MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b054037fd96fb4b33501a672ba26d0eebdc03061cbfdeb203e1f518d2eed552b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b054037fd96fb4b33501a672ba26d0eebdc03061cbfdeb203e1f518d2eed552b
SHA3-384 hash: 7a91da89b3ec964a6d75634161114b7355a250bbedb68e7f3ab0948b3327d38821b3beb218d8a3c6aec7ed185fad7b49
SHA1 hash: 1a3728f788bcc15899efc8f1f9be8030c81aeab2
MD5 hash: 55c321f4cbdae3231b1bb27243186da2
humanhash: cold-fanta-speaker-equal
File name:xloader.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:294'912 bytes
First seen:2025-09-11 13:56:33 UTC
Last seen:2025-09-19 10:02:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:EKvitOa1pISSaUD5vc2qkX3MOA1IWLEGKoS4riWqub5MG:EKvuiSDYZc2qkX8917L1KoS4b/i
Threatray 1'041 similar samples on MalwareBazaar
TLSH T16154223794869538D4BDB431BB7F3E281A8E8FC84E04671687CB2D67C4A0D4A16E49CD
TrID 35.7% (.EXE) Win32 Executable (generic) (4504/4/1)
16.3% (.ICL) Windows Icons Library (generic) (2059/9)
16.1% (.EXE) OS/2 Executable (generic) (2029/13)
15.8% (.EXE) Generic Win/DOS Executable (2002/3)
15.8% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter James_inthe_box
Tags:exe FormBook gooder-bar

Intelligence

File Origin
# of uploads :
2
# of downloads :
121
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
xloader.exe
Verdict:
No threats detected
Analysis date:
2025-09-11 13:59:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bb4ecdf7-d1cf-4f8d-a18c-c037ac331f97

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26923/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c2d51d6e66ba602d7a6fb4
Tags:
n/a
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
crypt microsoft_visual_cc overlay packed zero
Link:
https://www.filescan.io/uploads/68c2d51fdbc6f5a29c40216a/reports/77c1e7cf-0bbd-4bea-896f-d00313ddc479/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b054037fd96fb4b33501a672ba26d0eebdc03061cbfdeb203e1f518d2eed552b
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-09T23:38:00Z UTC
Last seen:
2025-09-09T23:38:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/b054037fd96fb4b33501a672ba26d0eebdc03061cbfdeb203e1f518d2eed552b/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8e9d45ed-cd86-44dd-828f-ac34e44e0377
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b054037fd96fb4b33501a672ba26d0eebdc03061cbfdeb203e1f518d2eed552b
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/55c321f4cbdae3231b1bb27243186da2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b054037fd96fb4b33501a672ba26d0eebdc03061cbfdeb203e1f518d2eed552b/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-09-10 05:37:42 UTC
File Type:
PE (Exe)
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wbkag76zn62lgnibuzzlujwq5264amdbzp66wib6d5iy2lxnkuvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0002a2f7d00d1d6c5289a0c6915c6a761145586b191c03d6ae9320ac487c9ed3
Formbook
3d488c7e2ce30c599303d4fc4bdc43692f80cc7e5e6feb1993197d97503f7dc3
Formbook
4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3
Formbook
5546bd925d3a06f12ca0509af5db9539517039a2e3ba1f6f942b36f3e0115c8e
Formbook
6b6662c1050599805c0a20155ca0c8fdb566858e1914e273a69f572a5e3e61ef
Formbook
72e85d4b56147bbf739b9d717f2274a1a0bfb44188ba6d394e2829b8a4e024ed
Formbook
7343fde1eb7ed90af6b923297177ae109f2ff9b8e86cee4f5961cf619fad81f4
Formbook
7e2f600443bbc2848ee277e188f5b7095d6c203d8e023a84224ba8dbb3532234
Formbook
adf8f2572d50a7af9af7512742520644479904c5973cad6aafa5b6e83516e36f
Formbook
error
Formbook
fb114b07eab8c5dd7faf8dc1b15f79cda7043f283f17c2c89797c57112d926d1
Formbook
+ 1'031 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250911-q82p7aznz5/
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/36e6bf1a-573f-450e-9629-643c52121d0b
Unpacked files
SH256 hash:
b054037fd96fb4b33501a672ba26d0eebdc03061cbfdeb203e1f518d2eed552b
MD5 hash:
55c321f4cbdae3231b1bb27243186da2
SHA1 hash:
1a3728f788bcc15899efc8f1f9be8030c81aeab2
Link:
https://www.unpac.me/results/0cb11533-6e0a-4bc1-af55-df9090264ee3/
SH256 hash:
cc41fd949c77aa2726f1ca115ce3ff3affa8e857b5099bd7722ce055b0cafa50
MD5 hash:
cce1947576505df2c6e78003798f9764
SHA1 hash:
183f56f4fda79fb841c80cc1badfe232a8f7ce7f
Link:
https://www.unpac.me/results/0cb11533-6e0a-4bc1-af55-df9090264ee3/
SH256 hash:
58d634f94f2e0b9217ab43d8552f1442494badf25537d327ceaf59c0fd032862
MD5 hash:
bc78c025e189c60ab8ffb2a755bc416b
SHA1 hash:
f9b7dcdacef4edcbfecda90238a59e8649c85a2b
Link:
https://www.unpac.me/results/0cb11533-6e0a-4bc1-af55-df9090264ee3/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b054037fd96f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/b054037fd96fb4b33501a672ba26d0eebdc03061cbfdeb203e1f518d2eed552b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26923/

Comments