MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 21


Intelligence 21 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a
SHA3-384 hash: b01c4f0ad5a1bdccf70750eaf748da0916bf544ce952a26a3f5231c4d014abaad4a46d837a155be9139d0cd2c71876b4
SHA1 hash: 37c926e6110d860c568341cddf89b6cb4d729d06
MD5 hash: 6508402debef3fe6e447f7b160e50270
humanhash: cup-blue-artist-social
File name:PO#890TK.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:798'208 bytes
First seen:2025-09-09 13:13:30 UTC
Last seen:2025-09-15 06:57:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:LAcRn9+QIV5nb0N1/ld94a2SSpp6nbxlqJRNrqLCRJKAlVIXyrQokkMerchg:LA+9+N5noN19d94Xdp21CUg0xyrQ6P
Threatray 2'823 similar samples on MalwareBazaar
TLSH T18905CF9032AD8907E1B64AF04971E2B11BB67E5D766AC2CE9DC12CDF38F1F444A42B47
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
96
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
PO890TK.exe
Verdict:
Malicious activity
Analysis date:
2025-09-09 13:21:19 UTC
Tags:
formbook stealer xloader
Link:
https://app.any.run/tasks/f11ccc5b-ed96-4359-9c56-d7812675be27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26481/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.8873.27540.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c02841b2005259887929a6
Tags:
phishing virus krypt msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Сreating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed packer_detected phishing
Link:
https://www.filescan.io/uploads/68c0290542dabcf86d4d73b1/reports/b3384889-4c08-4b32-b42e-db334a03bf68/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-08T23:30:00Z UTC
Last seen:
2025-09-08T23:30:00Z UTC
Hits:
~1000
Detections:
Trojan-Dropper.Win32.Injector.sb Trojan.MSIL.Agent.sb Trojan-Spy.Win32.Noon.sb Trojan.Win32.Agent.sb Backdoor.Agent.HTTP.C&C Trojan.MSIL.Taskun.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic Backdoor.Win32.Blakken.sb Trojan.Win32.SpeedBit.sb HEUR:Trojan-Spy.MSIL.Noon.gen HEUR:Trojan.MSIL.Injector.gen Trojan.MSIL.Inject.sb VHO:Backdoor.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d45c1fcf-967c-49f9-99f6-b011e1f6b3b1
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.19 Win 32 Exe x86
Link:
https://app.malva.re/file/6508402debef3fe6e447f7b160e50270
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-09-09 04:35:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
40
AV detection:
24 of 38 (63.16%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=27degjfu6kyk5tgqyerum6ekkkcsxmyrtelu5rxwtgspbxcp52fa._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
212151a618e9234e1c746f364ae9f98f12a2198c0ac9c4b3058d056541163240
Formbook
3f56b75e0a22acce7e85ba3b5e24ba8ccdfc573929376671a0ababd8a5db6686
Formbook
41eaa4d9ca00fdef1f8ac2b02ffbb0498b8ed8565916247c20b4a41beaa102a8
Formbook
602caaecd7dca945a17cbe1522c89c7e6cb52330d2865f77637652009271553c
Formbook
617bf6800d42409a74ae0539d3e3ffc412e6c4bb137c232159c3ca946bc0fcdd
Formbook
89369898ebf3b91a1f28cecd38382b3f47d32e0cbde22543b1ece74c25c03eef
Formbook
94976e161177276c6c1f03697f87bbbda781fedb937342a311728f51a3bce501
Formbook
b456996591120e1dddad01bcd6651f37ee3a30644d7ef77c3e41c21189615404
Formbook
d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a
Formbook
error
Formbook
+ 2'813 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ol06 discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250909-qj3wysbm4w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ae9f8628-ba27-40b9-9d40-e9a0f4761ec9
Unpacked files
SH256 hash:
d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a
MD5 hash:
6508402debef3fe6e447f7b160e50270
SHA1 hash:
37c926e6110d860c568341cddf89b6cb4d729d06
Link:
https://www.unpac.me/results/0abdef70-d309-43d2-85b9-d3d547039589/
SH256 hash:
12dda0cd3b378fbced3071df357733426bb09e47c31fcc3ba6273650f67895dc
MD5 hash:
773c55854eb467033abb78bc2b667f80
SHA1 hash:
54bfd694185cd257abb4ee6b477dba12b971b9b9
Link:
https://www.unpac.me/results/0abdef70-d309-43d2-85b9-d3d547039589/
SH256 hash:
e76c27f6cdf677771fa6d70043d7f2f60030d87c6adb06200a1f172a9481a710
MD5 hash:
567e00fc0fd2b4edc502757f3169e84e
SHA1 hash:
c7fffd3e4605d4ba20669cc15f8f0d0c7cdc3a08
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0abdef70-d309-43d2-85b9-d3d547039589/
SH256 hash:
208f30f5ea416b321cbaf4768dd3bddea682d0747509991e21f46a88fb2d0048
MD5 hash:
053eb6c500c3252aa6d8c28a604ba328
SHA1 hash:
df774410d4dddfd86bbc4f5dfe3e7ffc2c15672d
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/0abdef70-d309-43d2-85b9-d3d547039589/
Parent samples :
d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a
e1f4bf968e975bdb45e48107ef68200d53e96ee2598b44e1f424ab7e298b4e52
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d7c64324b4f2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26481/

Comments