MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0cbe1844c6fdac246f9421f33fa2805138e7d916ca96ba8a598301e32f6df5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	f0cbe1844c6fdac246f9421f33fa2805138e7d916ca96ba8a598301e32f6df5e
SHA3-384 hash:	308421ec0a3e6b43d46c96c7982348d09497c48a83d4927d0ddabf56b1cf5c7f2ed16004f1a4172663e6646d49ef7756
SHA1 hash:	fa5ee755e9acec10f383a32c717ab5159585d1e2
MD5 hash:	f350931a8d5c799ebbf7b868feb11b5d
humanhash:	ink-apart-lemon-green
File name:	f0cbe1844c6fdac246f9421f33fa2805138e7d916ca96ba8a598301e32f6df5e
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'211'392 bytes
First seen:	2025-07-07 14:49:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:8tb20pkaCqT5TBWgNQ7aVVO1t4AMDnIFe3X6A:lVg5tQ7aVVc4AMDn95
Threatray	2'364 similar samples on MalwareBazaar
TLSH	T10445C01373DE8365C3725273BA267701AEBF782506B5F96B2FD4093DE920122521EA73
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

rl_f0cbe1844c6fdac246f9421f33fa2805138e7d916ca96ba8a598301e32f6df5e.exe

Verdict:

No threats detected

Analysis date:

2025-07-07 14:51:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cc1f9f61-1552-4491-a7db-ffd79a1b68e2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/13069/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686bdeb6c9eb974737677240

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

Sending a custom TCP request

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f0cbe1844c6fdac246f9421f33fa2805138e7d916ca96ba8a598301e32f6df5e

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/08850fc2-6bd9-4f87-b2ae-5ddad34384f0

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f0cbe1844c6fdac246f9421f33fa2805138e7d916ca96ba8a598301e32f6df5e

Verdict:

Malware

YARA:

7 match(es)

Tags:

AutoIt Decompiled Executable PE (Portable Executable) Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/f350931a8d5c799ebbf7b868feb11b5d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f0cbe1844c6fdac246f9421f33fa2805138e7d916ca96ba8a598301e32f6df5e/

Threat name:

Win32.Backdoor.FormBook

Status:

Malicious

First seen:

2025-06-24 10:27:18 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 36 (80.56%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6df6dbcmn7nmerxziipth6riaujy47mrnsuwxkfftayb4mxw35pa._file

Verdict:

malicious

Label(s):

autoit

Formbook

38e65102a6d8af117d96ba3159ab096d2b95ea8615408667997ce1375c00f35e

Formbook

a553ff1d13ae071438bd4bbea08a59917a5dcb635c80024d7438059158b0d39e

Formbook

a8ba34baa2dd999845323fe9f3c2b1401256ffa0a9b8da69362365d06c6f1049

Formbook

adb3ace893f661c1578e335b5247414f87c554922d47660b223c52b3cdb79649

Formbook

dd3ac840eb842bd93fbbdcfb116d5761afc1a46f75fcf255d370d2602426494f

Formbook

+ 2'354 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/250707-r7aqrawvbx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3fdd4fcc-f978-4f37-8dad-4582d3073045

Unpacked files

SH256 hash:

f0cbe1844c6fdac246f9421f33fa2805138e7d916ca96ba8a598301e32f6df5e

MD5 hash:

f350931a8d5c799ebbf7b868feb11b5d

SHA1 hash:

fa5ee755e9acec10f383a32c717ab5159585d1e2

Link:

https://www.unpac.me/results/8b7ef293-3b1a-49c3-9ba6-2e864573073f/

SH256 hash:

a6bad80ad23f554fc50e83e1b6632b579f062ab672e4e8bb7de89187b73b7e0a

MD5 hash:

606942609bceed310d012ba71aadfb1d

SHA1 hash:

442aa60f3349c515667c9bd681bcf8f43ea68897

Link:

https://www.unpac.me/results/8b7ef293-3b1a-49c3-9ba6-2e864573073f/

SH256 hash:

d2b3110fe49aa630bba260d3929d7f0774944574faae7c0abe7a2fe0ac52c285

MD5 hash:

f827a3d3509435043944544a6f9cf565

SHA1 hash:

6aff362be33fb9ea5662af6b7975a73b2f35f3d3

Link:

https://www.unpac.me/results/8b7ef293-3b1a-49c3-9ba6-2e864573073f/

SH256 hash:

eb5ec7c6c7494f18b3ebca83fc46d4afaceb808dc7e168bafd416095c455adaa

MD5 hash:

69828050d2384e5313dcd357af19f4f0

SHA1 hash:

e8a33b27693a4722e45b32e95a5dbd76497eab47

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/8b7ef293-3b1a-49c3-9ba6-2e864573073f/

Parent samples :

a8ba34baa2dd999845323fe9f3c2b1401256ffa0a9b8da69362365d06c6f1049
97f4f0e2a55bb2b533b09fee965737fb376e6259365c676d14af04ac8b38e823
a19a20ff981769c85de7f15ff61749efcb04a33581937bd93e10fa63c5ac5ef9
2099f46abaf9c673008c2bfa8f5a3134480257888e22d949255f359812d55f62
f0cbe1844c6fdac246f9421f33fa2805138e7d916ca96ba8a598301e32f6df5e
4203dff76c9cd1d76efb99c5043089186f6d93e1292d02b99b9d562178a429f6
a80eaaf645baf8baeb49314e9b979dce7ccc46bca98992aab29416f93acab64d

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f0cbe1844c6fdac246f9421f33fa2805138e7d916ca96ba8a598301e32f6df5e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/13069/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::CopySid ADVAPI32.dll::FreeSid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::GetAce
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoCreateInstanceEx ole32.dll::CoInitializeSecurity ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::mciSendStringW WINMM.dll::timeGetTime WINMM.dll::waveOutSetVolume
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AddAce ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::DuplicateTokenEx ADVAPI32.dll::GetAclInformation ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW SHELL32.dll::ShellExecuteW SHELL32.dll::SHFileOperationW
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::CreateProcessAsUserW KERNEL32.dll::CreateProcessW ADVAPI32.dll::CreateProcessWithLogonW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken ADVAPI32.dll::OpenThreadToken
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateHardLinkW IPHLPAPI.DLL::IcmpCreateFile KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LogonUserW ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_API	Supports Windows Networking	MPR.dll::WNetAddConnection2W MPR.dll::WNetUseConnectionW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegConnectRegistryW ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_USER_API	Performs GUI Actions	USER32.dll::BlockInput USER32.dll::CloseDesktop USER32.dll::CreateMenu USER32.dll::EmptyClipboard USER32.dll::FindWindowExW USER32.dll::FindWindowW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample