MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 203e8e937149c92740b6fc6293ee458aa431ff4c4ca81539e7b91adff659c7a5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 27 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 203e8e937149c92740b6fc6293ee458aa431ff4c4ca81539e7b91adff659c7a5
SHA3-384 hash: 29943fc59f5b1256b6ddb4dc940770c5f3c5409ce8ad53aacc6f432920c93f1cf30074ff3e76a005f6c07e2a0e56b973
SHA1 hash: b2bb1521d75a3bafbca91790df739d8fae288026
MD5 hash: c350bcacbf085d7d857514b2b2864f4e
humanhash: stream-ten-video-green
File name:RFQSATPL25-PO7488545.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:914'432 bytes
First seen:2025-09-09 14:28:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:gPX97gN5LykrwPitz+w5J0T9jA7AzHu1B2s:cX9ECiZx5K5GAzuf2
Threatray 987 similar samples on MalwareBazaar
TLSH T1E515D05032A99D07E0B64AF546B1E2B10BB5AE59B966D2CF8DC23CCF79F2F410642707
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter aachum
Tags:exe FormBook RFQ xloader

Intelligence

File Origin
# of uploads :
1
# of downloads :
394
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
RFQSATPL25-PO7488545.exe
Verdict:
Malicious activity
Analysis date:
2025-09-09 14:32:56 UTC
Tags:
auto-sch-xml formbook xloader stealer
Link:
https://app.any.run/tasks/aaaf836d-84e0-402d-bbeb-141e1568def4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26505/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c039a76e66ba602d796e47
Tags:
krypt spawn msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego vbc zero
Link:
https://www.filescan.io/uploads/68c0399f1b52c70384b83b21/reports/3b2991a6-6b0d-4dc2-8bd2-00a24ed9ed9c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/203e8e937149c92740b6fc6293ee458aa431ff4c4ca81539e7b91adff659c7a5
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-08T23:18:00Z UTC
Last seen:
2025-09-08T23:18:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/203e8e937149c92740b6fc6293ee458aa431ff4c4ca81539e7b91adff659c7a5/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/23c9da9e-2acc-4aea-9af5-6158a6f81832
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1774027
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1774027 Sample: RFQSATPL25-PO7488545.exe Startdate: 09/09/2025 Architecture: WINDOWS Score: 100 64 www.ztg50.top 2->64 66 www.bloxtools.website 2->66 74 Suricata IDS alerts for network traffic 2->74 76 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->76 78 Sigma detected: Scheduled temp file as task from temp location 2->78 80 8 other signatures 2->80 10 RFQSATPL25-PO7488545.exe 7 2->10         started        14 ejXtzSJLJVCQnI.exe 5 2->14         started        signatures3 process4 file5 56 C:\Users\user\AppData\...\ejXtzSJLJVCQnI.exe, PE32 10->56 dropped 58 C:\...\ejXtzSJLJVCQnI.exe:Zone.Identifier, ASCII 10->58 dropped 60 C:\Users\user\AppData\Local\...\tmpE555.tmp, XML 10->60 dropped 62 C:\Users\...\RFQSATPL25-PO7488545.exe.log, ASCII 10->62 dropped 84 Uses schtasks.exe or at.exe to add and modify task schedules 10->84 86 Adds a directory exclusion to Windows Defender 10->86 88 Injects a PE file into a foreign processes 10->88 16 RFQSATPL25-PO7488545.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        29 2 other processes 10->29 90 Multi AV Scanner detection for dropped file 14->90 23 ejXtzSJLJVCQnI.exe 14->23         started        25 schtasks.exe 1 14->25         started        27 ejXtzSJLJVCQnI.exe 14->27         started        signatures6 process7 signatures8 70 Maps a DLL or memory area into another process 16->70 31 FdaawCvay.exe 16->31 injected 72 Loading BitLocker PowerShell Module 19->72 33 conhost.exe 19->33         started        35 WmiPrvSE.exe 19->35         started        37 conhost.exe 21->37         started        39 XgSdxZna1xuK.exe 23->39 injected 42 conhost.exe 25->42         started        44 conhost.exe 29->44         started        process9 signatures10 46 sethc.exe 13 31->46         started        82 Maps a DLL or memory area into another process 39->82 49 sethc.exe 39->49         started        process11 signatures12 92 Tries to steal Mail credentials (via file / registry access) 46->92 94 Tries to harvest and steal browser information (history, passwords, etc) 46->94 96 Maps a DLL or memory area into another process 46->96 98 2 other signatures 46->98 51 tLJFpyv39fs.exe 46->51 injected 54 chrome.exe 46->54         started        process13 dnsIp14 68 www.bloxtools.website 198.23.53.106, 49690, 80 STEADFASTUS United States 51->68
