MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf938a9c9c24de96809b43ef00e50547a13d0abbb5fc360c33c93d6a69a2c688. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 21 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cf938a9c9c24de96809b43ef00e50547a13d0abbb5fc360c33c93d6a69a2c688
SHA3-384 hash: 295c234d38aca18ca938fd7fdab2ed728dca4b61a91bf792ccf6e49a077361c3c6df129e3a3b877de1462b9fdd4b6d92
SHA1 hash: 41e56a6c257379cf9620722816c64bfe6d7da730
MD5 hash: 062c9c3724f7a8d7b820a33e621db087
humanhash: robert-bacon-hot-cola
File name:SecuriteInfo.com.Win32.MalwareX-gen.68132999
Download: download sample
Signature Formbook
Create hunting rule
File size:762'368 bytes
First seen:2026-02-13 08:22:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'799 x AgentTesla, 19'718 x Formbook, 12'278 x SnakeKeylogger)
ssdeep 12288:YQIV560rFVqghDQ1e6SfCHlPiV3zGKOOVEtQWp/JM2RE/eCN3ZjccnUiZEjIkXQ:YN56OC4DQ1eQtiVqdKBQRyWCN3ZRnUJ6
Threatray 2'709 similar samples on MalwareBazaar
TLSH T146F40214226ADE07D5510F744D72E3B80F79AE9CE852D203CFDABEEBB435B501986392
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
FR FR
Vendor Threat Intelligence
Malware configuration found for:
FormBook RoboSki
Details
FormBook
a decrypted component and its RC4 key
RoboSki
a decrypted ReZer0 component and possibly a decryption component
RoboSki
a Base64 + XOR/Sub-decrypted component, its associated key, a mutex, a filename, and ReZer0 configuration parameters including: a load type, a download URL and filename (if configured), an interval (if configured), and varying flags
Link:
https://research.acce.ciphertechsolutions.com/results/560f787e-7e85-4ea2-a7de-03f6daaa1a1d/
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.MalwareX-gen.68132999
Verdict:
No threats detected
Analysis date:
2026-02-13 08:46:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/afcd0a69-dbdd-4328-a699-d7457dae1ceb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53200/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.68132999.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=698edf7c1c4b7b977f661b6e
Tags:
agenttesla virus msil
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
agenttesla krypt packed
Link:
https://www.filescan.io/uploads/698edf7a552d46acbff2ed0b/reports/d57d3ecd-1219-4a9b-9f34-e7a5e27dbb6c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cf938a9c9c24de96809b43ef00e50547a13d0abbb5fc360c33c93d6a69a2c688
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-09T03:52:00Z UTC
Last seen:
2026-01-16T21:22:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/cf938a9c9c24de96809b43ef00e50547a13d0abbb5fc360c33c93d6a69a2c688/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0ebb9df-e34b-4315-85bf-d3d05d0a233e
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1773785
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1773785 Sample: xoZ6UWu3ZHg8RoQ.exe Startdate: 09/09/2025 Architecture: WINDOWS Score: 100 33 www.trakio.xyz 2->33 35 www.switchcode.xyz 2->35 37 19 other IPs or domains 2->37 45 Suricata IDS alerts for network traffic 2->45 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 53 5 other signatures 2->53 11 xoZ6UWu3ZHg8RoQ.exe 3 2->11         started        signatures3 51 Performs DNS queries to domains with low reputation 35->51 process4 file5 31 C:\Users\user\...\xoZ6UWu3ZHg8RoQ.exe.log, ASCII 11->31 dropped 14 xoZ6UWu3ZHg8RoQ.exe 11->14         started        process6 signatures7 63 Maps a DLL or memory area into another process 14->63 17 5urhnXJjb0.exe 14->17 injected process8 process9 19 fsutil.exe 13 17->19         started        signatures10 55 Tries to steal Mail credentials (via file / registry access) 19->55 57 Tries to harvest and steal browser information (history, passwords, etc) 19->57 59 Modifies the context of a thread in another process (thread injection) 19->59 61 3 other signatures 19->61 22 y7Lexs2Oj.exe 19->22 injected 25 chrome.exe 19->25         started        27 firefox.exe 19->27         started        process11 dnsIp12 39 www.trakio.xyz 203.161.43.222, 49743, 49744, 49745 VNPT-AS-VNVNPTCorpVN Malaysia 22->39 41 www.taoindustries.group 217.160.0.112, 49767, 49768, 49769 ONEANDONE-ASBrauerstrasse48DE Germany 22->41 43 7 other IPs or domains 22->43 29 WerFault.exe 4 25->29         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cf938a9c9c24de96809b43ef00e50547a13d0abbb5fc360c33c93d6a69a2c688
