MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6
SHA3-384 hash: f3a53fb7cb1b2211f1e19ed23ff92d8b4531051b9dc7a612c559b2e530ef6354c271f44ec2c3307ef60b576e3aa41ba9
SHA1 hash: 1059aa88065d26c30416efd0498d49f5b59887be
MD5 hash: 9c42bed03ed757e70b985a0c6dd51390
humanhash: video-nitrogen-helium-violet
File name:PO 5465TYYU625.xlsx.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:773'640 bytes
First seen:2025-10-20 08:44:09 UTC
Last seen:2025-11-06 10:54:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:4Q3L/rb8WkKV+97fQiKUoHCn/pKX2VydUfiBOHaaAWCYeMK4TGNYqLicCEPAjTBy:J7v+Q+7NK7qpy2VyqaBOHaaA5QK4TedZ
Threatray 2'116 similar samples on MalwareBazaar
TLSH T131F4125A2B4EDD02D4D51F7019A1E3B62730CF49E914C2278FEDBCDFB8A4B122969391
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
4
# of downloads :
100
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO 5465TYYU625.xlsx.exe
Verdict:
Malicious activity
Analysis date:
2025-10-20 08:45:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f450b339-946d-4859-a709-6d5d6507a8a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33392/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f5f664c949ca4fcbe399bb
Tags:
agenttesla underscore
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap expired-cert invalid-signature lolbin masquerade msbuild obfuscated packed packed phishing reconnaissance redcap regsvcs rezer0 roboski schtasks signed stego vbc vbnet zero
Link:
https://www.filescan.io/uploads/68f5f66e11ff3db29f64475b/reports/2ec9f685-bfb7-4bcf-978f-7d66c5ee464a/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-20T00:27:00Z UTC
Last seen:
2025-10-22T06:27:00Z UTC
Hits:
~1000
Detections:
Trojan-PSW.Win32.Stealer.sb PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb VHO:Backdoor.Win32.Agent.gen Trojan-Spy.Noon.HTTP.ServerRequest Trojan.MSIL.Taskun.sb
Link:
https://opentip.kaspersky.com/f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/18eeb9f6-adb2-4355-bd48-147903438b10
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798152
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Double Extension File Execution
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1798152 Sample: PO 5465TYYU625.xlsx.exe Startdate: 20/10/2025 Architecture: WINDOWS Score: 100 36 www.youcontributions.xyz 2->36 38 www.ulke.com.tr 2->38 40 3 other IPs or domains 2->40 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected FormBook 2->56 58 Yara detected AntiVM3 2->58 62 7 other signatures 2->62 10 PO 5465TYYU625.xlsx.exe 4 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 60 Performs DNS queries to domains with low reputation 36->60 process4 dnsIp5 34 C:\Users\user\...\PO 5465TYYU625.xlsx.exe.log, ASCII 10->34 dropped 72 Adds a directory exclusion to Windows Defender 10->72 74 Injects a PE file into a foreign processes 10->74 17 PO 5465TYYU625.xlsx.exe 10->17         started        20 powershell.exe 23 10->20         started        48 127.0.0.1 unknown unknown 14->48 file6 signatures7 process8 signatures9 50 Maps a DLL or memory area into another process 17->50 22 uoRzAlWRCWb2c.exe 17->22 injected 52 Loading BitLocker PowerShell Module 20->52 24 conhost.exe 20->24         started        process10 process11 26 mstsc.exe 13 22->26         started        signatures12 64 Tries to steal Mail credentials (via file / registry access) 26->64 66 Tries to harvest and steal browser information (history, passwords, etc) 26->66 68 Modifies the context of a thread in another process (thread injection) 26->68 70 3 other signatures 26->70 29 4Jz9eGpmtDReT.exe 26->29 injected 32 firefox.exe 26->32         started        process13 dnsIp14 42 www.youcontributions.xyz 13.248.169.48, 49704, 80 AMAZON-02US United States 29->42 44 www.ulke.com.tr 185.195.231.66, 80 VARGONENTR Turkey 29->44 46 gooder.bar 3.33.130.190, 80 AMAZONEXPANSIONGB United States 29->46
