Formbook - Malware Samples
104 samples tracked (rolling 30 days)
Last updated: 2026-04-17
This page lists the most recent Formbook malware samples collected from MalwareBazaar. Each entry includes the SHA256 hash (linked to the MalwareBazaar sample page), original file name, file type, size, and VirusTotal detection rate where available. Samples are updated daily and retained for a rolling 30-day window.
How to Use This Data
Security teams can use these hashes in several ways. Import them into your SIEM or EDR platform to detect known Formbook variants in your environment. Cross-reference file names against your email gateway logs to identify phishing campaigns delivering this family. The file type distribution reveals which delivery formats are currently in use - a shift from .exe to .msi or .js may indicate the operators are adapting to your defenses. Samples with low or missing VirusTotal detection rates are the most dangerous - these are fresh variants that may bypass signature-based protection.
About the Data
All samples are sourced from MalwareBazaar, a free malware sample sharing platform operated by abuse.ch. Detection rates come from VirusTotal. This data is provided for defensive purposes only. For the latest Formbook indicators of compromise including C2 servers and domains, see the IOC page.
| SHA256 | File Name | Type | Size | Detection | First Seen | Country |
|---|---|---|---|---|---|---|
| 2e3ae28c9dafea29... | INSOLUTI FATTURE SCADUTE.js | js | 34.2 KB | 24/61 | 2026-04-17 | - |
| aa42661229c9cff9... | Offer Quote #2026-025.js | js | 2.0 MB | 10/45 | 2026-04-17 | - |
| 6ba2db461aeeb228... | MODELO 303.js | js | 34.2 KB | 21/60 | 2026-04-17 | - |
| bc2c735f3db0ec47... | MODELO 303.js | js | 39.3 KB | 13/61 | 2026-04-17 | - |
| bb11d71564799f9f... | startup.js | js | 2.0 MB | 17/57 | 2026-04-17 | - |
| 2bec28d8646a16ac... | 20240108-051513-451604_Merge_453720.pdf.js | js | 2.0 MB | 17/62 | 2026-04-17 | - |
| 5289ce7c72bb012c... | 899096534234568.js | js | 2.0 MB | 23/61 | 2026-04-17 | - |
| a541b7ffad0c788b... | Bozze dei Documenti di Spedizione – Conferma Indirizzo.js | js | 2.0 MB | 17/61 | 2026-04-17 | - |
| bab2072b9bca8b95... | Xloader.exe | exe | 1.2 MB | 40/72 | 2026-04-17 | - |
| ff21a907e02f5ac9... | U prilogu 879-0982-4326-pdf.js | js | 1.9 MB | 11/62 | 2026-04-15 | - |
| 79adda629a75a954... | Wire payment pdf.js | js | 1.9 MB | 10/60 | 2026-04-15 | - |
| e1a3a8937909e56d... | BB MATE FATT.1-206.js | js | 44.3 KB | 22/59 | 2026-04-15 | - |
| 0801218cdfbcd063... | offlinejs.js | js | 1.9 MB | 12/62 | 2026-04-15 | - |
| bc3ac9ee4158d4ab... | RFQ PACKAGE Banco Group S.R.L ITALY_pdf.js | js | 1.9 MB | 13/62 | 2026-04-15 | - |
