MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c3986cc2354ae8cb2eea13b9b853bbf001bb58c81f4340a6e0a7a72464a70bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c3986cc2354ae8cb2eea13b9b853bbf001bb58c81f4340a6e0a7a72464a70bf
SHA3-384 hash: 8132731014b62b3114db2686d0f1b3721a2a0897f43399955e35bcf99d92f22a39dbed27ebb5739ab5db631c2cd2dd44
SHA1 hash: 6355cd5a5f562670d669dc930f2d2f193e78f76f
MD5 hash: 0b9c022bb4bf1dd3c425624472cd5ce8
humanhash: bravo-helium-jersey-pip
File name:PO345657.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'164'288 bytes
First seen:2026-03-02 16:39:43 UTC
Last seen:2026-03-02 17:21:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:QaNoKPv1GK1IwYSwIQR0xxx407vzpfmqZGOJ5mpOdKgI5aO:QaNoK31IwY+xxZnDYRU
Threatray 53 similar samples on MalwareBazaar
TLSH T19445F11066A6DC16C37D873218A5F17C87748EC6B111D25A7EDE7EEB7B2AB0109C2783
TrID 44.6% (.EXE) Win64 Executable (generic) (6522/11/2)
14.0% (.ICL) Windows Icons Library (generic) (2059/9)
13.8% (.EXE) OS/2 Executable (generic) (2029/13)
13.7% (.EXE) Generic Win/DOS Executable (2002/3)
13.6% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter BlinkzSec
Tags:exe FormBook katz-adv-br

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
ES ES
Vendor Threat Intelligence
Malware configuration found for:
NETReactor
Details
Link:
https://research.acce.ciphertechsolutions.com/results/3e09673c-3d4b-4bf4-a200-4f329fda6085/
Malware family:
n/a
ID:
1
File name:
PO345657.exe
Verdict:
Malicious activity
Analysis date:
2026-03-02 16:44:04 UTC
Tags:
auto-sch-xml
Link:
https://app.any.run/tasks/7c8d4d72-7b12-46d9-b9c7-810d7aefb9fe

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/55284/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3463.28963.31363.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a5bd82002d37d5c982d3e9
Tags:
stration shell spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Dacic.10860.Generic
Link:
https://www.hybrid-analysis.com/sample/3c3986cc2354ae8cb2eea13b9b853bbf001bb58c81f4340a6e0a7a72464a70bf
Result
Gathering data
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/79e23e43-fec4-4a1d-9e62-4f7e2ceeed01
Score:
87%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3c3986cc2354ae8cb2eea13b9b853bbf001bb58c81f4340a6e0a7a72464a70bf
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c3986cc2354ae8cb2eea13b9b853bbf001bb58c81f4340a6e0a7a72464a70bf/
Verdict:
Malicious
Threat:
Trojan.MSIL.Injuke
Link:
https://tip.neiki.dev/file/3c3986cc2354ae8cb2eea13b9b853bbf001bb58c81f4340a6e0a7a72464a70bf
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2026-03-02 16:31:38 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
41
AV detection:
12 of 36 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hq4yntbdksxizmxoue5zxbj3x4abxnmmqh2dictobj5herskoc7q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
049d02bca5fcfb5cc8f429493bd150a2363cfafc940a51fb60af9c298946cafa
Formbook
0c82b648de097a84476eae0187e6ae187b4ec872a57cb2dd80aa2c5fdac05df3
Formbook
3c3986cc2354ae8cb2eea13b9b853bbf001bb58c81f4340a6e0a7a72464a70bf
Formbook
66d0c643f5aa03a5b4303caf17c128e0dc030530f22da3af6ed927cbc9e4f1d6
Formbook
6ada3dbbc2aa231410d0771ed257416992f1f20efec7609940a080464f6e6ade
Formbook
6b15d702539c47fd54a63bda4d309e06d3c0b92d150f61c0b8b65eae787680be
Formbook
85cffbf528025f8a8af7935e9e1ef285a9da23cb8f454b78143ab2960d339a15
Formbook
99e787914a65e928c023070c9a029cf58d4e405e4952bbb1142b1c8e53edfcc6
Formbook
d93a5d602961d1d23e77b613866be9056abe8f5c833776a20a2635fbbad772d8
Formbook
error
Formbook
+ 43 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/260302-t6qrpahw5a/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
SH256 hash:
3c3986cc2354ae8cb2eea13b9b853bbf001bb58c81f4340a6e0a7a72464a70bf
MD5 hash:
0b9c022bb4bf1dd3c425624472cd5ce8
SHA1 hash:
6355cd5a5f562670d669dc930f2d2f193e78f76f
Link:
https://www.unpac.me/results/40749f8e-ee8c-4407-a6d7-c719fe5231c4/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3c3986cc2354/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c3986cc2354ae8cb2eea13b9b853bbf001bb58c81f4340a6e0a7a72464a70bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe 3c3986cc2354ae8cb2eea13b9b853bbf001bb58c81f4340a6e0a7a72464a70bf

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/55284/
  
URLhaus
https://urlhaus.abuse.ch/url/3788620/

Comments