MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c60cbde6033fe5a3bd5f127248959e1742e48aeae539ece6e137dd5179df34e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 19 File information Comments

SHA256 hash: c60cbde6033fe5a3bd5f127248959e1742e48aeae539ece6e137dd5179df34e7
SHA3-384 hash: d2cd3322ba67d11f5ca6de64a9a2352a13d2df7d4724d58fbac9de4496232822fdc8d5556f94c3560089e60d59729fcb
SHA1 hash: 65495e2dc520a54bd2970ef7fb4323e40860ad73
MD5 hash: f455803cf736015a73d4f03f165963df
humanhash: venus-summer-bacon-dakota
File name:PO_1400083954_PDF.bat
Download: download sample
Signature Formbook
File size:1'081'856 bytes
First seen:2026-07-02 14:47:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'079 x AgentTesla, 20'051 x Formbook, 12'353 x SnakeKeylogger)
ssdeep 24576:AslbyI7p+lMceqn8HSSzywJ3RGbn8sa6Uw:ACslMcTn8HqwGbnxa69
Threatray 2'968 similar samples on MalwareBazaar
TLSH T13B351224236EDB06C4BA4BF41970D3305BB86EC6B922D20B6FD97DDFB86A7905510783
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence


File Origin
# of uploads :
1
# of downloads :
149
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
exe
Verdict:
Malicious activity
Analysis date:
2026-07-02 14:50:18 UTC
Tags:
auto-reg formbook xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
70%
Tags:
micro spawn sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a service
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade packed phishing vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-07-02T04:53:00Z UTC
Last seen:
2026-07-02T06:11:00Z UTC
Hits:
~100
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Deletes itself after installation
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1936792 Sample: PO_1400083954_PDF.bat.exe Startdate: 02/07/2026 Architecture: WINDOWS Score: 100 65 www.asiaticlife.com 2->65 67 ax-0003.ax-dc-msedge.net 2->67 69 6 other IPs or domains 2->69 79 Multi AV Scanner detection for submitted file 2->79 81 Yara detected FormBook 2->81 83 Yara detected UAC Bypass using CMSTP 2->83 85 12 other signatures 2->85 11 PO_1400083954_PDF.bat.exe 1 6 2->11         started        15 powershell.exe 19 2->15         started        17 powershell.exe 20 2->17         started        19 2 other processes 2->19 signatures3 process4 file5 57 C:\Users\user\AppData\Roaming\IybjDJDe.exe, PE32 11->57 dropped 59 C:\Users\...\IybjDJDe.exe:Zone.Identifier, ASCII 11->59 dropped 61 C:\Users\user\AppData\...\eyfm2b0t0ud.ps1, ASCII 11->61 dropped 63 C:\Users\...\PO_1400083954_PDF.bat.exe.log, ASCII 11->63 dropped 103 Creates autostart registry keys with suspicious values (likely registry only malware) 11->103 105 Creates an autostart registry key pointing to binary in C:\Windows 11->105 107 Injects a PE file into a foreign processes 11->107 109 Unusual module load detection (module proxying) 11->109 21 PO_1400083954_PDF.bat.exe 11->21         started        24 IybjDJDe.exe 3 15->24         started        26 conhost.exe 15->26         started        28 IybjDJDe.exe 2 17->28         started        30 conhost.exe 17->30         started        signatures6 process7 signatures8 87 Maps a DLL or memory area into another process 21->87 32 oPRNFG7AY.exe 21->32 injected 89 Multi AV Scanner detection for dropped file 24->89 91 Injects a PE file into a foreign processes 24->91 93 Unusual module load detection (module proxying) 24->93 34 IybjDJDe.exe 24->34         started        36 IybjDJDe.exe 28->36         started        38 IybjDJDe.exe 28->38         started        40 IybjDJDe.exe 28->40         started        process9 process10 42 dxdiag.exe 13 32->42         started        signatures11 95 Tries to steal Mail credentials (via file / registry access) 42->95 97 Tries to harvest and steal browser information (history, passwords, etc) 42->97 99 Deletes itself after installation 42->99 101 5 other signatures 42->101 45 explorer.exe 42->45         started        49 fBRJjoATVsi.exe 42->49 injected 51 chrome.exe 42->51         started        53 firefox.exe 42->53         started        process12 dnsIp13 71 ax-0003.ax-dc-msedge.net 150.171.29.12, 443, 49701 MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS United States 45->71 111 System process connects to network (likely due to code injection or exploit) 45->111 73 www.urbanxis.site 159.198.70.130, 49697, 49698, 49699 NAMECHEAP-NET-NamecheapIncUS United States 49->73 75 asiaticlife.com 167.235.222.200, 49691, 80 HETZNER-ASDE Germany 49->75 77 www.lullora.pro 172.67.164.45, 49692, 49694, 49695 CLOUDFLARENET-CloudflareIncUS Canada 49->77 55 WerFault.exe 51->55         started        signatures14 process15
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.47 Win 32 Exe x86
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Status:
Malicious
First seen:
2026-07-02 08:21:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
17 of 36 (47.22%)
Threat level:
  5/5
Result
Malware family:
formbook
Score:
  10/10
Tags:
family:formbook adware collection discovery execution persistence rat spyware stealer trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Family: Formbook
Formbook payload
Unpacked files
SH256 hash:
c60cbde6033fe5a3bd5f127248959e1742e48aeae539ece6e137dd5179df34e7
MD5 hash:
f455803cf736015a73d4f03f165963df
SHA1 hash:
65495e2dc520a54bd2970ef7fb4323e40860ad73
SH256 hash:
013b3d82852b836c2a9cb2fa584510f2fe50ddc017d4117d1aa87ccba1f10ca3
MD5 hash:
98754dfabbd22dd9fd74b4592705fc6c
SHA1 hash:
140bdc0820a0e85c6573fbc3f7bfc43ab460e2d0
SH256 hash:
ecf184c700647d41b029f9b023edf03de76b1197bc04b1b71a192cbd4d0725e7
MD5 hash:
c0fa244ab901bd5dedf3b0859bf4db51
SHA1 hash:
4ae8bcdc4825abc93bee2fcbf790f97ecf92ae60
SH256 hash:
7ecd7c30d8c497605b65361b1adb3c6403db4729d7eea85e970fc3671c0fafd4
MD5 hash:
e952791def60b421a969a57881a9a54a
SHA1 hash:
38a67d10d00bfd092638e9f9a5f5042b1f4f028b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__GlobalFlags
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:pe_no_import_table
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:TH_Win_ETW_Bypass_2025_CYFARE
Author:CYFARE
Description:Windows ETW Bypass Detection Rule - 2025
Reference:https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c60cbde6033fe5a3bd5f127248959e1742e48aeae539ece6e137dd5179df34e7

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments