MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd6352d2cc65a4ff636f327799f6cf0ae2715ccb9df5ad580b1544853b0c9d67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 27 File information Comments

SHA256 hash:	bd6352d2cc65a4ff636f327799f6cf0ae2715ccb9df5ad580b1544853b0c9d67
SHA3-384 hash:	6ef89650ceeb8a0a50e2867a4834acabc27a8c8e76ee3b491fe73ab0c5c682de46b1e3d5cd50d3ae54803354b5ebd35b
SHA1 hash:	7672e8f11401fe165b87f4b98839c7f5cdf58025
MD5 hash:	304d22344cb0aedcb6763bf6cb66ee0f
humanhash:	paris-twenty-network-batman
File name:	SecuriteInfo.com.Win32.MalwareX-gen.53134473
Download:	download sample
Signature	Formbook Create hunting rule
File size:	686'592 bytes
First seen:	2026-02-13 08:24:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'820 x AgentTesla, 19'743 x Formbook, 12'286 x SnakeKeylogger)
ssdeep	12288:uf64LAlfNxqGfKmQLr5AjIXcVY9Q3EkFHdUfAr+rDAQq/EJ0UWe2l8q+oUY7:uu5tVcQIxQjFHyf4ojCrC+UY7
Threatray	2'686 similar samples on MalwareBazaar
TLSH	T139E401E03E66A716CD7503309929FCB852682E687011BEE75DDCBF97B3CA250690CF16
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

RoboSki

Details

RoboSki

a decrypted ReZer0 component and possibly a decryption component

RoboSki

a Base64 + XOR/Sub-decrypted component, its associated key, a mutex, a filename, and ReZer0 configuration parameters including: a load type, a download URL and filename (if configured), an interval (if configured), and varying flags

Link:

https://research.acce.ciphertechsolutions.com/results/e157e8fe-f3d0-4480-9201-cdfb022f4516/

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Win32.MalwareX-gen.53134473

Verdict:

No threats detected

Analysis date:

2026-02-13 08:30:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/aefbd377-9bcf-4a90-aa06-228406bc404b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/53217/

Detection(s):

SecuriteInfo.com.Win32.MalwareX-gen.53134473.UNOFFICIAL

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=698edfe876589225f6663de9

Tags:

malware

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/bd6352d2cc65a4ff636f327799f6cf0ae2715ccb9df5ad580b1544853b0c9d67

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-12-16T04:40:00Z UTC

Last seen:

2025-12-17T04:50:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/bd6352d2cc65a4ff636f327799f6cf0ae2715ccb9df5ad580b1544853b0c9d67/results?tab=lookup

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/12ac2689-d872-4b4f-a0d1-d33606940154

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/bd6352d2cc65a4ff636f327799f6cf0ae2715ccb9df5ad580b1544853b0c9d67

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.46 Win 32 Exe x86

Link:

https://app.malva.re/file/304d22344cb0aedcb6763bf6cb66ee0f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bd6352d2cc65a4ff636f327799f6cf0ae2715ccb9df5ad580b1544853b0c9d67/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2026-02-13 09:14:55 UTC

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xvrvfuwmmwsp6y3pgj3zt5wpblrhcxgltx222walcvcikoymtvtq._file

Verdict:

malicious

Label(s):

formbook

Formbook

5756e25b85cd80cc50822ff08493723729b4f99d37d2a0e26a4a0fa244c7db15

Formbook

7c633bc400a4cb90c89b5223fcb5401dc0cc08c0a441b11b7fb6dd3774f4a0be

Formbook

8409c2dbea8abea1f92301840dbd317620a985ccf323fb3df04ae51703786cb6

Formbook

9a79193b40c2ec6accfa36696cdad711db7b4ca0d1dec4b1158d4b461017dedc

Formbook

ecd80dc690eee6d7f89ad7f036aed2000c548440fabd8df91ab539307eb317aa

Formbook

error

Formbook

f239532b415d0769dea6827221c226555e1c4bda21ecd050041d829021c52d52

Formbook

f7f0d0bcd56c2b929b687aa0c15305be4f71495d0b1ce5609fed155ddb0c016c

Formbook

+ 2'676 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/260213-kayb8agw5b/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Unpacked files

SH256 hash:

bd6352d2cc65a4ff636f327799f6cf0ae2715ccb9df5ad580b1544853b0c9d67

MD5 hash:

304d22344cb0aedcb6763bf6cb66ee0f

SHA1 hash:

7672e8f11401fe165b87f4b98839c7f5cdf58025

Link:

https://www.unpac.me/results/f8497e76-02bb-468e-929f-cf3d110d6e2b/

SH256 hash:

f7eb663a0675db35d1e15b18012b97307cc0354e4a8068cc140c282980799b2b

MD5 hash:

020499decff9caaed0e0ea960af5e034

SHA1 hash:

5f991ffff71071e3d5a8b1d8ddd966d6db00463a

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

Link:

https://www.unpac.me/results/f8497e76-02bb-468e-929f-cf3d110d6e2b/

Parent samples :

303cbaa4832011373afc6bbf1d761a470f4e9111cdd32112f12db68f2d19d5c3
c01020bddf0722615647d37dffb887e4110e7d20074ec1ac525ebe00a036c2e9
9569089d9460ec165d7c01d889e239a16155515867d198e8664e4327d07142b3
7a963fe0d1784af8a2cb69eabc7499cc6255a7212a27f3f1af4a93742e6a934c
59b9ff739510ae6d1741c1835e79281a9394213e431627b11286a5691da49961
bd6352d2cc65a4ff636f327799f6cf0ae2715ccb9df5ad580b1544853b0c9d67

SH256 hash:

b53138cf66d35b1a837de4336fa5c427205a17a58ce592d10dca84a5f5cc941b

MD5 hash:

f42d9f288d6a289568f53e82bbc71668

SHA1 hash:

726dadc08cae63e42fbcb85af7522f42d2feaff9

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/f8497e76-02bb-468e-929f-cf3d110d6e2b/

SH256 hash:

a9e691518ea41e0fe1421582a29347b5629e6e32cbe927084b96f3e8a04e4cd9

MD5 hash:

be2396fecdca1b5d136666bfcc43c3b1

SHA1 hash:

966f9d6443e9117a6f7eff42d76e52113b7d9f49

Link:

https://www.unpac.me/results/f8497e76-02bb-468e-929f-cf3d110d6e2b/

SH256 hash:

5a0f8ec4059f384e432b10d4d678e3e4f8c2b723216e4e459750007750c33610

MD5 hash:

a1218cabacfb26cca116843ee698174a

SHA1 hash:

39f36bf72b177b4f7dbb99ae161e31aa2f2da065

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/f8497e76-02bb-468e-929f-cf3d110d6e2b/

Parent samples :

6ac566e9a69e4bd338cfa6665c04a954c891fc5c09698ae85a40d9565796f481
bd6352d2cc65a4ff636f327799f6cf0ae2715ccb9df5ad580b1544853b0c9d67

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/bd6352d2cc65/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bd6352d2cc65a4ff636f327799f6cf0ae2715ccb9df5ad580b1544853b0c9d67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	TH_Win_ETW_Bypass_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Windows ETW Bypass Detection Rule - 2025
Reference:	https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/53217/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample