MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757
SHA3-384 hash: b3d4c026338038b71e77870a1ddc9baf5244688cd94cc859b5f7f8df4983d603cf62c2238f7d8b14ed0a2f6fbd64a7ee
SHA1 hash: 6a98cdfbc5924b3d7cbb148c6960553b8c3fcec9
MD5 hash: 156036b4735c0cb89fd25df6aad9689b
humanhash: carpet-robert-zebra-timing
File name:f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757
Download: download sample
Signature Formbook
Create hunting rule
File size:1'221'632 bytes
First seen:2026-02-05 15:52:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 279daa640d9140f9842860a738abd363 (23 x Formbook, 2 x CastleLoader, 1 x RemcosRAT)
ssdeep 24576:yqDEvCTbMWu7rQYlBQcBiT6rprG8axV31UAP2CUPPFLeUVG:yTvC/MTQYxsWR7axfp2CUXJeU
Threatray 2'381 similar samples on MalwareBazaar
TLSH T19145B0027391C062FF9B92334F5AF6515BBC69260123E62F13A81DB9BD701B1563E7A3
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
AutoIt
Details
AutoIt
extracted scripts and files
Link:
https://research.acce.ciphertechsolutions.com/results/86a8b4cb-1df7-4ad3-ac42-c3666368c805/
Malware family:
n/a
ID:
1
File name:
f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757
Verdict:
No threats detected
Analysis date:
2026-02-05 23:22:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/758bf6b7-23d4-4ca7-a8b6-8c2a18de910c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/52245/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6984bd19ae5379bb6609cc65
Tags:
autoit emotet
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-26T21:08:00Z UTC
Last seen:
2026-02-05T16:11:00Z UTC
Hits:
~10000
Link:
https://opentip.kaspersky.com/f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3add775b-f18b-4d98-92f8-118f843f6d9e
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2026-01-27 02:50:19 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6cbhagovocwtcsuz3vuvscymqnrzyyfr3swhpvyizvwuswjyg5lq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
025b8d79911d3b0384ee29386388a7b9815024baffacacab86c3f253ce89a9e5
Formbook
0faf94a24b00a7dca3cb0e26b29b0c3f72f66e2f968d997ad45e74620efeb11b
Formbook
26d6053c28e6d07e8be6f160fab2334b8339f23cafe1b35e524e1add0acee6b4
Formbook
2d2b6e4497e44239a28593031b18ba3a9550fe322f39ce87d0a3995b1b33086f
Formbook
8c36017fb562623b423d65c040cf67365367a8b271f375b91e69b4c942cd09da
Formbook
a78f964b862aa2d6dde0214a1bd10fe4276ed478dfaed2e84fb9e71d3b1bc712
Formbook
b3519529f6d34d7fa3108901fe68b12f4577de4e610433e1ae733666fd8f1126
Formbook
cef704d7865892c9752273badf9c9cc765448e69610a161b1e61f30239d730a4
Formbook
d5524fe820bb5053c55848f1b832179009569460a9879337458502b4c10c8195
Formbook
dae94dd36a738eb6419a87daf1fc57bf0b7726bca3e5c7b05d39df9b88a916d9
Formbook
error
Formbook
+ 2'371 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260205-tbtj4acs5c/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Unpacked files
SH256 hash:
a4ca094aa690f859da8d18d36667710fa8ac3017cf4c43e68fede781714f05ed
MD5 hash:
6c26040cb74418363d98c2a098d32b93
SHA1 hash:
8657ac9ed7c16c39dabc4d8bf0df6793752f002e
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/c56fd329-785a-4c82-ab4e-e15950f44633/
Parent samples :
dae94dd36a738eb6419a87daf1fc57bf0b7726bca3e5c7b05d39df9b88a916d9
f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757
SH256 hash:
070a26c91c66ea4fc1323a4473822ba238816f741bd2d5af7d51f203f2fe0994
MD5 hash:
4095eb5861d6cc457bc9ec59d6a51c69
SHA1 hash:
e6c2e1d09807213d34617477f98dd886d4fca465
Link:
https://www.unpac.me/results/c56fd329-785a-4c82-ab4e-e15950f44633/
SH256 hash:
f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757
MD5 hash:
156036b4735c0cb89fd25df6aad9689b
SHA1 hash:
6a98cdfbc5924b3d7cbb148c6960553b8c3fcec9
Link:
https://www.unpac.me/results/c56fd329-785a-4c82-ab4e-e15950f44633/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/52245/

Comments