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.43 Win 32 Exe x86
Link:
https://app.malva.re/file/062c9c3724f7a8d7b820a33e621db087
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cf938a9c9c24de96809b43ef00e50547a13d0abbb5fc360c33c93d6a69a2c688/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-09-09 08:28:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z6jyvhe4etpjnae3ipxqbzifi6qt2cv3wx6dmdbtze6wu2ncy2ea._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8
Formbook
542cc164aa04d17dcb1abc62c982d85db3774587b08af2c13e97aba02d164562
Formbook
5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0
Formbook
5c14649f341b72c153a02cc99d0852f7b0ded81f67a6513af7d188dfdce5a53e
Formbook
674b492473c8055decf69d41cf511912178127b104a0aac346770cc919aff31a
Formbook
858533276fe2058efd23b93879c692facaf413579f528c248b3b1be66b4cca97
Formbook
e087ef304badb09dbb8b38a88337c5e2d4a0d3fc174d75817e622fdd8f5a6722
Formbook
e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f
Formbook
+ 2'699 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260213-j99nvsgv8h/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Unpacked files
SH256 hash:
cf938a9c9c24de96809b43ef00e50547a13d0abbb5fc360c33c93d6a69a2c688
MD5 hash:
062c9c3724f7a8d7b820a33e621db087
SHA1 hash:
41e56a6c257379cf9620722816c64bfe6d7da730
Link:
https://www.unpac.me/results/313cef4c-d80f-49f2-ba4c-44012d4f9531/
SH256 hash:
1b61f9edcd7ce9b65cb95a9cdc20023f15eecc475669c06adcf965d43ee552ec
MD5 hash:
4911237feed2d7d142fcab04878f8a06
SHA1 hash:
1e6a2fb1dba79dcf8b7d22e7653f6bce69c77ee4
Link:
https://www.unpac.me/results/313cef4c-d80f-49f2-ba4c-44012d4f9531/
SH256 hash:
0737923650ba8edfeb7944303e22b08215c0623f016fd2a8e74f3ec67d4186e7
MD5 hash:
7469f8f547f7b8ddf4f88a52acd3dea4
SHA1 hash:
573573c2f7f8441a36ff582484dbab739b229465
Link:
https://www.unpac.me/results/313cef4c-d80f-49f2-ba4c-44012d4f9531/
SH256 hash:
ec5df49adeb609fc37fca9ace1238ad226fd2c2b4d63f14d9dbe4eea0c241024
MD5 hash:
d680596d66eae3c425fa536dbfbbc743
SHA1 hash:
6ca8d79bb6196521dc1e410a012b7373f45c4e6d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/313cef4c-d80f-49f2-ba4c-44012d4f9531/
SH256 hash:
8bc027757a422fb334c63350bc79488920d7e78fa7398c72934b978df410215d
MD5 hash:
42e2f326335ce5bb45607fbf606e344e
SHA1 hash:
a4e02f471abf8b8abc4a1993c232600e662500d9
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/313cef4c-d80f-49f2-ba4c-44012d4f9531/
Parent samples :
bc16ea0319477e9b3f88c99b56dc71baf4f7f21d69274f391362f37fb763cf19
c387e0b0e9f50043143b28faf9c15058689c2b3e7f9fb533e3b2f2be3ad95a0b
dcb691b089fa29be68bf87b37c40b0ce085b8c406eb78ce8e80ec80bf524f1e3
1f116fc881ebc63e82da31c51e4748961f138b2b8f83f948c6605282135ea6e7
f1f024ecf670402056cb215338dfbb8de5c25671f9e5e127b9df197dc972bac3
a1aac69e61fbf0ab4f4d04092f73857d04743117f74b0b78dddc0c382659390a
62016848b8c42b05e7e94628f567892628da294cf4b2bb35c7ff9ca4e7369715
f980f36e53756a9a63992d61749e45842f2e2a2a23b297c886dadf41a3b01e9c
9037c923df1785d5acc630ddfd5155b30abac35380613777e123fdd8fd5d2028
7a5c911064b8a4ec0d503c16a16ee46f974fdd35324c9dfe4cbb7cc537686fd3
cf938a9c9c24de96809b43ef00e50547a13d0abbb5fc360c33c93d6a69a2c688
8423546740ef45fb67130769bb418074104ad21cb516ba7845d11d8049ccab5d
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cf938a9c9c24/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cf938a9c9c24de96809b43ef00e50547a13d0abbb5fc360c33c93d6a69a2c688

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/53200/

Comments