MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c713a473cfaaa8085e62fd4cb3f52eb0dd6eed5f7f7aee7e7d70cbe4f936331b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c713a473cfaaa8085e62fd4cb3f52eb0dd6eed5f7f7aee7e7d70cbe4f936331b
SHA3-384 hash: 323a951437490bb58237d0ab3da024dc7ee34ecc78bb099ed11bd9e3070335f5113915d71ea6ff1a57ce1625b96ee589
SHA1 hash: 62a713ebf8559b64e66cc75cf11cbfbba2c2ff0f
MD5 hash: 19255977a441a3b6b7a776095725cb26
humanhash: single-golf-mountain-sierra
File name:PURCHASE INQUIRY_RFQ.18645.scr
Download: download sample
Signature Formbook
Create hunting rule
File size:1'139'200 bytes
First seen:2026-06-08 04:57:31 UTC
Last seen:2026-06-08 05:34:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'067 x AgentTesla, 20'020 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 24576:uaYNrjwY0q48XAPeRKg23lBgj0ObEX+ZZRxP7HJFThkpIqqseWs0:nYNYYEuAWogQvgvbEX+ZXxPn1EIkeb
Threatray 2'908 similar samples on MalwareBazaar
TLSH T11335EF9C5A05F503C948BE341A61E37A02795E9965C19E169EFA7FAF7833BF30C0418E
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 30a44a4c4c4aa430 (12 x Formbook, 4 x RedLineStealer, 2 x AgentTesla)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/247faf70-1dbb-453a-bf23-fe13dc00f440/
Malware family:
formbook
Create hunting rule
ID:
1
File name:
_c713a473cfaaa8085e62fd4cb3f52eb0dd6eed5f7f7aee7e7d70cbe4f936331b.exe
Verdict:
Malicious activity
Analysis date:
2026-06-08 05:00:51 UTC
Tags:
auto-reg formbook xloader
Link:
https://app.any.run/tasks/5ca82a92-9481-467d-bea9-87f49838de4a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69481/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.75527376.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a264bf2ae2f98c00a68b2e5
Tags:
micro shell msil
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed vbnet
Link:
https://www.filescan.io/uploads/6a264bef099ef368af26c4a8/reports/9097efa8-75d1-4328-b939-05e84d52786a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/c713a473cfaaa8085e62fd4cb3f52eb0dd6eed5f7f7aee7e7d70cbe4f936331b
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-07T23:40:00Z UTC
Last seen:
2026-06-10T02:39:00Z UTC
Hits:
~1000
Detections:
Backdoor.Agent.HTTP.C&C Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Dnoper.sb HEUR:Trojan-Spy.MSIL.Noon.gen Trojan.Win32.Agent.sb Trojan-Dropper.Win32.Injector.sb Backdoor.Win32.Androm.sb Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/c713a473cfaaa8085e62fd4cb3f52eb0dd6eed5f7f7aee7e7d70cbe4f936331b/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b410d98-9fdc-4973-88d4-fe11247c8b9f
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1924225
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1924225 Sample: PURCHASE INQUIRY_RFQ.18645.... Startdate: 08/06/2026 Architecture: WINDOWS Score: 100 60 www.xq68.cc 2->60 64 Suricata IDS alerts for network traffic 2->64 66 Antivirus detection for URL or domain 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 15 other signatures 2->70 11 PURCHASE INQUIRY_RFQ.18645.scr.exe 1 7 2->11         started        15 powershell.exe 15 2->15         started        17 powershell.exe 16 2->17         started        signatures3 process4 file5 52 C:\Users\user\AppData\...\YceONOfdcKiqj.exe, PE32 11->52 dropped 54 C:\...\YceONOfdcKiqj.exe:Zone.Identifier, ASCII 11->54 dropped 56 C:\Users\user\AppData\...\s5ykzeiaxxe.ps1, ASCII 11->56 dropped 58 C:\...\PURCHASE INQUIRY_RFQ.18645.scr.exe.log, ASCII 11->58 dropped 90 Creates autostart registry keys with suspicious values (likely registry only malware) 11->90 92 Creates an autostart registry key pointing to binary in C:\Windows 11->92 94 Adds a directory exclusion to Windows Defender 11->94 96 Injects a PE file into a foreign processes 11->96 19 PURCHASE INQUIRY_RFQ.18645.scr.exe 11->19         started        22 powershell.exe 23 11->22         started        24 PURCHASE INQUIRY_RFQ.18645.scr.exe 11->24         started        26 YceONOfdcKiqj.exe 3 15->26         started        28 conhost.exe 15->28         