MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea
SHA3-384 hash: 5af44ff28bc6bb7e04ed1b4d3421e1126e3b68931f962df30f0c075471bbf13c2c7e78b66880cfd466fd3fcd61f1c351
SHA1 hash: 73730e52656d9337b3158107de8519afab35703e
MD5 hash: 05180dfe4d0d2c9ec409047a5989d6b9
humanhash: blossom-fish-butter-yankee
File name:Vessel_Particulars_Appointment_Letterpdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'085'440 bytes
First seen:2026-06-09 03:41:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'016 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 24576:p1lzGX0kZb+NwZnhmM2LsI54wHXvrkAYN:pA16NwZnULjVYN
Threatray 173 similar samples on MalwareBazaar
TLSH T19435026C2A59CB07C9555B385EB2F2B902AD6DEE7500E3179FE97DFBB936B004C00192
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
157
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/0bb780d1-62c0-47b5-bf58-303cdedc674a/
Malware family:
n/a
ID:
1
File name:
_d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea.exe
Verdict:
No threats detected
Analysis date:
2026-06-09 03:43:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3dbf6928-037d-4a0b-a7ac-95b0ed6d2499

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70230/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a278ba6ae2f98c00a690afb
Tags:
stration shell micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6a278ba2554e843ff865a51a/reports/fb6e738e-4697-48a6-a3df-d06558a17a3b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-09T00:16:00Z UTC
Last seen:
2026-06-10T02:09:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan-PSW.MSIL.Agensla.gen Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Win32.Noon.sb PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1c37f1e9-182d-4154-8cc6-4b4b4b850fce
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1924818
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1924818 Sample: Vessel_Particulars_Appointm... Startdate: 09/06/2026 Architecture: WINDOWS Score: 100 26 Antivirus / Scanner detection for submitted sample 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected FormBook 2->30 32 5 other signatures 2->32 7 Vessel_Particulars_Appointment_Letterpdf.exe 4 2->7         started        process3 file4 24 Vessel_Particulars...t_Letterpdf.exe.log, ASCII 7->24 dropped 34 Adds a directory exclusion to Windows Defender 7->34 11 powershell.exe 23 7->11         started        14 Vessel_Particulars_Appointment_Letterpdf.exe 7->14         started        16 Vessel_Particulars_Appointment_Letterpdf.exe 7->16         started        signatures5 process6 signatures7 36 Loading BitLocker PowerShell Module 11->36 18 WmiPrvSE.exe 11->18         started        20 conhost.exe 11->20         started        22 WerFault.exe 21 16 14->22         started        process8
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-06-09 03:19:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
8 of 36 (22.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2az55jubasjjwy74xmtr44niqij2fdailh77w5mg6kxnlfxgnhva._file
Verdict:
malicious
Label(s):
volcanogodloader
Create hunting rule
Similar samples:
0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302
Formbook
6c6902cea5aabd389064f34d992917cc003b0cc7f77696378682a10475a469f6
Formbook
9ba709e3e9389501c7a2dbf36e1d199bb8d878bb232a6bf49abf10d74854748d
Formbook
be1f829c0a12b713df49c8a8cf8dd1bca669b975b7ba147a9991d4ecb8d5a8cb
Formbook
cdb4f964fdb6348bd4e59b47cbd43a15bb41acac2098e41dc397f055147713c8
Formbook
cf2471d843cae60503efb1db4adc57e5f64ddf67ee15ee9314b4e9caf90bc309
Formbook
d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea
Formbook
error
Formbook
fc944b5465a41ab46b5ddaddd499c84170e2454ca6e5fce9987914aa8dba1cbc
Formbook
+ 163 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/260609-d9kf3sby6l/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Family: Formbook
Formbook payload
Unpacked files
SH256 hash:
d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea
MD5 hash:
05180dfe4d0d2c9ec409047a5989d6b9
SHA1 hash:
73730e52656d9337b3158107de8519afab35703e
Link:
https://www.unpac.me/results/191dd291-a7b0-4d28-8664-ffc398add276/
SH256 hash:
447285d17e69bf4504f54ca56164e53d92435371dba5a063a6cf6b1a44502d1c
MD5 hash:
dcdf438206b84cfc6bea85a4ecaa9187
SHA1 hash:
0e0421e38136fa8edb762b1eed7863c86da47809
Link:
https://www.unpac.me/results/191dd291-a7b0-4d28-8664-ffc398add276/
SH256 hash:
3da64ef57e22ee27503f881cb6d4da15e11fc51f4fedcc82f55d748241da67fb
MD5 hash:
aa2d28012c0b38bd4e5b864e14946b1f
SHA1 hash:
4e31030b2918e08792c6d772207f0f5d400da4bb
Link:
https://www.unpac.me/results/191dd291-a7b0-4d28-8664-ffc398add276/
SH256 hash:
1b7bc097c92735446793117427eb63e581aa3ea6982a75ec872cd27fbe2e9b5e
MD5 hash:
d3149fbfe65d3da08baca186a70bbcc7
SHA1 hash:
63a1460c9356fbda25d63119693c43d69637796f
Link:
https://www.unpac.me/results/191dd291-a7b0-4d28-8664-ffc398add276/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d033dea68104/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d033dea68104929b63fcbb271e71a88213a28c0859fffb7586f2aed596e669ea

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70230/

Comments