MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2be9e06fff932ac45101a0b28b07379fad8b868697b2bd95af141a01afa5f16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2be9e06fff932ac45101a0b28b07379fad8b868697b2bd95af141a01afa5f16
SHA3-384 hash: 59005ef22bd1e5c2fbe59d3ed2cdee544c5a9751943bdaa65263beaade1ab0f0828048f41ab496380312902bff67b234
SHA1 hash: f86c35a13d9e871ed43533d679388a323c45da98
MD5 hash: 97637eb56d815189da89c4a3807baea8
humanhash: four-summer-batman-twenty
File name:PO_#86637.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'342'464 bytes
First seen:2026-05-21 14:52:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 279daa640d9140f9842860a738abd363 (40 x Formbook, 8 x AgentTesla, 2 x CastleLoader)
ssdeep 24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8a113HDXS2StVkghRp2VI9:ETvC/MTQYxsWR7a1NDCJVhRp2V
Threatray 2'835 similar samples on MalwareBazaar
TLSH T16B55C00273C1C062FF9B92734F5AE65157BC79260123A62F13A81D7ABE701B1563E7A3
TrID 29.5% (.EXE) Win64 Executable (generic) (6522/11/2)
22.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'697 x Formbook, 1'203 x CredentialFlusher, 928 x AgentTesla)
Reporter TomU
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
AutoIt
Details
AutoIt
extracted scripts and files
Link:
https://research.acce.ciphertechsolutions.com/results/38c9e0ee-c646-4f0c-8d0d-f6f6450cdc48/
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/67427/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33203615.28472.17882.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0f17d798070a72bb9c6875
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f2be9e06fff932ac45101a0b28b07379fad8b868697b2bd95af141a01afa5f16
Verdict:
Malicious
File Type:
exe x32
First seen:
2024-09-09T05:21:00Z UTC
Last seen:
2026-05-16T10:02:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/f2be9e06fff932ac45101a0b28b07379fad8b868697b2bd95af141a01afa5f16/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/badcfd1d-f684-4964-8c88-de88c34b1dcb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1508267
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f2be9e06fff932ac45101a0b28b07379fad8b868697b2bd95af141a01afa5f16
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2be9e06fff932ac45101a0b28b07379fad8b868697b2bd95af141a01afa5f16/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2024-09-09 09:51:53 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
27 of 36 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6k7j4bx77ezkyriqdifsrmdtph5nrodinf5sxwk26fa2agx2l4la._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1124e6890aa9e5a314157ca65013a915a29af69c98aa315aa1edbbb2a5ad8eb8
Formbook
34cdc9dbeed25021f6a572352cc75a2c6b4fa6c273b89b55219e83f6c2466992
Formbook
64cccb8039b0fa277f21e1dccbeec520d08d2606dac35912b147372c03e53f56
Formbook
9edae2a8ff98921959db5b0838fbb3aecf892f701061ad93c489d78ca1ef71ba
Formbook
a47d17dc57da8ad544a45871fc79ad1201c46ccbe7189b69c6531219a9364716
Formbook
ac32edc4349871fa356f2bd55ce445b89f20b25f6792596fcf134cba4163585e
Formbook
bb48191adb71c355f5695de90d2bfcf01926169809a36aa14082470dc90265ba
Formbook
error
Formbook
f2be9e06fff932ac45101a0b28b07379fad8b868697b2bd95af141a01afa5f16
Formbook
+ 2'825 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260521-r9jrfaaw7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Family: Formbook
Formbook payload
Unpacked files
SH256 hash:
f2be9e06fff932ac45101a0b28b07379fad8b868697b2bd95af141a01afa5f16
MD5 hash:
97637eb56d815189da89c4a3807baea8
SHA1 hash:
f86c35a13d9e871ed43533d679388a323c45da98
Link:
https://www.unpac.me/results/4c35c7b5-8dea-4c92-a69b-f2c12a19d071/
SH256 hash:
5e54ee037ffcb89f68711d221e8e0712697a77772500be4aa7e3ab619627c65c
MD5 hash:
f2003d56f6a580dcfa28cae9df8bcf38
SHA1 hash:
f4583f7d0ef26548734ee2c4bce7ad616becf58f
Link:
https://www.unpac.me/results/4c35c7b5-8dea-4c92-a69b-f2c12a19d071/
SH256 hash:
43b84f6ef027228a04e417b14ff683b61ca2e5ae6b494c8a47c51c2210799254
MD5 hash:
c32c1cce7878ddbc4988e2493ec8251d
SHA1 hash:
0d1d344f8d6200b1eaab52d715bc9cf32b9f2850
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
triage_formbook
Create hunting rule
Link:
https://www.unpac.me/results/4c35c7b5-8dea-4c92-a69b-f2c12a19d071/
Parent samples :
14eff9206677e4d8b2ff0ba356e046aeabbccef08086ac1f1d0686be85dc0689
a47d17dc57da8ad544a45871fc79ad1201c46ccbe7189b69c6531219a9364716
ae2f77ad311caf919d2c2ed85c691d9906185b06b01d153d49bfa8ddb132ee3d
1124e6890aa9e5a314157ca65013a915a29af69c98aa315aa1edbbb2a5ad8eb8
1f0138f02c1d1be1f9a575ffc912f443a51904558e6687af49f971ccba9711b5
63d9db1d6ad43b29d1dc245eead5fea3cf85ab49815984bb531f74d80bf0d4e6
9edae2a8ff98921959db5b0838fbb3aecf892f701061ad93c489d78ca1ef71ba
ac32edc4349871fa356f2bd55ce445b89f20b25f6792596fcf134cba4163585e
8c7ecd6f1bb4a8dabae53a4c6d5e936c1335bda20cc5e850434fc9b022289864
1872f51b5d3913490f3936ab41a7388212d4c10e389eb211bc448029380891ce
34cdc9dbeed25021f6a572352cc75a2c6b4fa6c273b89b55219e83f6c2466992
502812cc0e25d2c5e3053cb724b38407b6ba9e2ef6c0631d89879602365fd2a8
ec4594c01b27748273f47aeefc3fc2f3bc67af0b55a72ccd129936bfb0b715b1
64cccb8039b0fa277f21e1dccbeec520d08d2606dac35912b147372c03e53f56
f5d173e1e89e02211fa67806e20fcf4fb9c7dcd656929ffad54840454bae58a9
bb48191adb71c355f5695de90d2bfcf01926169809a36aa14082470dc90265ba
f2be9e06fff932ac45101a0b28b07379fad8b868697b2bd95af141a01afa5f16
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2be9e06fff932ac45101a0b28b07379fad8b868697b2bd95af141a01afa5f16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Create hunting rule
Author:CYFARE
Description:Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference:https://cyfare.net/
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f2be9e06fff932ac45101a0b28b07379fad8b868697b2bd95af141a01afa5f16

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/67427/

Comments