MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3721fdc1d4f9179cec068cac23a723fdf2bba91ab354811266d90defbcffc1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3721fdc1d4f9179cec068cac23a723fdf2bba91ab354811266d90defbcffc1f
SHA3-384 hash: 8b9f490284670f11780fefd6c12bcad3303bd17e0011cde3821df6595043224358fb5950493a207c9943eef1830f7060
SHA1 hash: d6dffa591345e3e1fb4806a676f07a31721942d2
MD5 hash: 8b1559c9e441e9a6944074cbc450f3ec
humanhash: oscar-bluebird-blue-spring
File name:Elite Shipment pdf.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:800'256 bytes
First seen:2025-07-14 12:54:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:l6FAkO9AFtK1fR0OWgzUpIJURj7oYbCr9Qv4QsHmZrCbEixnewakD5Uj3:7kQCtKPhEpIWRj0vrbQa170wamuj
Threatray 28 similar samples on MalwareBazaar
TLSH T1870501637506F922CCA063B95668E3B9123D5E88E423C38745F9BE7B3D427932DD49C2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon f0d4e68a9abcf071 (2 x Formbook, 1 x SnakeKeylogger, 1 x VIPKeylogger)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
40
Origin country :
US US
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
09072025_1013_08072025_EliteShipmentpdf.pdf.z
Verdict:
Malicious activity
Analysis date:
2025-07-09 10:24:19 UTC
Tags:
arch-exec netreactor formbook xloader stealer
Link:
https://app.any.run/tasks/a881272f-a86a-49b4-8820-8795974ab104

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14232/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686e4353c9eb97473767dc30
Tags:
underscore extens micro spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a file
Сreating synchronization primitives
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 bitmap lolbin masquerade msbuild obfuscated packed packed reconnaissance regsvcs rezer0 roboski schtasks stego vbc vbnet zero
Link:
https://www.filescan.io/uploads/6874fe061bf7248a928ad929/reports/7c289346-46fc-408c-9a7b-a33c1bad172c/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/a3721fdc1d4f9179cec068cac23a723fdf2bba91ab354811266d90defbcffc1f
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba59e7f2-ff32-43cb-b35c-0301e33bfcfb
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a3721fdc1d4f9179cec068cac23a723fdf2bba91ab354811266d90defbcffc1f
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.02 Win 32 Exe x86
Link:
https://app.malva.re/file/8b1559c9e441e9a6944074cbc450f3ec
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3721fdc1d4f9179cec068cac23a723fdf2bba91ab354811266d90defbcffc1f/
Verdict:
Malicious
Threat:
trojan.msil/noon
Link:
https://tip.neiki.dev/file/a3721fdc1d4f9179cec068cac23a723fdf2bba91ab354811266d90defbcffc1f
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-07-09 04:23:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
22 of 38 (57.89%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=unzb7xa5j6ixttwandfmeotsh7psxourvm2uqejgnwin566p7qpq._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
1d227c29702a16bc418b92aebbfbcf49c0584c25488c0257b4c8276bbdeb68c5
Formbook
23fe0166456c0cc305c6d7eebb8f9f24385ff9dccd544e8246b093889c35d25f
Formbook
2ba41f387ea8d91674878017056d8653151a1c2bc45b4d4c4d97c83657b01db6
Formbook
40167477540a9876374b2bdf7f211b8a943dc382653b6ecd7c815800ad2a1385
Formbook
818748704f30fafa6b32864efe6904d7c3a972c461bdbff0f18cb20f960304b5
Formbook
e5b03cd986d01784169cf3c91b130eb538c17f44e1136a212f3a6a60080cd894
Formbook
ec22dc6bd9f3c041b38773b2f365d66bf9fdb6a4f205e80744218f005bfef5ee
Formbook
+ 18 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250714-p5cq8askv8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2091e55b-018f-4231-b682-6b63ff3d4697
Unpacked files
SH256 hash:
a3721fdc1d4f9179cec068cac23a723fdf2bba91ab354811266d90defbcffc1f
MD5 hash:
8b1559c9e441e9a6944074cbc450f3ec
SHA1 hash:
d6dffa591345e3e1fb4806a676f07a31721942d2
Link:
https://www.unpac.me/results/d3fb8bd9-65bb-4ce4-96ca-2ec128f50a03/
SH256 hash:
38b7bd95b2e31924529d4858b0cb7689be3c5835d7dd1da7c976c790b290ed6a
MD5 hash:
fc0122bc4af85e901f8cc57c0095bb8b
SHA1 hash:
49d231a0b84016e54743fdb1dce1c948bdc07b9b
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/d3fb8bd9-65bb-4ce4-96ca-2ec128f50a03/
Parent samples :
4213099d8b57762fbc31774f8db657ac6aedb0498af8bed11d17eb81cfcf7be9
2ba754a0ac25585ea570c7a1676a840dfd34b3958e9b47b3b8f0504e0cf5ef57
a3721fdc1d4f9179cec068cac23a723fdf2bba91ab354811266d90defbcffc1f
SH256 hash:
5452f7a87d31ce67c2c1125d0b0883f6b43e120989cd2815604590cb9fb3fae0
MD5 hash:
f926d987e1e6feaa550ade40f9969273
SHA1 hash:
5c09281e0ad9e1783933549045e2c7f40daa4560
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d3fb8bd9-65bb-4ce4-96ca-2ec128f50a03/
SH256 hash:
70f61d5be5b17a39f894d4d914e74c7cc9e0c06b1b7ca83823cd705ce810ac8d
MD5 hash:
895343337bdcd007996eb9d3f26f088d
SHA1 hash:
bba01cdba5c804e4b53e46844fec72aa6e8c4283
Link:
https://www.unpac.me/results/d3fb8bd9-65bb-4ce4-96ca-2ec128f50a03/
SH256 hash:
e5e4db909ba70e3204ddac1aaa464675775c01faaaaedcaaaccc34ac27a01929
MD5 hash:
db07452c55f5174cc8446f41897c32dd
SHA1 hash:
dfdddd470725db05d6ba7a5c37beccce2bdb80ce
Link:
https://www.unpac.me/results/d3fb8bd9-65bb-4ce4-96ca-2ec128f50a03/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3721fdc1d4f9179cec068cac23a723fdf2bba91ab354811266d90defbcffc1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14232/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments