MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd
SHA3-384 hash: 1aab818860ff1bc1de5312829bf38b7a2587f7c13939c81200ab8053cdd3e944a670cb865b8e8c785d1fbf4034074d6a
SHA1 hash: e355af70854c7c5a512ba8601f240d03c13c87af
MD5 hash: 70bade2736037c109c7ead9a760ca870
humanhash: ack-october-skylark-autumn
File name:Sales Contract 03092026.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'142'784 bytes
First seen:2026-03-09 09:35:03 UTC
Last seen:2026-03-09 10:31:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'844 x AgentTesla, 19'775 x Formbook, 12'297 x SnakeKeylogger)
ssdeep 24576:/FqIgmJI5aOn6QAErbjjaIxm5xTjb8UR96IsH5fIYiEgqrg37ca:QUFEfHaIuXb8y9EZfInI47
Threatray 2'743 similar samples on MalwareBazaar
TLSH T1D735121C615DC407C9AA573659B0F3B417BD1EDEA911C3224FEC6CBBBE32B925809386
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/1b70c7ed-1b1a-4463-b2fd-a189d4e73ee2/
Malware family:
n/a
ID:
1
File name:
Sales Contract 03092026.exe
Verdict:
No threats detected
Analysis date:
2026-03-09 09:36:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b239b4ad-302b-405e-9a54-da2c4069d92a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/56761/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.25827215.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ae945ce5dc8e2b2c317152
Tags:
stration shell micro
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt packed vbnet
Link:
https://www.filescan.io/uploads/69ae945a91ad9169e5380257/reports/08f7a682-0061-4c58-86fd-b0e9a361026f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd
Verdict:
Malicious
File Type:
exe x32
Detections:
Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Crypt.gen Backdoor.Agent.HTTP.C&C
Link:
https://opentip.kaspersky.com/efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd/results?tab=lookup
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5a4513a0-9a40-4a26-ac40-7d88214ce2a7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1880448
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1880448 Sample: Sales Contract 03092026.exe Startdate: 09/03/2026 Architecture: WINDOWS Score: 100 38 www.eralo.xyz 2->38 40 www.younow.com 2->40 42 23 other IPs or domains 2->42 50 Antivirus detection for URL or domain 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for submitted file 2->54 58 7 other signatures 2->58 11 Sales Contract 03092026.exe 4 2->11         started        signatures3 56 Performs DNS queries to domains with low reputation 38->56 process4 file5 36 C:\Users\...\Sales Contract 03092026.exe.log, ASCII 11->36 dropped 68 Adds a directory exclusion to Windows Defender 11->68 70 Injects a PE file into a foreign processes 11->70 15 Sales Contract 03092026.exe 11->15         started        18 powershell.exe 23 11->18         started        signatures6 process7 signatures8 72 Maps a DLL or memory area into another process 15->72 20 4cbUEnOun.exe 15->20 injected 74 Loading BitLocker PowerShell Module 18->74 22 conhost.exe 18->22         started        process9 process10 24 recover.exe 13 20->24         started        signatures11 60 Tries to steal Mail credentials (via file / registry access) 24->60 62 Tries to harvest and steal browser information (history, passwords, etc) 24->62 64 Modifies the context of a thread in another process (thread injection) 24->64 66 4 other signatures 24->66 27 Q6mFabA83G.exe 24->27 injected 30 chrome.exe 24->30         started        32 firefox.exe 24->32         started        process12 dnsIp13 44 www.eralo.xyz 159.198.74.151, 49755, 49756, 49757 CAT-IDC-4BYTENET-AS-APCATTELECOMPublicCompanyLtdCATT United States 27->44 46 www.tungstenammo.com 156.224.45.155, 49735, 49736, 49737 VPSQUANUS Seychelles 27->46 48 13 other IPs or domains 27->48 34 WerFault.exe 4 30->34         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd
Threat name:
ByteCode-MSIL.Trojan.Fuery
Create hunting rule
Status:
Malicious
First seen:
2026-03-09 07:59:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
26 of 38 (68.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=57iazom35ghhmfkgylbwftk5afic7mbw3pvwiz47w7kb5di5uhoq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
049d02bca5fcfb5cc8f429493bd150a2363cfafc940a51fb60af9c298946cafa
Formbook
3c3986cc2354ae8cb2eea13b9b853bbf001bb58c81f4340a6e0a7a72464a70bf
Formbook
61faeb3857dc422b26292ff17b24a2ed3cb18415f8c0a6f64a707c51a0a9c147
Formbook
6b15d702539c47fd54a63bda4d309e06d3c0b92d150f61c0b8b65eae787680be
Formbook
85cffbf528025f8a8af7935e9e1ef285a9da23cb8f454b78143ab2960d339a15
Formbook
b32d05c6d0606ae99980ac52e9acbae681e7c35936abca1aa7bbc66bc25bb0e5
Formbook
c516363e147f458e1806ace3348ded638bfdeef92c663a2478940e45b95cb911
Formbook
d93a5d602961d1d23e77b613866be9056abe8f5c833776a20a2635fbbad772d8
Formbook
efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd
Formbook
error
Formbook
f4160d848ce8fc3d06604dbed868251d960839dc351673a5aec208ba48ebfc7e
Formbook
+ 2'733 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/260309-lkg9esc16q/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
SH256 hash:
efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd
MD5 hash:
70bade2736037c109c7ead9a760ca870
SHA1 hash:
e355af70854c7c5a512ba8601f240d03c13c87af
Link:
https://www.unpac.me/results/3f1bae53-7618-4cac-ae9e-324e311e51ce/
SH256 hash:
1d505ea8bbeba5f8dafdba977e3798970abec0ded018eca8c8c1d71a510d5b36
MD5 hash:
15185513dcfc65611ee21ddee6d3b94d
SHA1 hash:
76f1da946c7257494d9c81ae3691b4c14063afcd
Link:
https://www.unpac.me/results/3f1bae53-7618-4cac-ae9e-324e311e51ce/
SH256 hash:
0de7d8bacc86ddc152297f3b49d5e27632006c02266354d95791cbc5a299c74d
MD5 hash:
625b1f197c864f45c88297a1b41eca27
SHA1 hash:
a3b95af0dc52e44f0c683ce02563dceed9a85948
Link:
https://www.unpac.me/results/3f1bae53-7618-4cac-ae9e-324e311e51ce/
SH256 hash:
73519af9dfee5514bc7410d9320a07bfa049d3b260ebc85e63c2483dbd1f840c
MD5 hash:
6731fd94549e21ab31ffdf3ae171e5e4
SHA1 hash:
fb6d4322185aebbd864f92d6af21d7b92c36c0e0
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/3f1bae53-7618-4cac-ae9e-324e311e51ce/
SH256 hash:
6f508c40d5e0dfd2ba6e0d69fc72ea940dd4f55f443023625678f343603a82ae
MD5 hash:
9f4a36a2e948571dc5deac5a8a8b4946
SHA1 hash:
a91457cb56299f4eba50c74e2b598e93bc3f720e
Link:
https://www.unpac.me/results/3f1bae53-7618-4cac-ae9e-324e311e51ce/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/efd00cb99be9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/56761/

Comments