MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde
SHA3-384 hash: 375c2babfdbdc87a4793bc73041dfb32afe64f51871cab3608b6892aeb113842141b4a3ad33d9ee05e2db501bdc863a0
SHA1 hash: a1985ea4132ccd8dffe3afa0e9f2794d946c77a1
MD5 hash: 1de00436bf3f7cb15fec7a8a682f2562
humanhash: undress-victor-virginia-island
File name:z16CVLicHSErikaAndrade.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'179'648 bytes
First seen:2025-10-07 13:30:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91d07a5e22681e70764519ae943a5883 (93 x Formbook, 14 x RemcosRAT, 11 x AgentTesla)
ssdeep 24576:ttb20pkaCqT5TBWgNQ7aFBSJecii5UwdPlzltvk6A:eVg5tQ7aFB+J+kPlpi5
Threatray 2'733 similar samples on MalwareBazaar
TLSH T10245C01373DEC361C7B25273BA257701BEBB782506A5F56B2FD8093DE820122525EA73
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter FXOLabs
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
BR BR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde.exe
Verdict:
No threats detected
Analysis date:
2025-10-07 13:32:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e4d2d994-bcce-49a0-ab82-f1dd399f8ffc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30960/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e51625277c2bd8bc5d6aad
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit cmdkey compiled-script evasive fingerprint hacktool keylogger lolbin microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/68e516215a3bccf09ebb7ce4/reports/db996c14-c209-4a27-a9a6-acb3c87e55e2/overview
Verdict:
Malicious
Labled as:
AIT:Trojan.Nymeria
Link:
https://www.hybrid-analysis.com/sample/4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-07T07:00:00Z UTC
Last seen:
2025-10-09T11:09:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6e9741fe-6afc-466e-a012-10c7a7ea0499
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/1de00436bf3f7cb15fec7a8a682f2562
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-10-07 09:59:30 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
26 of 37 (70.27%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jruy4arty7sf7krmqmnhey6tgdtmmlhaciesaj26gm6xmizxrppa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
autoit
Create hunting rule
Similar samples:
05da500934c4ab1b7bbc5e366f571bfe47d99a24efb4419966029f6fb8732de2
Formbook
07351022141ffd0655322cbcb9bc66d32353fe5c7040d81324a2bceb23514126
Formbook
170c2b10322d1b2bbd5403091730544828633e2bdf59af1134b1ae1898a8d90c
Formbook
5fcfd8333c4687790ed53e4783d8b2ac2d082059f7f1b14e92dd24e41e831740
Formbook
90b33d8252b9470d19ac4aff278e6470c04bafe0a04cf143b61880257ca13157
Formbook
a21182bf32d320deebafbf52f06c370fe3762ec55793e09df10ce9e27bfe799a
Formbook
affbb0db85505a477fad583411e0361f0502ef4d9c46059da31ca85eb0e0b5d6
Formbook
b99465dde28898f671538e21692d17def78b40a44b6765093ce3940668614cc7
Formbook
dedf48566d8ce2a8f63e5e8aac7892ce8f2ff7cb95ad0a1a3222245b9645d2ca
Formbook
error
Formbook
faccf8d466113be926dc374092d8424d02329e469b4984d7f988b1a8cd1d1aa3
Formbook
+ 2'723 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251007-qsekqaszay/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/63bf0da5-3612-4934-9907-e02654acf7e0
Unpacked files
SH256 hash:
4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde
MD5 hash:
1de00436bf3f7cb15fec7a8a682f2562
SHA1 hash:
a1985ea4132ccd8dffe3afa0e9f2794d946c77a1
Link:
https://www.unpac.me/results/e2036296-fb91-41c8-81a2-bd39a42a4c24/
SH256 hash:
b3ca467106239f9fa072fbb0242b5eda8d6700c9d34d65e2386d8b0b159f571d
MD5 hash:
61e1f63c1ce87431ad3e5905f9762247
SHA1 hash:
e5c9ad3c2bfecabef6a504e96ce59bdbf821329c
Link:
https://www.unpac.me/results/e2036296-fb91-41c8-81a2-bd39a42a4c24/
SH256 hash:
f4a07169bd0ecc0de293bd0e675fa8c7ca32a7bc657cefe73d28548f4e876567
MD5 hash:
b9c1a8c54e877c9aa88603df01f03042
SHA1 hash:
54dd69f52990d8c6a80b4239931a944d57214568
Link:
https://www.unpac.me/results/e2036296-fb91-41c8-81a2-bd39a42a4c24/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4c698e0233c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 4c698e0233c7e45faa2c831a7263d330e6c62ce0120920275e333d7623378bde

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30960/

Comments