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/203e8e937149c92740b6fc6293ee458aa431ff4c4ca81539e7b91adff659c7a5
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.19 Win 32 Exe x86
Link:
https://app.malva.re/file/c350bcacbf085d7d857514b2b2864f4e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/203e8e937149c92740b6fc6293ee458aa431ff4c4ca81539e7b91adff659c7a5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2025-09-09 02:31:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
41
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ea7i5e3rjhesoqfw7rrjh3sfrksdd72mjsubkophxenn75szy6sq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
046ca2dc433d9474ce7222ad4f6c0aa89a3caaab42e6c3c76f260a6c2ff241c8
Formbook
2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d
Formbook
38c7e35b5c3ffd6988ed96a7edf1bfab263257f08740550324500b7f776e0de1
Formbook
394052f1b64477e13f76845563cb611aaeb78fc8a153f262ec44326c9606d2c0
Formbook
5b50cbb52c090dd0bddb9d9cf1801147fef289051354e618344e27a1375c63f0
Formbook
d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a
Formbook
e087ef304badb09dbb8b38a88337c5e2d4a0d3fc174d75817e622fdd8f5a6722
Formbook
eb74479516ffeab5be2a7b758719121a905bca9574c2bb39f8288c038b2c2c33
Formbook
error
Formbook
f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04
Formbook
ffc8f79b6654ee83f5afac0fa12a5eeb666dc73b11d05c7fba51e7acab5928de
Formbook
+ 977 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/250909-rtdv9axtcz/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f429ad16-1ad3-4ce2-9acf-357fadfb5ffd
Unpacked files
SH256 hash:
203e8e937149c92740b6fc6293ee458aa431ff4c4ca81539e7b91adff659c7a5
MD5 hash:
c350bcacbf085d7d857514b2b2864f4e
SHA1 hash:
b2bb1521d75a3bafbca91790df739d8fae288026
Link:
https://www.unpac.me/results/eb169994-edab-4b3c-a61a-615eb68f5d6a/
SH256 hash:
bfd9e784b16c080df91c5019b42a50655c4fefb46bf761f5f19e0b686643c5bb
MD5 hash:
64f04cb0f4a616ad6227723ddec4a13c
SHA1 hash:
12dedd0357cfccb9ef03a62f35b9bf519fe8868a
Link:
https://www.unpac.me/results/eb169994-edab-4b3c-a61a-615eb68f5d6a/
SH256 hash:
3e674b562fe0906e2cd4769ba39466254cfeafb473d8900000dd42d47b5719bb
MD5 hash:
506336e740ccff4d4f5d5bc03bf83c0b
SHA1 hash:
43e9121ca476f98b0e629bca933eb9ebee10fe31
Link:
https://www.unpac.me/results/eb169994-edab-4b3c-a61a-615eb68f5d6a/
SH256 hash:
f5c10e49d27eea7e6abbee91705599dab9165ddf8e609c87055d6d92dfd6777e
MD5 hash:
c11aac49e61d14a37b705060ad679846
SHA1 hash:
f6c1febaf4ec9d3dd16b2b6c9fbddfe471428abe
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/eb169994-edab-4b3c-a61a-615eb68f5d6a/
SH256 hash:
657e42dabf0cbca0300bd30f493ff1ebe87d2c847f6cfeb67d87c7e018e00a88
MD5 hash:
08e190a81b09610e20e70da9e244712a
SHA1 hash:
036680a69f5aaa89ff29f79aac65d80268c09e9c
Link:
https://www.unpac.me/results/eb169994-edab-4b3c-a61a-615eb68f5d6a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/203e8e937149/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/203e8e937149c92740b6fc6293ee458aa431ff4c4ca81539e7b91adff659c7a5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:Formbook
Create hunting rule
Author:kevoreilly
Description:Formbook Payload
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 203e8e937149c92740b6fc6293ee458aa431ff4c4ca81539e7b91adff659c7a5

(this sample)

  
Link
https://tria.ge/250909-l6ck3aam5z/behavioral1
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26505/

Comments