started        30 YceONOfdcKiqj.exe 17->30         started        32 conhost.exe 17->32         started        signatures6 process7 signatures8 72 Maps a DLL or memory area into another process 19->72 34 I00uqe3t3oiEK.exe 19->34 injected 74 Loading BitLocker PowerShell Module 22->74 36 conhost.exe 22->36         started        76 Multi AV Scanner detection for dropped file 26->76 78 Injects a PE file into a foreign processes 26->78 80 Unusual module load detection (module proxying) 26->80 38 YceONOfdcKiqj.exe 26->38         started        40 YceONOfdcKiqj.exe 30->40         started        process9 process10 42 mountvol.exe 13 34->42         started        signatures11 82 Tries to steal Mail credentials (via file / registry access) 42->82 84 Tries to harvest and steal browser information (history, passwords, etc) 42->84 86 Modifies the context of a thread in another process (thread injection) 42->86 88 4 other signatures 42->88 45 YmscZQXt7c.exe 42->45 injected 48 chrome.exe 42->48         started        process12 dnsIp13 62 www.xq68.cc 104.21.48.87, 49699, 80 CLOUDFLARENET-CloudflareIncUS Canada 45->62 50 WerFault.exe 48->50         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c713a473cfaaa8085e62fd4cb3f52eb0dd6eed5f7f7aee7e7d70cbe4f936331b
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c713a473cfaaa8085e62fd4cb3f52eb0dd6eed5f7f7aee7e7d70cbe4f936331b/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/c713a473cfaaa8085e62fd4cb3f52eb0dd6eed5f7f7aee7e7d70cbe4f936331b
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2026-06-08 02:41:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4j2i46pvkuaqxtc7vglh5jowdow53k7p55o47t5odf6j6jwgmnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
027b246202821c3564dcb1c7bdab3c76bbf77c5b98bb8d862616eb3352ed3fd1
Formbook
03db270f22ccf186bcdb62454ab32ad0004bc382e03c5d742f2af5dd63fcdf88
Formbook
049d02bca5fcfb5cc8f429493bd150a2363cfafc940a51fb60af9c298946cafa
Formbook
0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302
Formbook
1dcd4966ab36442646033bcb7cf4b6e4a6d8aaa1f849d099474b014982c09a54
Formbook
680c3a1fe5c2fe5a84ae9d575f1ef6f4a28dec59090a4018363e58635536e07a
Formbook
9fcba21de2fba1e9eee5e341ae7da8601fd1e30ab3d2b3954586b96586c7cb0b
Formbook
be1f829c0a12b713df49c8a8cf8dd1bca669b975b7ba147a9991d4ecb8d5a8cb
Formbook
error
Formbook
+ 2'898 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook adware collection discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/260608-fl1t9sg13z/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
outlook_office_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Family: Formbook
Formbook payload
Unpacked files
SH256 hash:
c713a473cfaaa8085e62fd4cb3f52eb0dd6eed5f7f7aee7e7d70cbe4f936331b
MD5 hash:
19255977a441a3b6b7a776095725cb26
SHA1 hash:
62a713ebf8559b64e66cc75cf11cbfbba2c2ff0f
Link:
https://www.unpac.me/results/ea7b8f6f-0764-47b7-9140-13a0b778e0c4/
SH256 hash:
447285d17e69bf4504f54ca56164e53d92435371dba5a063a6cf6b1a44502d1c
MD5 hash:
dcdf438206b84cfc6bea85a4ecaa9187
SHA1 hash:
0e0421e38136fa8edb762b1eed7863c86da47809
Link:
https://www.unpac.me/results/ea7b8f6f-0764-47b7-9140-13a0b778e0c4/
SH256 hash:
480a3c6de1a0991f61f4da5160c3bbfce27a98149ecb18887d5a59bf0da9a881
MD5 hash:
1df7bc4efa7b91d1d5a48158f92117a8
SHA1 hash:
d76071ca6b5662d7ef513a592863606a2039bd86
Link:
https://www.unpac.me/results/ea7b8f6f-0764-47b7-9140-13a0b778e0c4/
SH256 hash:
559c6e77bb3a48bad527b92e13392964639274eec9f164a1a08f6a25da44a22a
MD5 hash:
3df0107e6bd20051f6bdb47a422787f5
SHA1 hash:
4af6bd91bce9946aa0c66fb754109be941d6085c
Link:
https://www.unpac.me/results/ea7b8f6f-0764-47b7-9140-13a0b778e0c4/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c713a473cfaa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c713a473cfaaa8085e62fd4cb3f52eb0dd6eed5f7f7aee7e7d70cbe4f936331b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe c713a473cfaaa8085e62fd4cb3f52eb0dd6eed5f7f7aee7e7d70cbe4f936331b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69481/

Comments