MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
SHA3-384 hash: 59727908dd6a6170e48c05a3002e38d940ad07e2168607e11d7d89648420695d4b256daf26b6e203fe157ebecb4f5716
SHA1 hash: fae4ba1974b3ef76d82de9183a63d085ad769d2b
MD5 hash: 41c53577d2f4bfa75af06d6c60e9c9f3
humanhash: illinois-cold-steak-steak
File name:Quotation Request.cmd
Download: download sample
Signature Formbook
Create hunting rule
File size:1'161'728 bytes
First seen:2026-03-19 08:55:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'845 x AgentTesla, 19'775 x Formbook, 12'298 x SnakeKeylogger)
ssdeep 24576:oych15rXDMJMVqoB9MVa0eWMqMRnskG4oR1LE:o/vDMJTobaaJWMNskG9rE
Threatray 2'656 similar samples on MalwareBazaar
TLSH T1C03512543728DA52D8AF977456B1D2342330AE6ED853D717AFD03EEB38B3710462A683
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
RoboSki
a decrypted ReZer0 component and possibly a decryption component
Link:
https://research.acce.ciphertechsolutions.com/results/544e2a09-9241-454e-b635-54296e28c9d9/
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Quotation Request.cmd
Verdict:
Malicious activity
Analysis date:
2026-03-19 08:57:42 UTC
Tags:
auto-startup susp-lnk formbook xloader
Link:
https://app.any.run/tasks/181bfd30-af32-4df8-a89f-e449b0319bfe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/58092/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bbba3588c80c01586bef90
Tags:
autorun shell micro sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Launching a process
Creating a file
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
krypt masquerade packed vbnet
Link:
https://www.filescan.io/uploads/69bbba302000fc76c3ec5d10/reports/3c3359e5-4ab1-4805-b384-426677726098/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
Verdict:
Malicious
File Type:
exe x32
Detections:
HEUR:Trojan.WinLNK.Powecod.e Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Agent.sb Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen Backdoor.Agent.HTTP.C&C Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7894d2d6-6501-4a40-9311-8879e76d91dc
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1886180
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1886180 Sample: Quotation Request.cmd.exe Startdate: 19/03/2026 Architecture: WINDOWS Score: 100 52 www.nudeedinburgh.co.uk 2->52 54 www.jq8tl1.click 2->54 56 15 other IPs or domains 2->56 86 Suricata IDS alerts for network traffic 2->86 88 Antivirus / Scanner detection for submitted sample 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 12 other signatures 2->92 11 Quotation Request.cmd.exe 7 2->11         started        15 powershell.exe 15 2->15         started        signatures3 process4 file5 46 C:\Users\user\AppData\Roaming\CbDkNXFYY.exe, PE32 11->46 dropped 48 C:\Users\...\CbDkNXFYY.exe:Zone.Identifier, ASCII 11->48 dropped 50 C:\Users\...\Quotation Request.cmd.exe.log, ASCII 11->50 dropped 94 Writes to foreign memory regions 11->94 96 Allocates memory in foreign processes 11->96 98 Adds a directory exclusion to Windows Defender 11->98 100 Injects a PE file into a foreign processes 11->100 17 MSBuild.exe 11->17         started        20 powershell.exe 23 11->20         started        22 CbDkNXFYY.exe 5 15->22         started        24 conhost.exe 1 15->24         started        signatures6 process7 signatures8 64 Maps a DLL or memory area into another process 17->64 66 Unusual module load detection (module proxying) 17->66 26 1w5Fbe0MW.exe 17->26 injected 68 Loading BitLocker PowerShell Module 20->68 28 conhost.exe 20->28         started        70 Antivirus detection for dropped file 22->70 72 Writes to foreign memory regions 22->72 74 Allocates memory in foreign processes 22->74 76 Injects a PE file into a foreign processes 22->76 30 MSBuild.exe 22->30         started        32 