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.22 Win 32 Exe x86
Link:
https://app.malva.re/file/9c42bed03ed757e70b985a0c6dd51390
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6
Threat name:
ByteCode-MSIL.Trojan.XWorm
Create hunting rule
Status:
Malicious
First seen:
2025-10-20 03:58:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7gjgw575i7p7yzxg6ixe5tknb4nrwpslo2agjozcwzf6gckfnh3a._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
3a2ba2930632a0a60f6c74b40be24d474cf84c174d921bd8bab8903d59f01835
Formbook
4123bedccc18eee83aa4c7d8e1b64191ddde5fc234bd3c1cbd7f998571e47112
Formbook
a4e1ceb8458e0bca4119adb33ded5b1ef154f0ba69594b2079fbbcfb48cbe4ce
Formbook
aaa5b20a90d1f1755d39e6e228f8d4a4060d9da1451d9dd54a6e85fa2dd9ceef
Formbook
bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671
Formbook
error
Formbook
f05c22a1efc4ae70839768e6d0d22057eadd708c8da4e3fc8de7376267e8bca4
Formbook
+ 2'106 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook defense_evasion discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251020-knbqdae17e/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
SH256 hash:
f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6
MD5 hash:
9c42bed03ed757e70b985a0c6dd51390
SHA1 hash:
1059aa88065d26c30416efd0498d49f5b59887be
Link:
https://www.unpac.me/results/7ef78f19-a750-4cd8-bff8-479eb70e2bdb/
SH256 hash:
029fea89a5864126367f7869baddfb97dd722de0af295f3d03e827fb4ad09ca6
MD5 hash:
c4d792714df449598295023ee27bb5ec
SHA1 hash:
5d05fc5a92a5d556b8ad1a585f5768b3338606df
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/7ef78f19-a750-4cd8-bff8-479eb70e2bdb/
SH256 hash:
c0418cf8a7952e204acfc87dc155fcceb5a486ead59260f2303dba78db496a31
MD5 hash:
bc82a9e341e9ede14ac25f6a8aa82e56
SHA1 hash:
63020718b421fbb439f2600961ede97d704130ee
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/7ef78f19-a750-4cd8-bff8-479eb70e2bdb/
Parent samples :
89c911723b05c5bce8bcd4dd0ec42f190763afc166e85e0fde944e2e752223c8
f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6
8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd
bdb77fb15a71d15824003e2baca520124dab19ec99a1cd90e12769be216e1541
d9be66d734fe5c34f17805e4c54fc22862108dc83120fd30ea27679a0b32b442
8ddf7f818b62b95ca4b60a5177dfe46d00684f3f2b14998b8419f29e081186e7
e80ff6956ffb3e3189596fe42c13b03efb70c023bb9db2f83db9d91ec04a157c
f49d6efeab5a163ccaff6d8166c0be80e8430d50b4ba7c43df903dbb05bb7bfa
d87de6be63c49499dfe482bfdafbdca13760efb66c2d8af6950919f01f52608c
2c2b051b1f3085754054173c5afc5675b0bd9f2940f7ac81714f8b2d08faa63b
2acbd38d75a998bc663dc7f1ba6ccccf87d9724557b52b2966250cba1c70286b
dbecf6e2bad4b37d6d724a33c84bd1826dbd4f6eb0c490ef152b261c67edc751
ef191e2d10681d7e07d403c5a0f5c595fb55c54c9a66ddd6cabdb7af0d6f65b2
83ac2145013dfaebbf27d69340996ccc9ccbd9e609dce2b7be58c10f32b29a9b
SH256 hash:
eabe1822e74df66451abd6e69c33d1f98b8ae6ede8d3a3d6d3e38503406dbce5
MD5 hash:
f4070f6b3e7c23e4f8431d7f9033452f
SHA1 hash:
7495900b72f95bbb28c133d679176ab9ceec177d
Link:
https://www.unpac.me/results/7ef78f19-a750-4cd8-bff8-479eb70e2bdb/
SH256 hash:
17acd4803bff203f9c4ac1177e2fc4001ccecb699a3eff41bfa80b2b08469599
MD5 hash:
b9d799983fdb6ffbd3917e85128728f2
SHA1 hash:
5707b74f77f79d53d5a196697ac36903846b817d
Link:
https://www.unpac.me/results/7ef78f19-a750-4cd8-bff8-479eb70e2bdb/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f9926b77fd47/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33392/

Comments