| f91b0a2e9b51f33f... | Order Request - CSR-204S095.js | js | 1.9 MB | 14/57 | 2026-04-15 | - |
| 41afa43a3aea61c4... | DHL-PAYMENTOVERDUE-1STREMINDER-1300712211.exe | exe | 1.0 MB | 32/72 | 2026-04-15 | - |
| 5e9416a27d346185... | SWIFT909728728728.js | js | 1.9 MB | 20/62 | 2026-04-15 | - |
| 072001c16c0663ba... | goodthingsforbetterforme.hta | hta | 280.1 KB | 16/62 | 2026-04-15 | - |
| 92354fb4e971d88d... | greatattitudeforme.hta | hta | 223.8 KB | 10/62 | 2026-04-15 | - |
| 2119f966c3d9382f... | SecuriteInfo.com.BackDoor.AgentTeslaNET.18.25868.17095 | exe | 800.5 KB | 53/71 | 2026-04-15 | - |
| 78ddb86c7e16686c... | SecuriteInfo.com.Variant.Application.Fragtor.34236.95677465 | exe | 278.5 KB | 55/72 | 2026-04-15 | - |
| 20b24b43f6ff60c5... | SecuriteInfo.com.Trojan.PackedNET.3184.12004.27998 | exe | 844.5 KB | 53/69 | 2026-04-15 | - |
| 67ff11dca6102d11... | SecuriteInfo.com.Trojan.PackedNET.3184.29967.7472 | exe | 861.0 KB | 51/69 | 2026-04-15 | - |
| 949eb105fbe7d0c4... | 949eb105fbe7d0c40f7f706002966081809592f518ee091494311292421d3f68 | exe | 276.5 KB | 40/70 | 2026-04-15 | - |
| 97a6697bdf6b79e8... | Quotation request #2026-017.js | js | 1.9 MB | not found | 2026-04-15 | - |
| 900056b089817031... | OC-28147.js | js | 2.0 MB | 19/62 | 2026-04-15 | - |
| e01ecfb4715d951f... | payment 14.04.2026.js | js | 2.0 MB | 19/62 | 2026-04-15 | - |
| 9c5df9080e5fb19a... | New instruction.js | js | 15.4 MB | 7/59 | 2026-04-15 | - |
| 33fe1536a423be11... | Order request 204S095.js | js | 1.9 MB | 9/62 | 2026-04-15 | - |
| 362dffc9bf195a6c... | MT103_12602172.js | js | 1.9 MB | 9/61 | 2026-04-15 | - |
| b9d35cbd9ed8b072... | Specifications.vbs | vbs | 4.7 MB | 13/60 | 2026-04-15 | - |
| 8d813d5d24a74b6c... | request and questionier with collaboration.zip | zip | 950.0 KB | 40/68 | 2026-04-15 | - |
| fde78edfa6163f53... | Quote Request.scr | exe | 1.1 MB | 40/69 | 2026-04-14 | - |
| 2ecf3e0440ae3443... | PO 4501058566.js | js | 2.0 MB | - | 2026-04-14 | - |
| 4afe8337c12e3ceb... | BB MATE FATT.1-206.js | js | 36.4 KB | - | 2026-04-14 | - |
| d9331017aa26e6ed... | Nuovo elenco ordini.js | js | 2.0 MB | - | 2026-04-14 | - |
| d4b8fe07ff85c9a4... | SecuriteInfo.com.Win32.MalwareX-gen.20355.26618 | exe | 1.1 MB | - | 2026-04-14 | - |
| 5e0a211f65b87058... | Purchase order PO_NO301629.js | js | 61.5 KB | 25/61 | 2026-04-14 | - |
| 050c3d865ba81f24... | Request for offer #046903.js | js | 2.0 MB | 9/51 | 2026-04-14 | - |
| 4d72a16e70bb0058... | RCN 01923.js | js | 2.0 MB | 9/38 | 2026-04-13 | - |
| 9297af5f66486d11... | RQ-401-26-000033_pdf.js | js | 2.0 MB | 20/60 | 2026-04-13 | - |
| f94ed7fc0a4a1387... | ΤΙΜΟΛΟΓΙΟ ΤΡΑΠΕΖΙΚΟΙ ΛΟΓΑΡΙΑΣΜΟΙ.js | js | 27.2 KB | 15/60 | 2026-04-13 | - |
