MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c03209d718c5f7ab162d3ed3ea41002edc2ced4e9b0f74d11d092bae7adf4998. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 14 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c03209d718c5f7ab162d3ed3ea41002edc2ced4e9b0f74d11d092bae7adf4998
SHA3-384 hash: f30663419fdf7beef0cfaa8e01d7fb7529d09372e8f3fe029601e28494ec8abf24b14e37a2261afedd06d7b838f97a61
SHA1 hash: 5000204dd3d30a850ba7e9d0a76c49a08fe860d2
MD5 hash: f32b5fe9a2adbf13c7ee6691df762324
humanhash: pasta-georgia-illinois-uncle
File name:bin.dat
Download: download sample
Signature Formbook
Create hunting rule
File size:304'640 bytes
First seen:2026-03-18 14:30:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:HmgKOX/zSMauHffqCLbShIBAqpreqBDlshzWEn1Q/NsdMcbD50M17f4Mek3x:HRX/zSMRfqGShCreqZ6hzWEa/N2MGl/b
Threatray 2'677 similar samples on MalwareBazaar
TLSH T1DB5412784D32F1BDFF5B82BC2E21A39EC66CBC9C5834AB17C25B56885F52B121617438
TrID 44.6% (.EXE) Win64 Executable (generic) (6522/11/2)
14.0% (.ICL) Windows Icons Library (generic) (2059/9)
13.8% (.EXE) OS/2 Executable (generic) (2029/13)
13.7% (.EXE) Generic Win/DOS Executable (2002/3)
13.6% (.EXE) DOS Executable (generic) (2000/1)
Magika pebin
Reporter abuse_ch
Tags:dat exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
145
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/57992/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69bab73d88c80c01586ba78a
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
formbook masquerade microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/69bab73a2000fc76c3e9aa99/reports/e071fb42-d663-46ff-a5f7-994b5269ee3b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c03209d718c5f7ab162d3ed3ea41002edc2ced4e9b0f74d11d092bae7adf4998
Result
Gathering data
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fb963a9a-506c-4fe2-915a-e516d2794696
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1885751
Signature
Antivirus / Scanner detection for submitted sample
Found direct / indirect Syscall (likely to bypass EDR)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c03209d718c5f7ab162d3ed3ea41002edc2ced4e9b0f74d11d092bae7adf4998
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c03209d718c5f7ab162d3ed3ea41002edc2ced4e9b0f74d11d092bae7adf4998/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/c03209d718c5f7ab162d3ed3ea41002edc2ced4e9b0f74d11d092bae7adf4998
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yazatvyyyx32wfrnh3j6uqiaf3ocz3kotmhxjui5bev246w7jgma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1
Formbook
0ee1d5d6cd40ca035ae628632e2ccab0733f04d4a0d6c21a705993166c29761f
Formbook
1bc5f2d3c8d9ff144f16a61e4019689ebd77097ca6ac91f86ad1184275d301d6
Formbook
3d4c2a1d3b9ea2d8d8790a5aef5e73add848e6f5a07782ae4e51a978149e5c12
Formbook
4d2d2c6efbb042ae0af1b79c8cc52237998ec70df56afd418abbacc48d9d3395
Formbook
528eeaa729b13527924b13dc4dfd8264c93535ae8401d8d812c8a5f329dce2ce
Formbook
79940efa2306d8d62d7ec4b8a30e708682e3fcd198896d508990df2546d6447c
Formbook
cc9404c26313da4d1c83f107c793edd68da52378d48328d27da16ad72b51b4e3
Formbook
d08410a7c99152b4b46a8f6e686353d0a0a0be18eff6358322b72c28e43bda53
Formbook
error
Formbook
+ 2'667 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/260318-rvwsfsby2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
c03209d718c5f7ab162d3ed3ea41002edc2ced4e9b0f74d11d092bae7adf4998
MD5 hash:
f32b5fe9a2adbf13c7ee6691df762324
SHA1 hash:
5000204dd3d30a850ba7e9d0a76c49a08fe860d2
Link:
https://www.unpac.me/results/c452a624-fe2c-4dc1-884a-b9cac84a66df/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c03209d718c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/c03209d718c5f7ab162d3ed3ea41002edc2ced4e9b0f74d11d092bae7adf4998

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:TH_Win_ETW_Bypass_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Windows ETW Bypass Detection Rule - 2025
Reference:https://cyfare.net/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Executable exe c03209d718c5f7ab162d3ed3ea41002edc2ced4e9b0f74d11d092bae7adf4998

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3798887/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/57992/

Comments