MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b
SHA3-384 hash: bb65d8d5ddb90474e954efa27765369c516ce71859a64de9ddede1608da53f9befe0ac72de4d66554ff2a52aa25b32e5
SHA1 hash: 4b5b274aaebde8f6a5d9ddb6ceba7c29c8d0ce6a
MD5 hash: f7d5f89496e796664f747e961241c015
humanhash: winter-may-romeo-spring
File name:MV MLS AMBER SPECIFICATION.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'008'640 bytes
First seen:2026-01-19 02:37:23 UTC
Last seen:2026-02-05 15:18:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'814 x AgentTesla, 19'736 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 24576:t8fyA+I73SDGlpWZ9uk8mFt0IejpgjBC+UJfxFO8i0Z:OyliCCk8m7HjBZMFlZ
TLSH T1A025016473AFEB03C9250B744860F27413361D9EEA40E3565ED87EEFB975F184A90A83
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/cee67251-1638-4cec-8ef1-e2d11a7d1508/
Malware family:
n/a
ID:
1
File name:
MV MLS AMBER SPECIFICATION.exe
Verdict:
No threats detected
Analysis date:
2026-01-19 02:39:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7f2495f7-a523-46dc-bedd-b1e34f5cf6f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/49289/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696d9924bcad3327ec063af8
Tags:
malware
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt packed
Link:
https://www.filescan.io/uploads/696d99203dd9d209505958f6/reports/32b5c203-e8be-43ea-89ae-12ef27fcbd56/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-18T22:31:00Z UTC
Last seen:
2026-01-21T00:04:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Crypt.gen Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Noon.HTTP.ServerRequest
Link:
https://opentip.kaspersky.com/e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b/results?tab=lookup
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dc6d1f8a-cd05-4eb0-ba4a-8f0a9f22f6a0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1853058
Signature
.NET source code contains potential unpacker
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1853058 Sample: MV MLS AMBER SPECIFICATION.exe Startdate: 19/01/2026 Architecture: WINDOWS Score: 100 35 www.yaliro.xyz 2->35 37 s3.ueyzqqnhdwf.top 2->37 39 8 other IPs or domains 2->39 47 Suricata IDS alerts for network traffic 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Yara detected FormBook 2->51 55 4 other signatures 2->55 11 MV MLS AMBER SPECIFICATION.exe 4 2->11         started        signatures3 53 Performs DNS queries to domains with low reputation 35->53 process4 file5 31 C:\...\MV MLS AMBER SPECIFICATION.exe.log, ASCII 11->31 dropped 33 C:\Users\user\Desktop\PWB.dll, PE32 11->33 dropped 14 MV MLS AMBER SPECIFICATION.exe 11->14         started        process6 signatures7 65 Maps a DLL or memory area into another process 14->65 17 yzuKqvsqs8Yoc.exe 14->17 injected process8 process9 19 unlodctr.exe 13 17->19         started        signatures10 57 Tries to steal Mail credentials (via file / registry access) 19->57 59 Tries to harvest and steal browser information (history, passwords, etc) 19->59 61 Modifies the context of a thread in another process (thread injection) 19->61 63 4 other signatures 19->63 22 Bwt4gkMT.exe 19->22 injected 25 chrome.exe 19->25         started        27 firefox.exe 19->27         started        process11 dnsIp12 41 all.365jia.cn.w.kunluncan.com 180.163.146.111, 49722, 49723, 49725 CHINANET-SH-APChinaTelecomGroupCN China 22->41 43 s3.ueyzqqnhdwf.top 43.226.78.180, 49735, 49736, 49737 CHINANET-LIAONING-DALIAN-MANCHINANETLiaoningprovinceDali China 22->43 45 5 other IPs or domains 22->45 29 WerFault.exe 4 25->29         started        process13
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.49 Win 32 Exe x86
Link:
https://app.malva.re/file/f7d5f89496e796664f747e961241c015
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2026-01-19 01:30:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4t7wfntlaktppcdqgrfqalmdv2adshi4ycywkeef6i7srva7aj5q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260119-c4xnsadt7d/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c423a7ec-43fb-4f0e-8f30-0f381b3dfd73
Unpacked files
SH256 hash:
e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b
MD5 hash:
f7d5f89496e796664f747e961241c015
SHA1 hash:
4b5b274aaebde8f6a5d9ddb6ceba7c29c8d0ce6a
Link:
https://www.unpac.me/results/006cc0f2-875d-4c76-91aa-bf8183dce1f0/
SH256 hash:
f615401d5efc42d4beffda04a66562640a02abdeef8f82a788cb1041efc94880
MD5 hash:
946f9bba7c596fb91e59f0d174ac0c58
SHA1 hash:
37b373e410875dc266b266c7fee1ef77a36f1d85
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/006cc0f2-875d-4c76-91aa-bf8183dce1f0/
Parent samples :
b3baa9567f3661525ea666b3c23e427d8550abf4ed4ebc2322121c3616c9cbef
e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b
4e104d928c12846758db6ba19844f9fa2482db80fa67c82bb909ebb9e146867a
e64b4314bf8f0471aa3d2db91ad949b3e88e39080524ed613f5a0e1fd29e187b
bfafcc89f89a7e1c6e8767a61b20f1b0875dc6bf5952f012f9c4aac270e3590c
1a87669db3798931f99742c6bc0c40eaa097243f85fbd11af2f524fcbb57bba2
45997dcc03ccfe687fc509e4e688614b059566577e51d70c18b07d250a70e3a0
428d59a68ebf5f9cfdacfab35823e7f4838c53da200072abe7a07c9cb139557d
SH256 hash:
2094497b3f255e8a87c2b757c2d70211bf9d57409352ccb7bfd396d41d332a93
MD5 hash:
cf4b62421ea5b6cc3c2e98c43cab27b3
SHA1 hash:
a35e74869129abb17e42a8670d71d6f75e6258dc
Link:
https://www.unpac.me/results/006cc0f2-875d-4c76-91aa-bf8183dce1f0/
SH256 hash:
a05e02358d986e55e8998af9af6f6ad85fb206e1ba9240c8e7b0c6f3f58f7678
MD5 hash:
850154f8d0dc69e9b99329157fb6585a
SHA1 hash:
ba86b4bda5b2f81c058ca9c27dadfd14c2267d16
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/006cc0f2-875d-4c76-91aa-bf8183dce1f0/
SH256 hash:
6bda6986df86ef3ef0db6d26830619d73be0bcbdca4dad6372179d11e8297c77
MD5 hash:
537d92e449095fdd8e5419ce3b9ce2bb
SHA1 hash:
f1ad1142f726fef2a40a30ed0cca359466c7352f
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/006cc0f2-875d-4c76-91aa-bf8183dce1f0/
Parent samples :
e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b
b0fa29feb4da48f088d9e383d10ad8aef023efa91f6501142bb1f20749fd23d2
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e4ff62b66b02/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe e4ff62b66b02a6f78870344b002d83ae80391d1cc0b1651085f23f28d41f027b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/49289/

Comments