MSBuild.exe 22->32         started        process9 process10 34 wextract.exe 13 26->34         started        signatures11 78 Tries to steal Mail credentials (via file / registry access) 34->78 80 Tries to harvest and steal browser information (history, passwords, etc) 34->80 82 Modifies the context of a thread in another process (thread injection) 34->82 84 4 other signatures 34->84 37 KzmYprHOa7yL.exe 34->37 injected 40 chrome.exe 34->40         started        42 firefox.exe 34->42         started        process12 dnsIp13 58 www.nudeedinburgh.co.uk 212.227.172.250, 49699, 80 ONEANDONE-ASBrauerstrasse48DE Germany 37->58 60 www.jq8tl1.click 18.201.116.200, 49701, 49702, 49703 AMAZON-02US United States 37->60 62 www.munsuroiaan-ulsan.kr 211.233.50.248, 80 KEBHANACARDNET-AS-KRHANASKcardKR Korea Republic of 37->62 44 WerFault.exe 40->44         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2026-03-19 08:56:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gfx64v6wabfrqocxnoyxqik4tg2wuc6tpias5bsqzuujqba7m6cq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
25230a687002161160427e213dcdd2a17ae50d9b3ba9679916e238b55b61a6d2
Formbook
316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
Formbook
5a721e420c6fc129a198af6fd7458202c574cff68e0b60b4372a8af5767bd2d9
Formbook
5c0320d2f4ccb84a48c255a3db4057771046db1fb5ee1923354d8518932b42a7
Formbook
61faeb3857dc422b26292ff17b24a2ed3cb18415f8c0a6f64a707c51a0a9c147
Formbook
680c3a1fe5c2fe5a84ae9d575f1ef6f4a28dec59090a4018363e58635536e07a
Formbook
ac5d5a1c08b75129823ff12311b40cab133ad654b70fb44a77c8c4c6453f3972
Formbook
b32d05c6d0606ae99980ac52e9acbae681e7c35936abca1aa7bbc66bc25bb0e5
Formbook
c9a7422e9bda1f8e36f23648857c16fe5332be73c474503b6502eccf4d5ed059
Formbook
error
Formbook
+ 2'646 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/260319-kv6t4acz6l/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
SH256 hash:
316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
MD5 hash:
41c53577d2f4bfa75af06d6c60e9c9f3
SHA1 hash:
fae4ba1974b3ef76d82de9183a63d085ad769d2b
Link:
https://www.unpac.me/results/505a279f-5d3b-46d9-8f6e-c9f3c864802a/
SH256 hash:
0027f08b2c6cdd557d2e782e368f61e3f5563025ca5cb9d08b10d1ecc536955c
MD5 hash:
19277088bf4a37e6faba68b37a71ee34
SHA1 hash:
64869c56081d907792b867e7a6d516e43215cb91
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/505a279f-5d3b-46d9-8f6e-c9f3c864802a/
SH256 hash:
b9abdf181a8746c43cd3665ce5c45ff33ddb8916b400454a26b2cb3e346bc194
MD5 hash:
e29ddeebef1fd4ef69698fa2ee7b1d65
SHA1 hash:
919b0e3bfc023f595dfb4e83688a96970dc5fa2b
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/505a279f-5d3b-46d9-8f6e-c9f3c864802a/
Parent samples :
8b012d3d775bd32f503cb84a6889d786c06623eeb8c840bd8c03073971530f52
88e156291d0a765e5c9b60daa6bd53c6ad75022e63ab286effe120aa6c16c222
316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
046ebdd9e30338c5c6880ca8e8c7da3c37a3fd05611e9c21310ec5989f98095a
9612b142e2991ff8c9b66b283b9727cd8d2b5afff8521e8bb8806d36dcab5c43
08a1f9ca335c195d028e5f47b94f7e3b56945332b5f503ef60cdbba99c27998f
f034f4756f307c1c27424059cec7bc7f975493377588e086ea94721b38a68999
6a3368fb5ffab1283df539c6f17cb1244b563f5a3ad94d96adcde2dcadab66ae
7c40815633530147ad907fdc252aad2761fe35088020db35c4325dcc0f4d3329
SH256 hash:
06bdd639384f86791df60c7499ef32b223206990a77b5c3af28495f713448ec9
MD5 hash:
f53b0638dc8b3ad9a90974af6ee4e5a0
SHA1 hash:
faf16e7534123aca85834dfc96183e90aa7aeac2
Link:
https://www.unpac.me/results/505a279f-5d3b-46d9-8f6e-c9f3c864802a/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/316fee57d600/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_DIFF_Common_Strings_01
Create hunting rule
Author:schmidtsz
Description:Identify partial Agent Tesla strings
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/58092/

Comments