MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc3ca5fb64666cfb1860c997333b0cc43f10fcc71a4a4840e47815fd659b907d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc3ca5fb64666cfb1860c997333b0cc43f10fcc71a4a4840e47815fd659b907d
SHA3-384 hash: fe27448831265af26cd3898856546584d6b161767512855e3b0e73e3bd8292771faee92a88713371deeca9b092d55a9c
SHA1 hash: e64928277c79eebec35154d541e152d9513600ab
MD5 hash: 5621b94ee22762740d162c91ea1991f4
humanhash: eight-undress-four-island
File name:49b7629b41572ef6c7f0f8666d45ded1e2d18609782c3592443786073559fd4f
Download: download sample
Signature Formbook
Create hunting rule
File size:1'178'624 bytes
First seen:2025-12-08 14:49:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0f7552f9514e3a32a8dc8a5a9d9c89a7 (12 x Formbook, 2 x SnakeKeylogger, 1 x a310Logger)
ssdeep 24576:Qtb20pkaCqT5TBWgNjVYFmfJvBJp1xiV6A:ZVg5tjVYF+JvBbu5
Threatray 2'744 similar samples on MalwareBazaar
TLSH T1C345CF2273DE8361C7726273BA56B701AEBF7C2506B5F46B2FD4093DE820162521E673
TrID 50.4% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
19.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.5% (.EXE) Win32 Executable (generic) (4504/4/1)
3.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe FormBook upx-dec


Avatar
abuse_ch
UPX decompressed file, sourced from SHA256 49b7629b41572ef6c7f0f8666d45ded1e2d18609782c3592443786073559fd4f
File size (compressed) :693'248 bytes
File size (de-compressed) :1'178'624 bytes
Format:win32/pe
Packed file: 49b7629b41572ef6c7f0f8666d45ded1e2d18609782c3592443786073559fd4f