| 4ffa238d2408ee6c... | swift payment MT103.js | js | 2.0 MB | 15/55 | 2026-04-13 | - |
| b7e00e5c34f30073... | 8948-09987-1243-457-Aviso TT SWIFT.js | js | 2.0 MB | 14/58 | 2026-04-13 | - |
| f972897482bd05ab... | PO.js | js | 398.8 KB | 16/58 | 2026-04-13 | - |
| 96a45b785e542792... | Contract DT4784994.PDF.JS | js | 11.9 MB | 11/61 | 2026-04-13 | - |
| ecd983b0de122bb6... | Contract DT4784994.PDF.zip | zip | 4.9 MB | 22/64 | 2026-04-13 | - |
| 0035d9424bdee5b5... | RFQ-010-PS(WhatsApp-IMGS).exe | exe | 1.4 MB | 50/72 | 2026-04-13 | - |
| 06319316c7d3da08... | SecuriteInfo.com.W64.MSIL_Kryptik.MUC3.ge.Eldorado.17225.5673 | exe | 1002.5 KB | - | 2026-04-13 | - |
| 6e86685cb2897146... | Detailed Specifications CAD Output Packaging Drawing_xlxs.pif | exe | 1.1 MB | 45/71 | 2026-04-12 | - |
| 7cbdc3ffa1f6afc4... | wrfvfjsl.exe | exe | 501.6 KB | 52/70 | 2026-04-11 | - |
| ec5a087e48fc68d2... | SspiCli.dll | exe | 2.3 MB | 28/72 | 2026-04-09 | - |
| cc91735a3d21f09f... | S&P 21556.js | js | 9.3 KB | 23/62 | 2026-04-09 | - |
| 610b6eb873a9a8bf... | Draft_Shipping_Documents_pdf.js | js | 3.7 MB | 15/61 | 2026-04-09 | - |
| e031abc625bdceab... | SWIFT PAYMENTMT103- RMB471329.js | js | 61.3 KB | 23/62 | 2026-04-09 | - |
| 8809ba6b44384ec4... | 024136.js | js | 62.3 KB | 21/61 | 2026-04-09 | - |
| 58d4089e9f0cdca9... | QUOTATION #45468709-96570-01.vbs | vbs | 23.1 KB | 24/61 | 2026-04-09 | - |
| c7f7dd3b0a3b0f39... | PO-05870-MQ-05868-QTN-1000-04-2026-PR08586.js | js | 1.9 MB | 22/61 | 2026-04-09 | - |
| 4af155941c33440f... | MT103 PAYMENT 67839900290.vbs | vbs | 23.1 KB | 25/62 | 2026-04-09 | - |
| b4bca79a4aabe36e... | PO_Documents_specification.catalog2026.JS | js | 3.8 MB | 17/62 | 2026-04-09 | - |
| 68f76d6afc51ec80... | AWB.DHLSHIPPINGDOC.bat | exe | 1.3 MB | 48/71 | 2026-04-09 | - |
| 4887a457b13116ba... | Pedido de Cotação nº 08042026.vbs | vbs | 2.8 MB | 15/49 | 2026-04-08 | - |
| 69fe3d4b77a8c34c... | Pedido de Cotação nº 08042026_pdf.r00 | r00 | 25.5 KB | 23/63 | 2026-04-08 | - |
| 3680ce1ea0b26bed... | APRIL PURCHASE ORDER#.60055911.scr.exe | exe | 1.0 MB | 49/72 | 2026-04-08 | - |
| c35e59265869e383... | rnek_sipari.js | js | 11.7 MB | 16/62 | 2026-04-08 | - |
| 4a33d0f6978c92df... | Purchase Order no. 4100021754.JS | js | 11.8 MB | 19/60 | 2026-04-08 | - |
| 82024b293b8ce6ac... | RFQ 0420.bat | exe | 1.2 MB | 48/70 | 2026-04-08 | - |
| 903ec037859ba0e1... | 5439286090.exe | exe | 1.1 MB | 51/70 | 2026-04-08 | - |
| cb48a1b95924a62d... | HBL_SEH26030005.exe | exe | 1.2 MB | 50/71 | 2026-04-07 | - |
| e17e39d20c194119... | SCB 3668696365-006YTS76.JS | js | 4.4 MB | 22/61 | 2026-04-07 | - |
| af3f5610187dd9fa... | PO-000806758.exe | exe | 1.2 MB | 39/70 | 2026-04-07 | - |
