MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7216794112d9f3aa12b562d347fc00d813fa15845b1b46f46843a69093694b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f7216794112d9f3aa12b562d347fc00d813fa15845b1b46f46843a69093694b9
SHA3-384 hash: 8b2337f5235a94d59bf6d4f182d16351c7c5893d7bc146893714c19f4bc2cb063ecf83ad44f73d2c175cc388bd923862
SHA1 hash: 60155bce131fd25e5cddc70230265ca35bf9f0e4
MD5 hash: 70325cb4ef12044db3c9285a75a940ae
humanhash: romeo-lemon-item-march
File name:krOtNXYJPHUwWYe.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:733'184 bytes
First seen:2025-10-29 09:38:02 UTC
Last seen:2025-10-29 09:38:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:h5XwctGTvmRqfb7CR1M7wkmqzbBED9DyuAW61u4Vtk2/MJD6d6KCI4Bjmq:LQjmRqzs1spzCtyuA/1u4Vd/MFvrm
Threatray 477 similar samples on MalwareBazaar
TLSH T1E4F412056386DA01C7AA5BF42EB2F5B443B57DACD420E31A9ED56EEB35B1F004E48B13
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter cocaman
Tags:exe FormBook QUOTATION scr

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
krOtNXYJPHUwWYe.scr
Verdict:
No threats detected
Analysis date:
2025-10-29 09:39:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ae42e2e8-2dd5-42d2-8b0f-7636ae397149

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34590/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6901e09b706befaf4ec9ecb2
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
bitmap masquerade packed packed stego vbnet
Link:
https://www.filescan.io/uploads/6901e0a0b33c704cbf948f1a/reports/c1d76f54-8a57-45df-a4be-853fa0b619ad/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f7216794112d9f3aa12b562d347fc00d813fa15845b1b46f46843a69093694b9
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-29T03:23:00Z UTC
Last seen:
2025-10-31T03:46:00Z UTC
Hits:
~100
Detections:
Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.MSIL.DarkCloud.gen Trojan.MSIL.Taskun.sb UDS:DangerousObject.Multi.Generic Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/f7216794112d9f3aa12b562d347fc00d813fa15845b1b46f46843a69093694b9/results?tab=lookup
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bc0e8251-349a-489d-b026-415a6e46e67c
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1803762
Signature
.NET source code contains potential unpacker
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f7216794112d9f3aa12b562d347fc00d813fa15845b1b46f46843a69093694b9
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.53 Win 32 Exe x86
Link:
https://app.malva.re/file/70325cb4ef12044db3c9285a75a940ae
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f7216794112d9f3aa12b562d347fc00d813fa15845b1b46f46843a69093694b9/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/f7216794112d9f3aa12b562d347fc00d813fa15845b1b46f46843a69093694b9
Threat name:
Win32.Trojan.DarkCloud
Create hunting rule
Status:
Malicious
First seen:
2025-10-29 09:38:39 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=64qwpfarfwptvijlkywti76abwat7ikyiwy3i32gqq5gscjwss4q._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
53864e83655e52a17e3a9d3e588193218299055f930b470c134e606138426ca5
Formbook
7d4341732ef5442ec456c78b82b92912cec787d884b8ec97d620358a341c7478
Formbook
883ae3955a129045c7e3043cf13a743db9d5d3a2e12b30d6563898861a00cb06
Formbook
d076158f2f53f5d2b109631721820941ebbc4c7fbbb9b480e48e6b38235ecc44
Formbook
error
Formbook
fa3214688079a8dae069fc05ff4f142417c15c0c4a949d0fd6640181c701a286
Formbook
+ 467 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251029-lmb57afp6y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fe61b569-4862-499b-8267-6af08e74dc77
Unpacked files
SH256 hash:
fc9b76a9b73be2fd1fa77829ebcab4c8bb8a4dc67875b825861e20c42a57c0ea
MD5 hash:
dd2e0d77a5598fb1fdeb54f4739aba56
SHA1 hash:
232fb37569493beaba4b0a83b674cd722ec85765
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/c9d83159-3703-442f-9251-5590854fa6c6/
SH256 hash:
7862cc185fadb5c8dd1398d04eb3a5941ac9a0d4ee5515f831e018793867c54d
MD5 hash:
5a6b8624387142d994f50adfc634eeee
SHA1 hash:
9d09179ea15435ed1df0fac398c362fd574a5267
Link:
https://www.unpac.me/results/c9d83159-3703-442f-9251-5590854fa6c6/
SH256 hash:
81c878e71a82aa8f4175648d188a1f75acf99cd0b02ef0f48e814fb4f44f0fc0
MD5 hash:
2c401550efe4777b67fa67fb7cecdfbc
SHA1 hash:
e5515434b9685499ad38499f4b59ed8c017b88b4
Link:
https://www.unpac.me/results/c9d83159-3703-442f-9251-5590854fa6c6/
SH256 hash:
d7b0ef630cace3edd028e91f7b4a04fc6b225fe64b1e8e1584537b1280e2e2e9
MD5 hash:
b8d6f2e92f5aec5a2fa30ec9a653c450
SHA1 hash:
92db211a002cc2ec998cc32a1a735fe2d29ee9c8
Link:
https://www.unpac.me/results/c9d83159-3703-442f-9251-5590854fa6c6/
SH256 hash:
f7216794112d9f3aa12b562d347fc00d813fa15845b1b46f46843a69093694b9
MD5 hash:
70325cb4ef12044db3c9285a75a940ae
SHA1 hash:
60155bce131fd25e5cddc70230265ca35bf9f0e4
Link:
https://www.unpac.me/results/c9d83159-3703-442f-9251-5590854fa6c6/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f7216794112d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/f7216794112d9f3aa12b562d347fc00d813fa15845b1b46f46843a69093694b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

4cd3d5b51a6d550346dae03c0bed9640cba47a3d31cae864eb868c807664439f

Formbook

Executable exe f7216794112d9f3aa12b562d347fc00d813fa15845b1b46f46843a69093694b9

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 4cd3d5b51a6d550346dae03c0bed9640cba47a3d31cae864eb868c807664439f
Cape
Cape
https://www.capesandbox.com/analysis/34590/

Comments