MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d88ff5ebb0a0e4c01d567b41864162cd9b473a7d21dad63a356260eabad31a80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d88ff5ebb0a0e4c01d567b41864162cd9b473a7d21dad63a356260eabad31a80
SHA3-384 hash: 648620ab35fabb93f0b494daa11b4aecc22043ecd602ee4dcbe8a446dbeef8571143f6552488ec2117adf9a7096d8e71
SHA1 hash: 005bcb64a2a53144c5a0f74b11cd5babb0ce23d6
MD5 hash: d9edf1ab73748749c5a598fb78002faf
humanhash: louisiana-bluebird-mirror-cup
File name:d88ff5ebb0a0e4c01d567b41864162cd9b473a7d21dad63a356260eabad31a80
Download: download sample
Signature Formbook
Create hunting rule
File size:1'333'760 bytes
First seen:2025-12-08 15:10:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91d07a5e22681e70764519ae943a5883 (120 x Formbook, 32 x a310Logger, 27 x AgentTesla)
ssdeep 24576:qtb20pkaCqT5TBWgNQ7akg+pX9azxVGH5n6A:XVg5tQ7a50EzO55
Threatray 2'732 similar samples on MalwareBazaar
TLSH T1A055BF52E3DDC2A4D2314133B965B7116E3B7A2955B4F92F2FD8183CA87231211AFE27
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
AutoIt
Details
AutoIt
extracted scripts and files
Link:
https://research.acce.ciphertechsolutions.com/results/4ae55cc1-eb89-4cb4-9846-354b3f84c165/
Malware family:
n/a
ID:
1
File name:
d88ff5ebb0a0e4c01d567b41864162cd9b473a7d21dad63a356260eabad31a80
Verdict:
No threats detected
Analysis date:
2025-12-08 21:17:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d2256fd6-eb7b-4a85-9211-4aec3f96cdec

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43363/
Detection(s):
Win.Trojan.Hzzv-7433640-0
Create hunting rule

Win.Trojan.Autoit-10037269-0
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936eaf2db58e1a2c22b8d91
Tags:
autoit emotet
Verdict:
Malicious
Labled as:
AIT:Trojan.Nymeria
Link:
https://www.hybrid-analysis.com/sample/d88ff5ebb0a0e4c01d567b41864162cd9b473a7d21dad63a356260eabad31a80
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-17T20:09:00Z UTC
Last seen:
2025-12-09T22:18:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/d88ff5ebb0a0e4c01d567b41864162cd9b473a7d21dad63a356260eabad31a80/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/354f4bf5-ea7d-4866-a4e3-cced8e442b80
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d88ff5ebb0a0e4c01d567b41864162cd9b473a7d21dad63a356260eabad31a80
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/d9edf1ab73748749c5a598fb78002faf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d88ff5ebb0a0e4c01d567b41864162cd9b473a7d21dad63a356260eabad31a80/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-11-18 00:47:51 UTC
File Type:
PE (Exe)
Extracted files:
29
AV detection:
28 of 36 (77.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ch7l25qudsmahkwpnaymqlczwnuoot5ehnnmorvmjqovowtdkaa._file
Verdict:
malicious
Label(s):
autoit
Create hunting rule
formbook
Create hunting rule
Similar samples:
07351022141ffd0655322cbcb9bc66d32353fe5c7040d81324a2bceb23514126
Formbook
170c2b10322d1b2bbd5403091730544828633e2bdf59af1134b1ae1898a8d90c
Formbook
4139421ed55c3e312d485d67869250d329a4f2e50407e0fcddd74ee419abf216
Formbook
5fcfd8333c4687790ed53e4783d8b2ac2d082059f7f1b14e92dd24e41e831740
Formbook
90b33d8252b9470d19ac4aff278e6470c04bafe0a04cf143b61880257ca13157
Formbook
a21182bf32d320deebafbf52f06c370fe3762ec55793e09df10ce9e27bfe799a
Formbook
a2f35eb0011a96c25e98bccd89fa4f9ab9ab94e02ef9b0262ef455a72eb569a2
Formbook
b99465dde28898f671538e21692d17def78b40a44b6765093ce3940668614cc7
Formbook
e890b563d8866db21a60bd0eed524503a8769125f31949836da4c67ab1a704d9
Formbook
+ 2'722 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251208-skbvzaypdk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
Win.Trojan.Hzzv-7433640-0
YARA:
n/a
Link:
https://app.threat.zone/submission/1abdda4a-e168-44a4-a43c-9cc416d24d2f
Unpacked files
SH256 hash:
d88ff5ebb0a0e4c01d567b41864162cd9b473a7d21dad63a356260eabad31a80
MD5 hash:
d9edf1ab73748749c5a598fb78002faf
SHA1 hash:
005bcb64a2a53144c5a0f74b11cd5babb0ce23d6
Link:
https://www.unpac.me/results/5357904d-ac8e-46ff-b72c-60f9d7ae6921/
SH256 hash:
bd10b7d9aaf0db28a78f26831ac947b15f354a6322a986c50c89861af7f0512e
MD5 hash:
d1625de83588adc61e6fcc1ac4b23706
SHA1 hash:
dae6ea90cf21bca5149f7440cdff0081b44e666e
Link:
https://www.unpac.me/results/5357904d-ac8e-46ff-b72c-60f9d7ae6921/
SH256 hash:
828816d67a86cb0a3b30f54cca49097595565b8ef37f04746a6718d6dcc193db
MD5 hash:
ba9bf0a2f988639bea330e155ea0ff0a
SHA1 hash:
7b13a8b37dea0e4d5eda42fc8ece7d8d609eb4e0
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/5357904d-ac8e-46ff-b72c-60f9d7ae6921/
Parent samples :
5f2ed559648203a404d265f63274ea1ae0885facaa08a1ab1daa0679fef08eb6
a2f35eb0011a96c25e98bccd89fa4f9ab9ab94e02ef9b0262ef455a72eb569a2
d88ff5ebb0a0e4c01d567b41864162cd9b473a7d21dad63a356260eabad31a80
63abc40cb0e4c179daf5e149d679c13fb1d0711bab011fc38656d90512db0b63
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d88ff5ebb0a0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/43363/

Comments