| 18f9f0b849d120f1... | PO No. 4500425000.js | js | 1.9 MB | 23/61 | 2026-04-07 | - |
| 04ed8e5814b643d4... | z1InvoicePayment4632.scr | exe | 1.0 MB | 22/71 | 2026-04-07 | - |
| c881b775bf291491... | Request for Quotation-RFQ NO000020260407.vbs | vbs | 2.7 MB | 15/61 | 2026-04-07 | - |
| d59186e4e3aedd78... | ps_sU8IWW6cqFtT_1775543815932.ps1 | ps1 | 1.4 MB | 4/62 | 2026-04-07 | - |
| f80d48fd9da246ff... | f80d48fd9da246ff8ae107a28547269af8a6043597b381d1d8bbd6de3fdf5dcc.js | js | 2.0 MB | 14/61 | 2026-04-07 | - |
| 6d43947b19ef3788... | Order Acceptance.js | js | 1.9 MB | 16/62 | 2026-04-07 | - |
| c2474da768d306df... | USD BANK DETAILS.js | js | 1.9 MB | 16/62 | 2026-04-07 | - |
| b8fd3878d6797ad9... | Order Acceptance.zip | zip | 1.3 MB | 15/66 | 2026-04-07 | - |
| bcce0774de4a4c31... | USD BANK DETAILS.PDF.zip | zip | 1.3 MB | 14/65 | 2026-04-07 | - |
| 9029bab7100d209f... | SecuriteInfo.com.Win64.MalwareX-gen.19538.15568 | exe | 1.1 MB | 20/72 | 2026-04-07 | - |
| f37e88ccac15a8cb... | revised Our PO# PO00436030.pdf.exe | exe | 1.2 MB | 48/72 | 2026-04-06 | - |
| a8e8d4768f4c1a93... | New PO 1437.exe | exe | 1.2 MB | 34/71 | 2026-04-02 | - |
| 3dc175bf861340b9... | Request for Quotation No.CNT-CON-000-002820 of EPC for Ain Tsila Development Project.exe | exe | 1.2 MB | 27/70 | 2026-04-02 | - |
| 132477f7a2dd9976... | rORDERO_17126.vbs | vbs | 324.4 KB | 1/61 | 2026-04-01 | - |
| 76cc2e6844b7360c... | Purchase Order-PO56677-RVS.scr | exe | 1.2 MB | 36/71 | 2026-04-01 | - |
| 26ca72273622f6e1... | EURO9083783783.JS | js | 11.7 MB | 9/61 | 2026-04-01 | - |
| 427262d7adf1425d... | 01042026_1515_01042026_EURO9083783783.zip | zip | 4.9 MB | 17/64 | 2026-04-01 | - |
| c543d899e5571167... | SAP Ariba ADNOC Contract.js | js | 2.0 MB | 15/61 | 2026-04-01 | - |
| 844591a27c1906e6... | doc003.js | js | 337.4 KB | 17/59 | 2026-04-01 | - |
| d285d4d5975a8e8a... | PO2026033046789644.js | js | 358.4 KB | 19/60 | 2026-04-01 | - |
| e5de1daebc620b7a... | kotacija 31.3.2026..js | js | 28.1 KB | 22/61 | 2026-04-01 | - |
| 6f64605014974a7d... | 11503-電信費電子通知單·pdf.js | js | 28.1 KB | 18/59 | 2026-04-01 | - |
| 0ed5d0929110c2aa... | 9.027 liwg SWIFT.js | js | 28.0 KB | 18/60 | 2026-04-01 | - |
| 5afe509234bf8ce2... | doc0001.js | js | 272.4 KB | 10/61 | 2026-04-01 | - |
| cda6a5e6cfad4f58... | Purchase Order-PO66576.cmd | exe | 1.1 MB | 52/71 | 2026-04-01 | - |
| 06b4ddac05fc7398... | NEW ORDER.com | exe | 969.5 KB | 51/70 | 2026-04-01 | - |
| ff8546c70bd0c5c9... | license.js | js | 66.4 KB | 11/61 | 2026-04-01 | - |
| bc5a3c85389bd562... | BL, NOA & INV BL NO SNKO020260313219.js | js | 1.8 MB | 12/61 | 2026-04-01 | - |
| 8c330b8513d50472... | BL, NOA & INV BL NO SNKO020260313219.arj | arj | 1.2 MB | 12/61 | 2026-04-01 | - |