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
NL NL
Vendor Threat Intelligence
Malware configuration found for:
AutoIt
Details
AutoIt
extracted scripts and files
Link:
https://research.acce.ciphertechsolutions.com/results/cf8e08f7-9d53-42a0-9714-f8a1ca4d9037/
Malware family:
n/a
ID:
1
File name:
49b7629b41572ef6c7f0f8666d45ded1e2d18609782c3592443786073559fd4f
Verdict:
No threats detected
Analysis date:
2025-12-08 18:20:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f8269eb9-f5cd-431d-9a79-716df18d61f9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43195/
Detection(s):
SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6936e5e8881313558a2b87c2
Tags:
nymeria autoit emotet
Verdict:
Malicious
Labled as:
AIT:Trojan.Nymeria
Link:
https://www.hybrid-analysis.com/sample/cc3ca5fb64666cfb1860c997333b0cc43f10fcc71a4a4840e47815fd659b907d
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-08T13:16:00Z UTC
Last seen:
2025-12-09T19:12:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/cc3ca5fb64666cfb1860c997333b0cc43f10fcc71a4a4840e47815fd659b907d/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8ef6dd64-f2e4-4baa-b488-5e109c34c93a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1828869
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1828869 Sample: 49b7629b41572ef6c7f0f8666d4... Startdate: 08/12/2025 Architecture: WINDOWS Score: 100 26 www.zkoraclecloud.xyz 2->26 28 www.wpolityce.pl 2->28 30 11 other IPs or domains 2->30 46 Suricata IDS alerts for network traffic 2->46 48 Antivirus detection for URL or domain 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 54 4 other signatures 2->54 10 49b7629b41572ef6c7f0f8666d45ded1e2d18609782c3592443786073559fd4f.exe 4 2->10         started        signatures3 52 Performs DNS queries to domains with low reputation 26->52 process4 signatures5 56 Binary is likely a compiled AutoIt script file 10->56 58 Writes to foreign memory regions 10->58 60 Maps a DLL or memory area into another process 10->60 62 Switches to a custom stack to bypass stack traces 10->62 13 svchost.exe 10->13         started        process6 signatures7 64 Maps a DLL or memory area into another process 13->64 66 Unusual module load detection (module proxying) 13->66 16 z0dMIk201JnP.exe 13->16 injected process8 process9 18 SecEdit.exe 13 16->18         started        signatures10 38 Tries to steal Mail credentials (via file / registry access) 18->38 40 Tries to harvest and steal browser information (history, passwords, etc) 18->40 42 Modifies the context of a thread in another process (thread injection) 18->42 44 4 other signatures 18->44 21 VjidTRCkOXK3bd.exe 18->21 injected 24 firefox.exe 18->24         started        process11 dnsIp12 32 www.wpolityce.pl 172.66.155.70, 49735, 49736, 49737 CLOUDFLARENETUS United States 21->32 34 www.iibhbet.com 172.67.138.218, 49739, 49740, 49741 CLOUDFLARENETUS United States 21->34 36 7 other IPs or domains 21->36
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cc3ca5fb64666cfb1860c997333b0cc43f10fcc71a4a4840e47815fd659b907d
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Link:
https://app.malva.re/file/5621b94ee22762740d162c91ea1991f4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cc3ca5fb64666cfb1860c997333b0cc43f10fcc71a4a4840e47815fd659b907d/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-12-08 14:50:34 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
29 of 38 (76.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zq6kl63emzwpwgdazgltgoymyq7rb7ghdjfeqqhepak72zm3sb6q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
autoit
Create hunting rule
Similar samples:
170c2b10322d1b2bbd5403091730544828633e2bdf59af1134b1ae1898a8d90c
Formbook
4139421ed55c3e312d485d67869250d329a4f2e50407e0fcddd74ee419abf216
Formbook
41eaa4d9ca00fdef1f8ac2b02ffbb0498b8ed8565916247c20b4a41beaa102a8
Formbook
59c9153a4675a740e9e17934e288c5be876f37334c1ce79427c40e7e13e5cb6a
Formbook
5a13dd5d13e094fa6d10b545dd72855d21143c478ebb5bb589f7334767cd4d34
Formbook
867dc4d48c2fbef423c67cf481e33703e7e6a9494a400078298494777b23b18d
Formbook
90b33d8252b9470d19ac4aff278e6470c04bafe0a04cf143b61880257ca13157
Formbook
a21182bf32d320deebafbf52f06c370fe3762ec55793e09df10ce9e27bfe799a
Formbook
a684465a73338c71ef0b4094a7ea9cef4c7b75a9577286cbb9614bd6702a6917
Formbook
e890b563d8866db21a60bd0eed524503a8769125f31949836da4c67ab1a704d9
Formbook
error
Formbook
+ 2'734 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/251208-r7xkhswrfw/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b0fa2585-f269-4f2e-947c-4b87afd82976
Unpacked files
SH256 hash:
80858ac79c0b8d117c58bf3bae85004fded91c812dd684274a9a7349730d9630
MD5 hash:
2efeda40bedf4271be629571de4798de
SHA1 hash:
67fe925769506d614f3c8d201f10cf44bc4b547e
Link:
https://www.unpac.me/results/b05ea5ba-c743-46ab-9aef-a9ee93c76e01/
SH256 hash:
792b15d3a2e4bda9eb56d5d304340ab833da5eb7fabc6a1e05bec6220a5147ec
MD5 hash:
f6d35bda4f0ed16d0f68cbdd6c112242
SHA1 hash:
e2db2d7f6a21882e0e6a25a55b52811fe16998f3
Link:
https://www.unpac.me/results/b05ea5ba-c743-46ab-9aef-a9ee93c76e01/
SH256 hash:
cc3ca5fb64666cfb1860c997333b0cc43f10fcc71a4a4840e47815fd659b907d
MD5 hash:
5621b94ee22762740d162c91ea1991f4
SHA1 hash:
e64928277c79eebec35154d541e152d9513600ab
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/b05ea5ba-c743-46ab-9aef-a9ee93c76e01/
Parent samples :
49b7629b41572ef6c7f0f8666d45ded1e2d18609782c3592443786073559fd4f
cc3ca5fb64666cfb1860c997333b0cc43f10fcc71a4a4840e47815fd659b907d
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cc3ca5fb6466/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cc3ca5fb64666cfb1860c997333b0cc43f10fcc71a4a4840e47815fd659b907d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:TH_Generic_MassHunt_Win_Malware_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Generic Windows malware mass-hunt rule - 2025
Reference:https://cyfare.net/
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Formbook

Executable exe 49b7629b41572ef6c7f0f8666d45ded1e2d18609782c3592443786073559fd4f

Formbook

Executable exe cc3ca5fb64666cfb1860c997333b0cc43f10fcc71a4a4840e47815fd659b907d

(this sample)

  
Dropped by
SHA256 49b7629b41572ef6c7f0f8666d45ded1e2d18609782c3592443786073559fd4f
Cape
Cape
https://www.capesandbox.com/analysis/43195/
  
Dropped by
MD5 432620e8602c173d9726cbcfd502759a

Comments