MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2366dce8953e93f210e98df79f64a5fcfae6842c29331912cd0864b77f5a71f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	c2366dce8953e93f210e98df79f64a5fcfae6842c29331912cd0864b77f5a71f
SHA3-384 hash:	2724c2f6e5a3bd6c9f9242bc207675ebdd749527360766398585aec1681020b3f648aa6584de6260e428011f2c52b9a3
SHA1 hash:	f5731a362fe8f9feef2b0a68693284057ecc5add
MD5 hash:	7f4e83d693e913be99bd91c99cc350fe
humanhash:	hawaii-west-robert-asparagus
File name:	c2366dce8953e93f210e98df79f64a5fcfae6842c29331912cd0864b77f5a71f
Download:	download sample
Signature	Formbook Create hunting rule
File size:	937'480 bytes
First seen:	2025-10-09 15:06:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:qXpEVpOUvmBN7SjdXaAabQPZyAxb0kmUGjAM/Rf+1X3ECcFpI2Zu8vUmGOGAkR:UkpOamnMhZyAxbAAi5VE
Threatray	1'995 similar samples on MalwareBazaar
TLSH	T10C15C09D33A5B88FC057CA7189A0DE349A21AC6A9717C30351E75D9FBD0DA87DE102F2
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10522/11/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

Paymentinvoices.xls.tar

Verdict:

Malicious activity

Analysis date:

2025-09-26 08:58:18 UTC

Tags:

arch-exec formbook stealer xloader

Link:

https://app.any.run/tasks/14ba5f52-336c-4251-b8f1-9369c4ec1a7f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/31838/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68e7d28123804d0975b63322

Tags:

virus spawn shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Creating a process with a hidden window

Launching a process

Creating a file

Adding an exclusion to Microsoft Defender

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

invalid-signature obfuscated obfuscated obfuscated packed packed packer_detected signed threat vbnet

Link:

https://www.filescan.io/uploads/68e7f01e5a3bccf09ebf977d/reports/fe1c7afd-b5c2-4289-ab9e-97f404209419/overview

Verdict:

Malicious

Labled as:

Trojan.Kryptik

Link:

https://www.hybrid-analysis.com/sample/c2366dce8953e93f210e98df79f64a5fcfae6842c29331912cd0864b77f5a71f

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-25T22:49:00Z UTC

Last seen:

2025-10-09T03:20:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/c2366dce8953e93f210e98df79f64a5fcfae6842c29331912cd0864b77f5a71f/results?tab=lookup

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e2603fe6-5dab-4632-bc64-0441d628f06a

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c2366dce8953e93f210e98df79f64a5fcfae6842c29331912cd0864b77f5a71f

Verdict:

inconclusive

YARA:

12 match(es)

Tags:

.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.80 Win 32 Exe x86

Link:

https://app.malva.re/file/7f4e83d693e913be99bd91c99cc350fe

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c2366dce8953e93f210e98df79f64a5fcfae6842c29331912cd0864b77f5a71f/

Threat name:

Win32.Trojan.PureLogStealer

Status:

Malicious

First seen:

2025-09-26 03:24:46 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=yi3g3tujkput6iiotdpxt5skl7h242ccykjtdejm2cdew57vu4pq._file

Verdict:

malicious

Label(s):

unc_loader_078

unc_loader_037

formbook

Formbook

4f9df0124b362959024305dead04b4637ff379d2cc1b94962fddc9acd039bad4

Formbook

ab560f8779a244097805aae7b6c95eecd6de7909c9ca0bffa7f6a7fda28eb6b2

Formbook

ada71baf53aaee00fdd7839175e9f688dea0365cd09a500c68187d3565c2c1b0

Formbook

b3c42ac0d9356260564780ae62be7b241024aa8da3df358f48a1097e6926d86b

Formbook

b9efbbd81183b0e4b818455b4409b3b7c5852069130614ff175abc9d9277edc9

Formbook

e087ef304badb09dbb8b38a88337c5e2d4a0d3fc174d75817e622fdd8f5a6722

Formbook

+ 1'985 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery execution rat spyware stealer trojan

Link:

https://tria.ge/reports/251009-vvclcshk3t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Formbook family

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e9fbee5a-b4dc-41e2-a4bf-debc94f45d2c

Unpacked files

SH256 hash:

c2366dce8953e93f210e98df79f64a5fcfae6842c29331912cd0864b77f5a71f

MD5 hash:

7f4e83d693e913be99bd91c99cc350fe

SHA1 hash:

f5731a362fe8f9feef2b0a68693284057ecc5add

Link:

https://www.unpac.me/results/9372498c-e302-4bb5-a078-9367cc4dec28/

SH256 hash:

57dacc029e706ae184b9f8c3f8efe78b04919967b622d84261d2bf6cc7b1ff62

MD5 hash:

e0d6c5d15b34e08ed4602a1f2a22dd00

SHA1 hash:

129df54a2a54863c5fa96531d12be6702ed302cc

Link:

https://www.unpac.me/results/9372498c-e302-4bb5-a078-9367cc4dec28/

SH256 hash:

feb2b714df2a2897325496e5a17426096097ac54971c92392682ce88898aabc5

MD5 hash:

211ba8351619ca14439e9d4d40022289

SHA1 hash:

5aabda6e3e3b2d4a7f71a332e6dccd74993d9c03

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/9372498c-e302-4bb5-a078-9367cc4dec28/

SH256 hash:

3a8235adcf5c014204b3c7f9bc74cdc5628617fbca4edfd0a89e61bd368598d3

MD5 hash:

805ed8b902bad1be7788a1f25a33f7c1

SHA1 hash:

d7c02f99910d58990504e561694d74e90fd872c5

Link:

https://www.unpac.me/results/9372498c-e302-4bb5-a078-9367cc4dec28/

SH256 hash:

da008f13520d8e9374a519c3a4fa5f2e6d32760153dc5e20dca5dd9d26fa0e65

MD5 hash:

1b444e90ddd86123891a051ae1a74ffb

SHA1 hash:

3477f4c764a1e9d004786599f0b979416ed9743f

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/9372498c-e302-4bb5-a078-9367cc4dec28/

Parent samples :

ab560f8779a244097805aae7b6c95eecd6de7909c9ca0bffa7f6a7fda28eb6b2
c2366dce8953e93f210e98df79f64a5fcfae6842c29331912cd0864b77f5a71f

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/31838/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample