MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 dfdbf3ff165aa2e92982c0f1ac53c7ee28f7d78fa39027386934ba98fbe5b62b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 16
| SHA256 hash: | dfdbf3ff165aa2e92982c0f1ac53c7ee28f7d78fa39027386934ba98fbe5b62b |
|---|---|
| SHA3-384 hash: | 0ef0d1cac1a10012ecada4e220a23136b09c3948c6f6020e0e0d4b23724c04938c5fddeb88cdad31544dd598166d0b9e |
| SHA1 hash: | 7c359217004c0974f77d402497e1faeb1df0ed0c |
| MD5 hash: | 7184ed41bc9b212283d8c55fcdf9f348 |
| humanhash: | avocado-four-papa-yankee |
| File name: | dfdbf3ff165aa2e92982c0f1ac53c7ee28f7d78fa39027386934ba98fbe5b62b |
| Download: | download sample |
| Signature | Formbook |
| File size: | 1'101'824 bytes |
| First seen: | 2025-09-05 13:38:50 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 91d07a5e22681e70764519ae943a5883 (93 x Formbook, 14 x RemcosRAT, 11 x AgentTesla) |
| ssdeep | 24576:8tb20pkaCqT5TBWgNQ7aT7Xuswa8tb6A:lVg5tQ7aT7sx5 |
| TLSH | T1FC35CF1273DEC365C3B25273BA267701AEBB782506A1F56B2FD4093DF920122525EB73 |
| TrID | 40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3) |
| Magika | pebin |
| Reporter |  adrian__luca |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
104
Origin country :
HUVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dfdbf3ff165aa2e92982c0f1ac53c7ee28f7d78fa39027386934ba98fbe5b62b
Verdict:
No threats detected
Analysis date:
2025-09-06 00:45:41 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Detection(s):
Verdict:
Malicious
Score:
99.1%
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
DNS request
Сreating synchronization primitives
Launching cmd.exe command interpreter
Connection attempt
Setting browser functions hooks
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
adaptive-context autoit compiled-script fingerprint keylogger microsoft_visual_cc obfuscated packed packed packer_detected
Verdict:
Malicious
Labled as:
Trojan.Generic
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-29T17:14:00Z UTC
Last seen:
2025-08-29T17:14:00Z UTC
Hits:
~100
Verdict:
Malicious
Score:
100%
Verdict:
Malware
File Type:
PE
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Threat name:
Win32.Trojan.Etset
Status:
Malicious
First seen:
2025-08-30 00:31:11 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
21 of 24 (87.50%)
Threat level:
5/5
Detection(s):
Malicious file
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook campaign:b19x discovery rat spyware stealer trojan
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SH256 hash:
dfdbf3ff165aa2e92982c0f1ac53c7ee28f7d78fa39027386934ba98fbe5b62b
MD5 hash:
7184ed41bc9b212283d8c55fcdf9f348
SHA1 hash:
7c359217004c0974f77d402497e1faeb1df0ed0c
SH256 hash:
b091f6ad53118a1f608aefc2be7d47e75a8c3e72e0e118ebcf98e7469bab07aa
MD5 hash:
df816e9879643f7070eafc6328fbfda0
SHA1 hash:
bb66ecc275fdef5bb8d15ead3b400cc05dd1c5df
Detections:
win_formbook_w0
win_formbook_g0
win_formbook_auto
FormBook
Windows_Trojan_Formbook
Formbook
Parent samples :
e73c05dcca84ba611c3dac5e498c600d33cea3df540aebbd9de1cf78c52851de
51ed3754e84d112a11271f10693058541e7190f28fcddad4388ca52bb22dc081
9a9462484d951513f3df6e77a7960211c539fd00cb887098a3080ceb330dedfe
41eaa4d9ca00fdef1f8ac2b02ffbb0498b8ed8565916247c20b4a41beaa102a8
9e08235a1ee9df4857b8bdb391e552272f34f7d517a1e2aadea599ce7cfb0da4
3a3ae02ddba7f8bd4930c66e0b655e7aef3235181a5292b94eb8be477c0e213a
dfdbf3ff165aa2e92982c0f1ac53c7ee28f7d78fa39027386934ba98fbe5b62b
51ed3754e84d112a11271f10693058541e7190f28fcddad4388ca52bb22dc081
9a9462484d951513f3df6e77a7960211c539fd00cb887098a3080ceb330dedfe
41eaa4d9ca00fdef1f8ac2b02ffbb0498b8ed8565916247c20b4a41beaa102a8
9e08235a1ee9df4857b8bdb391e552272f34f7d517a1e2aadea599ce7cfb0da4
3a3ae02ddba7f8bd4930c66e0b655e7aef3235181a5292b94eb8be477c0e213a
dfdbf3ff165aa2e92982c0f1ac53c7ee28f7d78fa39027386934ba98fbe5b62b
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious. |
| Rule name: | CP_AllMal_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication |
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__GlobalFlags |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Active |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Thread |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | dgaagas |
|---|---|
| Author: | Harshit |
| Description: | Uses certutil.exe to download a file named test.txt |
| Rule name: | Formbook |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Formbook in memory |
| Reference: | internal research |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | MD5_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for MD5 constants |
| Rule name: | meth_stackstrings |
|---|---|
| Author: | Willi Ballenthin |
| Rule name: | pe_no_import_table |
|---|---|
| Description: | Detect pe file that no import table |
| Rule name: | RANSOMWARE |
|---|---|
| Author: | ToroGuitar |
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| Rule name: | SEH__vectored |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| Rule name: | Sus_Obf_Enc_Spoof_Hide_PE |
|---|---|
| Author: | XiAnzheng |
| Description: | Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP) |
| Rule name: | Windows_Trojan_Formbook |
|---|---|
| Author: | @malgamy12 |
| Rule name: | Windows_Trojan_Formbook_1112e116 |
|---|---|
| Author: | Elastic Security |
| Reference: | https://www.elastic.co/security-labs/formbook-adopts-cab-less-approach |
| Rule name: | win_formbook_auto |
|---|---|
| Author: | Felix Bilstein - yara-signator at cocacoding dot com |
| Description: | Detects win.formbook. |
| Rule name: | win_formbook_w0 |
|---|---|
| Author: | @malgamy12 |
| Rule name: | YahLover |
|---|---|
| Author: | Kevin Falcoz |
| Description: | YahLover |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.