MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb76dde3ec8e034840e36445abc6bb9e614cbcf16de6201aa65170690015a097. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb76dde3ec8e034840e36445abc6bb9e614cbcf16de6201aa65170690015a097
SHA3-384 hash: e64ad077d8094f0753bf889e2b63f77d99dc31f74ab83d09ce8f7da3f7f6a6eabde0950d62f6b84d0cc643d312e891ad
SHA1 hash: e8364cc018b8719cb0a4bc2ecb1b95c29ae7e896
MD5 hash: 8fc183fdaa3d052733a30720896852a6
humanhash: nevada-skylark-speaker-social
File name:fb76dde3ec8e034840e36445abc6bb9e614cbcf16de6201aa65170690015a097
Download: download sample
Signature Formbook
Create hunting rule
File size:1'238'016 bytes
First seen:2025-10-09 15:01:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1895460fffad9475fda0c84755ecfee1 (309 x Formbook, 53 x AgentTesla, 36 x SnakeKeylogger)
ssdeep 24576:k5EmXFtKaL4/oFe5T9yyXYfP1ijXda35qoYKRMqY6UQGoKm2f:kPVt/LZeJbInQRa35ObqYjQ
Threatray 1'874 similar samples on MalwareBazaar
TLSH T1C945BF0273C1D062FFAB91734F5AF6215ABC79260123AA1F13981DB9BD701B1563E7A3
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fb76dde3ec8e034840e36445abc6bb9e614cbcf16de6201aa65170690015a097
Verdict:
No threats detected
Analysis date:
2025-10-09 23:11:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/40f7dc5f-2f74-429e-8bc5-dddf6685ff6a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31800/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e7d1218b7b147cc4b6307c
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context autoit cmd compiled-script fingerprint fingerprint keylogger lolbin microsoft_visual_cc netsh obfuscated packed packed packer_detected threat
Link:
https://www.filescan.io/uploads/68e7ecb7d4a0085473c5c184/reports/51b9ae09-64e4-4bc7-81b2-bc99688dd04f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/fb76dde3ec8e034840e36445abc6bb9e614cbcf16de6201aa65170690015a097
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-26T10:54:00Z UTC
Last seen:
2025-10-08T05:16:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/fb76dde3ec8e034840e36445abc6bb9e614cbcf16de6201aa65170690015a097/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4dac3d65-2ff9-4137-9790-707f87ca7e56
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fb76dde3ec8e034840e36445abc6bb9e614cbcf16de6201aa65170690015a097
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/8fc183fdaa3d052733a30720896852a6
Gathering data
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-09-26 19:55:30 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
28 of 36 (77.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7n3n3y7mrybuqqhdmrc2xrv3tzquzphrnxtcagvgkfygsaavuclq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
01d5ee39bc1c92fd89ac108357bbd155e92fb8ca03876846cfa8ce393b8552f1
Formbook
15923a9fc38c609142edebb4ff10369d18d53b82986c41b7d98c5037c191db06
Formbook
336b45d6525d7f84650bedc820b46047a465bb14c2e6f7829a45be9436b363d6
Formbook
6a552490f5fe075731262f257c9d49392da0534935d28492bcb8a3d8fa41bb0d
Formbook
6fc5301fd7abfbfabe7f3c0a1c83cb0d3430efcbad699eac2d8e7009f27fe82a
Formbook
7fb51ecddea989bbc4c71fb744b95e9045e64c7a534d661d972c048a40050bb7
Formbook
d2388fce0a60d21116ed3d9a6321ae23757b10305a397d8c935a56d5af321a6d
Formbook
d851f10c14fdd10ee13710f52922f04a669f6ab27fcd35e62c78ad0a3d2dfc7c
Formbook
fb16330c871833981f73ada3203538f6549a62be87150af3ba00536029ccc63b
Formbook
+ 1'864 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251009-vk1v7ssjw8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d3ef63c8-c089-42de-b233-fc7919831105
Unpacked files
SH256 hash:
fb76dde3ec8e034840e36445abc6bb9e614cbcf16de6201aa65170690015a097
MD5 hash:
8fc183fdaa3d052733a30720896852a6
SHA1 hash:
e8364cc018b8719cb0a4bc2ecb1b95c29ae7e896
Link:
https://www.unpac.me/results/be019e22-8f31-4ed1-a247-a38fb918620f/
SH256 hash:
f9a76ec4ae87cef220c54c5308a65f0b1eccc6303293b2ebd53469ca5f94aa53
MD5 hash:
f8875cbc4ffae9735bc7ec8cdc3291f2
SHA1 hash:
4c7365d7b2bc22f99f025fe61e2dbd1fb7458627
Link:
https://www.unpac.me/results/be019e22-8f31-4ed1-a247-a38fb918620f/
SH256 hash:
ff9f2fa7a9fef63f025479e1719711fa960c1e7b27ffe5e9ec49a4a34ef7d16c
MD5 hash:
bd6c5a02af6f7940d9e9e706f3c5dee9
SHA1 hash:
76852b802e4b8ddfc4d4f17494b5dc6231c33732
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/be019e22-8f31-4ed1-a247-a38fb918620f/
Parent samples :
fb76dde3ec8e034840e36445abc6bb9e614cbcf16de6201aa65170690015a097
c0f096b87b56c2082a729c2446115f69d60ca81fc551be2b7d6d02dd41af1f6f
fb4d2aa18accebccee1bac43a7b0e9b06a1a6aeaf0ac56be41e9904cb29d6c2a
bf8d154fcc6c9e8000eb86b2f45a8eba9588baa407199db8aa36f9da83a99254
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb76dde3ec8e034840e36445abc6bb9e614cbcf16de6201aa65170690015a097

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/31800/

Comments