MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa65d639902f2294bea2857886549b53016dbde86d9fd25894e39c47f7047200. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	fa65d639902f2294bea2857886549b53016dbde86d9fd25894e39c47f7047200
SHA3-384 hash:	d6635e16a7f270960b7b66e2c4e64eb8a5d9f36ef2945a190dc7c2bb79df21d01d783fee59ec0f4bcad1c5a7472d9ceb
SHA1 hash:	d07c5a20c5f928c71fe20edfc61367fa39efaf46
MD5 hash:	cb10ba8686d19b72997194ab780b1614
humanhash:	lima-xray-failed-crazy
File name:	VBS 1-15 JULIO 2025.rar
Download:	download sample
Signature	Formbook Create hunting rule
File size:	682'281 bytes
First seen:	2025-07-21 06:05:05 UTC
Last seen:	Never
File type:	rar
MIME type:	application/x-rar
ssdeep	12288:cLAfPO+SyPJh2v3xt3jT6H0/UFE9mbRx7VxPqY:cLqjPJ6Btn6/Nx77D
TLSH	T116E4235A1F7B096D5BC21E071BD3C02578B29B490B3A0DC9E8A8F65A5DC322EF1F9C44
TrID	61.5% (.RAR) RAR compressed archive (v5.0) (8000/1) 38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika	rar
Reporter	cocaman
Tags:	FormBook rar

cocaman

Malicious email (T1566.001)
From: "Carmen Ramirez <accounting@migenetika.com>" (likely spoofed)
Received: "from zen-saha.147-45-49-96.plesk.page (unknown [147.45.49.96]) "
Date: "20 Jul 2025 19:49:11 -0700"
Subject: "15 days VBS 1-15 JULIO 2025"
Attachment: "VBS 1-15 JULIO 2025.rar"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

91.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=687dd8b22f623871a5f10a0e

Tags:

autoit emotet

Verdict:

Suspicious

Labled as:

Ransom.Sabsik

Link:

https://www.hybrid-analysis.com/sample/fa65d639902f2294bea2857886549b53016dbde86d9fd25894e39c47f7047200

Verdict:

Malware

YARA:

1 match(es)

Tags:

AutoIt Decompiled Executable PDB Path PE (Portable Executable) Rar Archive Suspect

Link:

https://app.malva.re/file/cb10ba8686d19b72997194ab780b1614

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fa65d639902f2294bea2857886549b53016dbde86d9fd25894e39c47f7047200/

Threat name:

Win32.Trojan.AutoitInject

Status:

Malicious

First seen:

2025-07-21 04:15:39 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

20 of 35 (57.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7js5momqf4rjjpvcqv4imve3kmaw3ppinwp5eweu4ooep5yeoiaa._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook adware discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/250721-g18n4axms6/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/fa65d639902f2294bea2857886549b53016dbde86d9fd25894e39c47f7047200

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)