MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbbb5b74e9d1d24d79f9ca7f8dc44dac9ea7663d666ee829bc5e2d2cbcec3174. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 17



SHA256 hash: fbbb5b74e9d1d24d79f9ca7f8dc44dac9ea7663d666ee829bc5e2d2cbcec3174
SHA3-384 hash: 79d44ce29d694a98f004378b277c5d1cf25eb6604e845a2bc040171d6e4da723c30d9c694073b195898750e09458722a
SHA1 hash: 275dc4dc7584d05ccd76d90f992af8c66dab34dc
MD5 hash: f4b19ddac26cc4add956fb01856469d0
humanhash: six-nitrogen-papa-winner
File name: TENDER_33AAACL1880A1Z4___PAN_No.AAACL1880A.bat.exe
Signature: Formbook
File size: 1'085'440 bytes
First seen: 2026-07-03 18:00:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (49'081 x AgentTesla, 20'056 x Formbook, 12'353 x SnakeKeylogger)
ssdeep: 24576:62VM/c9vJGQXIUEaTR7HEzZrGJxi4Y14:zM/WEQXIUEaToIi
Threatray: 156 similar samples on MalwareBazaar
TLSH: T1D635F119A1A7C802E57A0F728CF5E1B01331AD96F232D61F1FD11EEB76633516D8272A
TrID: 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: TomU
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 140
Origin country: CH
Vendor Threat Intelligence
Malware configuration found for: NETReactor RoboSki
Details
Malware family: n/a
ID: 1
File name: exe
Verdict: Suspicious activity
Analysis date: 2026-07-03 18:18:46 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.1%
Tags: virus shell msil
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a service
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Adding an exclusion to Microsoft Defender
Verdict: Malicious
File Type: exe x32
First seen: 2026-06-25T04:44:00Z UTC
Last seen: 2026-07-04T14:09:00Z UTC
Hits: ~1000
Detections: Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Backdoor.MSIL.XWorm.gen Trojan-Spy.Win32.Noon.sb Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C Trojan.Win32.Agent.sb
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2026-06-25 07:43:04 UTC
File Type: PE (.Net Exe)
Extracted files: 11
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook discovery execution rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Family: Formbook
Formbook payload
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe fbbb5b74e9d1d24d79f9ca7f8dc44dac9ea7663d666ee829bc5e2d2cbcec3174 (this sample)

Delivery method: Distributed via e-mail attachment
