MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c3157e851e8881640c974074f7f50836c0eaf503a2134719ef1374d7824a449b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 20

SHA256 hash: c3157e851e8881640c974074f7f50836c0eaf503a2134719ef1374d7824a449b
SHA3-384 hash: 168357a26e9169a7bc4d25c628f8dc444f97c6f04079f8828d835f5f38cd3790f4e1cb95b3742033954d5753d6df2554
SHA1 hash: 5b518cc2fc496614edae14a2c42744afbad71a34
MD5 hash: 3f75e8621d981e1520e31c45078c5cf5
humanhash: hot-moon-diet-fix
File name: Ziraat Bankasi Swift Mesaji e_dekont 13102025 TL9576300800060.exe
Signature Formbook
File size: 657'920 bytes
First seen: 2025-10-14 13:42:52 UTC
Last seen: 2025-10-14 13:43:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger). This is the generic import hash of a .NET executable, whose only native import is mscoree.dll!_CorExeMain; the spread across three unrelated families shows it does not cluster this sample with anything and should not be used as a family indicator.
ssdeep 12288:KXg4f/XLrP2W5JnlBBkc9zi4dTIfrXY27O7xKqX:KQSbrt5tlBB39zXdIw1
Threatray 2'375 similar samples on MalwareBazaar
TLSH T1B4E4024927AAD607D96657F519B1F23413BE3DAEB800D20A5EEA6DEB3932F040C507D3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags: exe, FormBook, geo, TUR, ZiraatBank

Intelligence


File Origin
# of uploads :
2
# of downloads :
102
Origin country :
SE (Sweden)
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_c3157e851e8881640c974074f7f50836c0eaf503a2134719ef1374d7824a449b.exe
Verdict:
No threats detected
Analysis date:
2025-10-14 13:54:04 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
91.7%
Tags:
stration shell spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Creating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed packed packer_detected vbnet
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-13T08:58:00Z UTC
Last seen:
2025-10-16T11:23:00Z UTC
Hits:
~100
Detections:
Backdoor.Win32.Blakken.sb, Trojan-Spy.Win32.Noon.sb, Trojan.MSIL.Crypt.sb, Trojan-Spy.Noon.HTTP.ServerRequest, Trojan.Win32.SpeedBit.sb, Trojan.MSIL.Agent.sb, PDM:Trojan.Win32.Generic, Backdoor.Agent.HTTP.C&C, Trojan.MSIL.Taskun.sb, Trojan.MSIL.Inject.sb, HEUR:Trojan-Spy.MSIL.Noon.gen, Trojan-Dropper.Win32.Injector.sb, Trojan.Win32.Agent.sb
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
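The "Adds a directory exclusion to Windows Defender" and "Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet" signatures above describe one action: the dropper starts powershell.exe with a base64-encoded command that calls Add-MpPreference. The Python below is an added example, not part of this MalwareBazaar entry and not any vendor's detection code. It decodes the -EncodedCommand argument (UTF-16LE base64; powershell.exe accepts -ec and any prefix of the switch name from -e upwards) and flags MpPreference cmdlets that add exclusions or disable a protection. Sigma rules of this kind usually match the base64 encodings of the cmdlet name directly in the raw command line; decoding first, as here, is the alternative that also exposes the exclusion path for triage. The log lines are constructed for the example; the helper that builds them is the same transformation the malware applies in reverse.

```python
import base64
import re
from typing import Dict, List, Optional


def is_encoded_switch(token: str) -> bool:
    """True for the forms powershell.exe accepts for -EncodedCommand: any prefix of the
    switch name of two or more characters (-e, -en, -enc, ...), the -ec alias, and the
    '/' spelling of the switch."""
    t = token.lower()
    if t.startswith("/"):
        t = "-" + t[1:]
    if not t.startswith("-") or len(t) < 2:
        return False
    return t == "-ec" or "-encodedcommand".startswith(t)


def decode_encoded_command(blob: str) -> Optional[str]:
    """Base64 -> UTF-16LE text, tolerating surrounding quotes and stripped padding.
    Returns None when the token is not valid base64 / UTF-16LE."""
    blob = blob.strip("\"'")
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Defender-tampering cmdlets and the parameters that matter for this sample's behaviour
# (directory exclusion) plus the other exclusion kinds and the -Disable* switches.
MPPREF = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
TAMPER_PARAM = re.compile(
    r"-(?:Exclusion(?:Path|Process|Extension|IpAddress)|Disable\w+)\b", re.I)


def extract_encoded_commands(cmdline: str) -> List[str]:
    """Decode every encoded-command argument found in a process command line."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    decoded: List[str] = []
    for i in range(len(tokens) - 1):
        if is_encoded_switch(tokens[i]):
            text = decode_encoded_command(tokens[i + 1])
            if text is not None:
                decoded.append(text)
    return decoded


def inspect_command_line(cmdline: str) -> Dict[str, object]:
    """Verdict for one process-creation command line."""
    result: Dict[str, object] = {"decoded": [], "mppreference": False, "tampering": False}
    for text in extract_encoded_commands(cmdline):
        result["decoded"].append(text)
        if MPPREF.search(text):
            result["mppreference"] = True
            if TAMPER_PARAM.search(text):
                result["tampering"] = True
    return result


def encode_for_powershell(script: str) -> str:
    """The encoding powershell.exe expects for -EncodedCommand; used only to build sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation lines for the example (not taken from the sandbox report).
SAMPLE_LOGS = [
    "powershell.exe -NoProfile -enc "
    + encode_for_powershell('Add-MpPreference -ExclusionPath "C:\\Users\\Public"'),
    "powershell.exe -ec "
    + encode_for_powershell("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date"),
    "cmd.exe /c echo hello",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        verdict = inspect_command_line(line)
        print(line[:32].ljust(34), verdict["mppreference"], verdict["tampering"], verdict["decoded"])
```

In a real pipeline the input is the CommandLine field of Sysmon Event ID 1 or Security 4688; a hit with tampering set should be paired with the parent process (here the .exe from the user's Downloads folder), since Add-MpPreference from an unsigned user-writable binary is the actual anomaly, not the cmdlet itself.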
Behaviour
Behavior Graph (ID 1794932; sample: Ziraat Bankasi Swift Mesaji e_dekont 13102025 TL9576300800060.exe; start date: 14/10/2025; architecture: WINDOWS; score: 100)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 12 other signatures.

Network indicators:
  www.ylvac.xyz (Performs DNS queries to domains with low reputation)
  www.x6ssv.top
  3 other IPs or domains
  204.79.197.203:443 (MICROSOFT-CORP-MSN-AS-BLOCK, US, United States), contacted by the injected explorer.exe
  127.0.0.1, contacted by svchost.exe

Process tree:
  Ziraat Bankasi Swift Mesaji e_dekont 13102025 TL9576300800060.exe (started)
    dropped: Ziraat Bankasi Swi...76300800060.exe.log (ASCII)
    signature: Adds a directory exclusion to Windows Defender
    |- Ziraat Bankasi Swift Mesaji e_dekont 13102025 TL9576300800060.exe (second instance)
    |    signatures: Modifies the context of a thread in another process (thread injection);
    |                Maps a DLL or memory area into another process;
    |                Sample uses process hollowing technique;
    |                Queues an APC in another process (thread injection)
    |    |- explorer.exe (injected)
    |         |- wscript.exe
    |              signatures: Modifies the context of a thread in another process (thread injection);
    |                          Maps a DLL or memory area into another process;
    |                          Tries to detect virtualization through RDTSC time measurements;
    |                          Switches to a custom stack to bypass stack traces
    |              |- cmd.exe
    |                   |- conhost.exe
    |- powershell.exe
         signature: Loading BitLocker PowerShell Module
         |- conhost.exe
  svchost.exe (started)
Gathering data
Threat name:
Win32.Trojan.Jalapeno
Status:
Malicious
First seen:
2025-10-13 12:40:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Result
Malware family:
formbook
Score:
  10/10
Tags:
family:formbook campaign:gw28 discovery execution rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
SHA256 hash:
c3157e851e8881640c974074f7f50836c0eaf503a2134719ef1374d7824a449b
MD5 hash:
3f75e8621d981e1520e31c45078c5cf5
SHA1 hash:
5b518cc2fc496614edae14a2c42744afbad71a34
SHA256 hash:
b794ed0c0c7d4499d0a2ffff67eb5b92dba83f4be7964591e9edad2755176511
MD5 hash:
2a576318d07470206dd7c45f7d896078
SHA1 hash:
3096b2a5ccd98583949a9f57842d5547b50bbc29
SHA256 hash:
2386b1165217d8423aac08840e804c9e80e980495981ce62a57d38e174ad552f
MD5 hash:
30eef8a66eefecea264f9c1a01728744
SHA1 hash:
3707abd84635f43fc64d8a32fd53a90b43f50cd8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
17cf2e3249632d80d852b1f2074abe276836fa6de237e6c44d7eb9b84505e237
MD5 hash:
03fb4ee4e3a854a15e5527b726becca4
SHA1 hash:
15c9f0a3a2f4a1bb231c1ccebccc57fba95752ac
Detections:
win_formbook_w0 win_formbook_g0 win_formbook_auto FormBook Windows_Trojan_Formbook Formbook
Parent samples :
Note that we are no longer able to provide a coverage score for VirusTotal.
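The file hashes, the SHA256s of the unpacked stages and the C2 domains listed above are what a responder sweeps for after reading an entry like this. The Python below is an added example, not MalwareBazaar's tooling and not taken from any vendor; it loads the indicators from this entry and runs them over constructed Sysmon-style lines (process creation with a Hashes= field, DNS query with QueryName). It encodes two points the listing implies: the dropper's MD5/SHA1/SHA256 only match the file as delivered, so memory dumps and dropped stages have to be compared against the unpacked-file SHA256s, and it matches any host under the C2 parent domains rather than the exact www. names. That widening, and the two-label apex() helper, are assumptions made for the example; a production pipeline should use a public-suffix list.

```python
import hashlib
import re
from typing import Dict, List

# Indicators copied from this MalwareBazaar entry.
SAMPLE_HASHES: Dict[str, str] = {
    "MD5": "3f75e8621d981e1520e31c45078c5cf5",
    "SHA1": "5b518cc2fc496614edae14a2c42744afbad71a34",
    "SHA256": "c3157e851e8881640c974074f7f50836c0eaf503a2134719ef1374d7824a449b",
}
# SHA256 of the files the sandbox unpacked from the dropper (intermediate stages and payload).
UNPACKED_SHA256 = {
    "b794ed0c0c7d4499d0a2ffff67eb5b92dba83f4be7964591e9edad2755176511",
    "2386b1165217d8423aac08840e804c9e80e980495981ce62a57d38e174ad552f",
    "17cf2e3249632d80d852b1f2074abe276836fa6de237e6c44d7eb9b84505e237",
}
# Domains from the sandbox behaviour graph.
C2_DOMAINS = {"www.ylvac.xyz", "www.x6ssv.top"}


def apex(host: str) -> str:
    """Lower-case the host, drop a trailing dot and keep the last two labels.
    Assumption for this example only: breaks on multi-label suffixes such as co.uk,
    where a public-suffix list is needed."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


C2_APEXES = {apex(d) for d in C2_DOMAINS}

HASH_FIELD = re.compile(r"\b(MD5|SHA1|SHA256)=([0-9a-fA-F]+)")
DNS_FIELD = re.compile(r"\bQueryName[:=]\s*([A-Za-z0-9.-]+)")


def classify_digests(digests: Dict[str, str]) -> List[str]:
    """Map a {algorithm: hex digest} dict onto the entry's indicators."""
    hits: List[str] = []
    for algo, digest in digests.items():
        algo, d = algo.upper(), digest.lower()
        if SAMPLE_HASHES.get(algo) == d:
            hits.append(f"dropper {algo}")
        elif algo == "SHA256" and d in UNPACKED_SHA256:
            hits.append("unpacked stage SHA256")
    return hits


def match_line(line: str) -> List[str]:
    """Indicator hits for one log line (file hashes and DNS query names)."""
    hits = classify_digests(dict(HASH_FIELD.findall(line)))
    for host in DNS_FIELD.findall(line):
        if apex(host) in C2_APEXES:
            hits.append(f"host under C2 domain: {host}")
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Line index -> hits, for lines that matched at least one indicator."""
    results: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results[i] = hits
    return results


def compute_digests(data: bytes) -> Dict[str, str]:
    """Digests of a file you hold (a downloaded sample, a dropped file, a memory dump)
    in the shape classify_digests() expects."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


# Constructed Sysmon-style lines for the example; hosts and paths are invented, the
# digests are the ones from this entry.
SAMPLE_LOGS = [
    "EventID=1 Image=C:\\Users\\victim\\Downloads\\Ziraat Bankasi Swift Mesaji e_dekont 13102025 TL9576300800060.exe "
    "Hashes=MD5=3F75E8621D981E1520E31C45078C5CF5,SHA256=C3157E851E8881640C974074F7F50836C0EAF503A2134719EF1374D7824A449B",
    "EventID=22 Image=C:\\Windows\\explorer.exe QueryName: www.ylvac.xyz",
    "EventID=22 Image=C:\\Windows\\SysWOW64\\wscript.exe QueryName: mail.x6ssv.top.",
    "EventID=1 Image=C:\\dumps\\explorer_4711.bin Hashes=SHA256=17cf2e3249632d80d852b1f2074abe276836fa6de237e6c44d7eb9b84505e237",
    "EventID=22 Image=C:\\Windows\\explorer.exe QueryName: www.bing.com",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe Hashes=SHA256=" + "0" * 64,
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(idx, hits)
```

The third line is the case the unpacked-file list exists for: the injected explorer.exe never touches the dropper on disk, so only the SHA256 of the dumped region matches, and only because the sandbox published it.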

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:NET
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments