MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 25 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c
SHA3-384 hash: 4e761bba3412ce125183ffa4d6c6ae20531d5bb349c943353eed8a848046babe5d98c77777036b103a81ba5eaf187452
SHA1 hash: 1df40e535cd00db0cb356c65d67fab8f9369fc29
MD5 hash: 1aefcbbc1ea725bd40e7dbcb62d53b79
humanhash: coffee-alpha-twelve-earth
File name:STATEMENT OF ACCOUNT.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:718'336 bytes
First seen:2025-12-05 14:43:59 UTC
Last seen:2025-12-05 14:46:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 21371b611d91188d602926b15db6bd48 (73 x Formbook, 60 x AgentTesla, 21 x RemcosRAT)
ssdeep 12288:Qz7hU5I5yuNHIgzSFKxWltRohBfSTso93Uq2FmEEnNJ5f+sEO5Vsakasvnoi9Kvv:Qf+iN57Gtene3tkmNJ1+sFtwPo2fpu
Threatray 2'239 similar samples on MalwareBazaar
TLSH T113E42385AD92A050D1B4B330C836CC948E393A729D19773F9339E25BACB1393D96778D
TrID 39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6)
38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter cocaman
Tags:exe FormBook INVOICE

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
AutoIt PEPacker
Details
AutoIt
extracted scripts and files
PEPacker
a UPX version number and an unpacked binary
Link:
https://research.acce.ciphertechsolutions.com/results/c6d639e7-7b2d-4657-9281-1c6466d1bd34/
Malware family:
n/a
ID:
1
File name:
STATEMENT OF ACCOUNT.exe
Verdict:
Malicious activity
Analysis date:
2025-12-05 14:46:30 UTC
Tags:
auto-startup
Link:
https://app.any.run/tasks/38c66d81-254d-4daa-bb26-6451ca01a0ba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/42661/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6932efc12b2823e41e74926a
Tags:
autorun autoit
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit compiled-script masquerade microsoft_visual_cc packed packed packed upx
Link:
https://www.filescan.io/uploads/6932efc1bc15eab491f54e77/reports/839ce491-e163-4300-a18f-acfa4bd1ac93/overview
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-04T21:52:00Z UTC
Last seen:
2025-12-07T05:38:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.Auzenpak.sb VHO:Trojan.Win32.AutoItScript.gen Trojan-Dropper.Win32.Dorifel.sbd Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan-Spy.Win32.Noon.sb Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Zenpak.sb Trojan.Win32.Strab.sb VHO:Trojan-Spy.Win32.Noon.bopo Trojan-Spy.Win32.Noon.bopm Trojan.Win32.Inject.sb
Link:
https://opentip.kaspersky.com/f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/455ddf77-1eb0-453b-bb80-1d8466d603b4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1827303
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1827303 Sample: STATEMENT OF ACCOUNT.exe Startdate: 05/12/2025 Architecture: WINDOWS Score: 100 47 wyw.pt.cdn-dysxb.com 2->47 49 www.walkheaven.com 2->49 51 21 other IPs or domains 2->51 59 Suricata IDS alerts for network traffic 2->59 61 Antivirus detection for URL or domain 2->61 63 Antivirus / Scanner detection for submitted sample 2->63 65 8 other signatures 2->65 12 STATEMENT OF ACCOUNT.exe 6 2->12         started        16 wscript.exe 1 2->16         started        signatures3 process4 file5 45 C:\Users\user\AppData\...\deblaterate.exe, PE32 12->45 dropped 83 Binary is likely a compiled AutoIt script file 12->83 18 deblaterate.exe 3 12->18         started        85 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->85 22 deblaterate.exe 2 16->22         started        signatures6 process7 file8 43 C:\Users\user\AppData\...\deblaterate.vbs, data 18->43 dropped 67 Antivirus detection for dropped file 18->67 69 Multi AV Scanner detection for dropped file 18->69 71 Binary is likely a compiled AutoIt script file 18->71 77 2 other signatures 18->77 24 svchost.exe 18->24         started        73 Writes to foreign memory regions 22->73 75 Maps a DLL or memory area into another process 22->75 27 svchost.exe 22->27         started        signatures9 process10 signatures11 79 Maps a DLL or memory area into another process 24->79 81 Unusual module load detection (module proxying) 24->81 29 GecX6ZjPDgqlz.exe 24->29 injected process12 process13 31 fsutil.exe 13 29->31         started        signatures14 87 Tries to steal Mail credentials (via file / registry access) 31->87 89 Tries to harvest and steal browser information (history, passwords, etc) 31->89 91 Modifies the context of a thread in another process (thread injection) 31->91 93 4 other signatures 31->93 34 QSz12fysX69MJ.exe 31->34 injected 37 chrome.exe 31->37         started        39 firefox.exe 31->39         started        process15 dnsIp16 53 tisvbz.114dodcqczey.com 156.247.39.136, 49726, 49727, 49728 PEGTECHINCUS Seychelles 34->53 55 i-v-c.ca 149.56.225.6, 49698, 49699, 49700 OVHFR Canada 34->55 57 12 other IPs or domains 34->57 41 WerFault.exe 4 37->41         started        process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c
Verdict:
Malware
YARA:
5 match(es)
Tags:
AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/1aefcbbc1ea725bd40e7dbcb62d53b79
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-12-05 02:33:06 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ytamhdeggqbriaop5f7fgie6hkp5h7asos74764zienbkxk2vwa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04192a8beaa2f78a1c4ab5764134930e49fe58b202f7ea99a2421809a12acee2
Formbook
061e7c16799ad41c3ca701ec1f4d06c7ad0c1c44e4c9bf4a57fd6eddb2ffa923
Formbook
1336a81d27c381bfaefd7d763b6c93d593f9c181fe97522b8248d520c6b0e2ff
Formbook
44d76c2813cbcbbc38602cf85005884c492f6eb76fbdac3e8279633d75fc5a0d
Formbook
a0f03b781a6132d96dd86b61922cb734aa80b135d2e1551d45496117eb7d1b65
Formbook
a3701fb120b8bf03636784197b6584ed43b3a18215b27b4c8d85b0ee5f415bf7
Formbook
af9e19b850ac8564ed2282c50b626f7e2baeb77dcd86a5936d09eb3248cee161
Formbook
cf7b3427dd7cb3cd41edafb409f7ad0649735e69311db73ec1546c7b25b37e58
Formbook
error
Formbook
+ 2'229 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan upx
Link:
https://tria.ge/reports/251205-r39paahs7h/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Drops startup file
Executes dropped EXE
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e93dabb5-5fb4-4e21-b56b-cd9015821e93
Unpacked files
SH256 hash:
0c30581580c3aecb09b589b19143a6c26cb9b9afe441fb08dcb51adfb9a9b962
MD5 hash:
2172199c65066d3844b491fab969a966
SHA1 hash:
855dd31aaa15c0c4fa32876555e983d3efbf6a1d
Link:
https://www.unpac.me/results/db869ae5-0b3b-4f7e-9e79-d6e93825fcb1/
SH256 hash:
cef9f72da6619096aa9762de21fb15abdf27105845a94db8b93401a91b9bf9b2
MD5 hash:
96b5b84e158ec9afbfa9f1dcf250c03d
SHA1 hash:
29cc6153a7df53ab65366775083608b8f953b9c7
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/db869ae5-0b3b-4f7e-9e79-d6e93825fcb1/
SH256 hash:
f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c
MD5 hash:
1aefcbbc1ea725bd40e7dbcb62d53b79
SHA1 hash:
1df40e535cd00db0cb356c65d67fab8f9369fc29
Link:
https://www.unpac.me/results/db869ae5-0b3b-4f7e-9e79-d6e93825fcb1/
SH256 hash:
74455158d87351b63de9ebba14f008db534ee103cd219f92e20a522800062bd2
MD5 hash:
298e7851d09161da1210286bece1fb3d
SHA1 hash:
8ea076b2fda4d649c44382db507ee66ab5e3a7e0
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/db869ae5-0b3b-4f7e-9e79-d6e93825fcb1/
SH256 hash:
ddcb4b5d5ab15cda214912eeb2b5d5cf03f1643d3b960f93fb06524fafe139ef
MD5 hash:
fae2441987387a397bb4c88cff508589
SHA1 hash:
6af1d4de6e964c93a1d938ba6b026460a1a16d0a
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/db869ae5-0b3b-4f7e-9e79-d6e93825fcb1/
SH256 hash:
bca978330944842a1e41f96c687c7abb17c7e2c2dead97b32b0fe93350ab6ae4
MD5 hash:
f8a94a2ec81a38282cb918e98d5e6e8c
SHA1 hash:
a98a76b025575087d6a71b4c0f3ed4f12ec97be0
Link:
https://www.unpac.me/results/db869ae5-0b3b-4f7e-9e79-d6e93825fcb1/
SH256 hash:
cf7d5f0d04da86a44901e988105faf4bed4d1e78a894d0a2a175ec8a21d0d7bc
MD5 hash:
f490fc45ede9b2d5f69b5d4b9b5cafb0
SHA1 hash:
411bd1ab0c940c519c8f3cecf6521c98d2e21cf1
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/db869ae5-0b3b-4f7e-9e79-d6e93825fcb1/
Parent samples :
f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c
b103eafb63925e5c6c7104d234873c0213def2cbf50f6b1566026694311b4902
2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009c8d1062316a6130
e80c725e5944992a8fc9fee172ff5dad5863a60ff23bb929eee63eca0ad6a5c3
c478dba070eef873b89b19170d8a683188f82222f30385f55faef68a8725339b
986de4285a1b205a94670b37918398ea6b02ca39ad15dcda471ffab9a9273548
7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3
9b6a347c4a3da1ba88d2b5a4d1cb0c8182da7aa5dc36526496d7cd9ec98607b4
SH256 hash:
9289b85e7c669664918f24b98aceb297c25f52046773bd30165446f117dc90a7
MD5 hash:
0a12946366af66034b553c2cc0f41dd9
SHA1 hash:
4158d5a07b6bcdb44f0e858242878e48d6b884d1
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/db869ae5-0b3b-4f7e-9e79-d6e93825fcb1/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f626061c6431/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_Win_ETW_Bypass_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Windows ETW Bypass Detection Rule - 2025
Reference:https://cyfare.net/
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

zip 7bef7a5db544eac582182aad26bc337e2e4afda9d1995e3b4e45f7371b719be1

Formbook

Executable exe f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 7bef7a5db544eac582182aad26bc337e2e4afda9d1995e3b4e45f7371b719be1
Cape
Cape
https://www.capesandbox.com/analysis/42661/
  
Dropped by
MD5 56774abdefab4b633f2fa794c4bcf072

Comments