MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb
SHA3-384 hash: 8ea96264b225448c4a19094adb87add2e1c6468b091b1c75e6e60f926aab57e025af805fe2c83b4838937f02456d6e80
SHA1 hash: 951e40e57f6e08637114883a3eafcf301104aad5
MD5 hash: 708db27a089593014082d18e745d8e4d
humanhash: don-artist-paris-ten
File name:Baltic questionnaire.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'101'312 bytes
First seen:2026-01-14 05:55:57 UTC
Last seen:2026-01-14 11:28:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:h8FdGwQs+hYJQHu6z7lMNn4//u8U+vgSill1CJYKJ9zd0G:iGwQs+dHFlMN4//rrgSillSYKJ70
Threatray 2'523 similar samples on MalwareBazaar
TLSH T1BF35126EFE79AE52C66D0F73D413104842FAC2579637F29904DE19E10CAB794C88ED2B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
DeepSea
Details
DeepSea
DeepSea decrypted strings
Link:
https://research.acce.ciphertechsolutions.com/results/e2abe2c4-d7ce-45f3-bd20-27aab13bc232/
Malware family:
n/a
ID:
1
File name:
Baltic questionnaire.exe
Verdict:
No threats detected
Analysis date:
2026-01-14 05:57:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cead619a-511f-4b3f-b780-e2f9b82fe68d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48839/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6967300aef906a21abcd1ca8
Tags:
malware
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt obfuscated obfuscated packed vbnet
Link:
https://www.filescan.io/uploads/696730053827c9e1249cc106/reports/b3520fa4-99c7-4a30-aec1-718e2e3cda99/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-14T02:25:00Z UTC
Last seen:
2026-01-16T04:22:00Z UTC
Hits:
~1000
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen Trojan-Spy.Win32.Noon.sb VHO:Trojan-PSW.MSIL.Agent.gen Trojan-Spy.Noon.HTTP.ServerRequest Trojan-PSW.Win32.Stealer.sb Backdoor.Agent.HTTP.C&C Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb/results?tab=lookup
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3f1a4fb3-0d0f-4265-9706-c247bb05bee8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1850397
Signature
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1850397 Sample: Baltic questionnaire.exe Startdate: 14/01/2026 Architecture: WINDOWS Score: 100 38 www.yaliro.xyz 2->38 40 www.viptaka.cloud 2->40 42 8 other IPs or domains 2->42 50 Suricata IDS alerts for network traffic 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected FormBook 2->54 58 4 other signatures 2->58 11 Baltic questionnaire.exe 3 2->11         started        signatures3 56 Performs DNS queries to domains with low reputation 38->56 process4 file5 36 C:\Users\...\Baltic questionnaire.exe.log, ASCII 11->36 dropped 68 Injects a PE file into a foreign processes 11->68 15 Baltic questionnaire.exe 11->15         started        18 Baltic questionnaire.exe 11->18         started        20 Baltic questionnaire.exe 11->20         started        signatures6 process7 signatures8 70 Maps a DLL or memory area into another process 15->70 22 9B6VFNFaj39V.exe 15->22 injected process9 process10 24 unlodctr.exe 13 22->24         started        signatures11 60 Tries to steal Mail credentials (via file / registry access) 24->60 62 Tries to harvest and steal browser information (history, passwords, etc) 24->62 64 Modifies the context of a thread in another process (thread injection) 24->64 66 4 other signatures 24->66 27 0Jhfo6FCuUnx2E.exe 24->27 injected 30 chrome.exe 24->30         started        32 firefox.exe 24->32         started        process12 dnsIp13 44 www.yaliro.xyz 104.207.66.126, 49746, 49747, 49748 WINNE-IPV4-1US United States 27->44 46 www.spdoman.site 162.210.101.174, 49742, 49743, 49744 STEADFASTUS United States 27->46 48 5 other IPs or domains 27->48 34 WerFault.exe 4 30->34         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.45 Win 32 Exe x86
Link:
https://app.malva.re/file/708db27a089593014082d18e745d8e4d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2026-01-14 05:25:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3sdiea76mp6i45mgl7h6iocj7qne7vviivaw33uus6buwfmgnhvq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
18bcbb69ee3d1e2fd3e6555bd39d384d8030cd333a4aaa924d761a01ff83fdbd
Formbook
278904b1e6a6d848e3b14319363d95f01e498acf139bc9f8d5c346ed3d0ec9fb
Formbook
3a279099e6b83675a0f1b4ad779734a1c718d6b19a9ab225c54be70c78108ab5
Formbook
5756e25b85cd80cc50822ff08493723729b4f99d37d2a0e26a4a0fa244c7db15
Formbook
5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512
Formbook
85ad935b3f04ac7a537e4cf51894c03ed4764343f3b0d8c56657d9137d8e451e
Formbook
8c07a168b11c30dffb306605a02039ca58803c7fb511127f673d29f84d57bd37
Formbook
a7084e26390ab1dbd0318403c7f73dc63d3ca65ba7fb289349e88de4e46dc98f
Formbook
dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb
Formbook
error
Formbook
f1480ae593b10cb4e34ca69aad57cbc14ca94b3aed963c870affd9dba7bb2356
Formbook
+ 2'513 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260114-gm76eafy5f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/42359884-6562-43bb-b67b-3164d038f5ce
Unpacked files
SH256 hash:
dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb
MD5 hash:
708db27a089593014082d18e745d8e4d
SHA1 hash:
951e40e57f6e08637114883a3eafcf301104aad5
Link:
https://www.unpac.me/results/d4111f81-677f-4f8f-afa2-e37e78e2b055/
SH256 hash:
6a3d0e2e98b1cf28a0547aca0e88a20e251d94e0df7a5808769a2882e58dda11
MD5 hash:
da428eda04a2259a02bcf3120c34715c
SHA1 hash:
34c754c85eebd4c749bab5b24f1a8d3a5f5ebd8a
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/d4111f81-677f-4f8f-afa2-e37e78e2b055/
Parent samples :
392f6b46f45bad21bf7e18de9d62f46651516f7e1b89e2581a1e4e7f71df141b
f3302bb5ac2840ebf927880eb4ba71b2669d7f3f9a261ade6505b2081edef0c7
cc07b7fc44aba3906470be4b5a285b6e17b4c67f706e4afa6fc694392481c9ae
5ac6244e4e561e0db75d436f895369ac7b8927b3726ad7f89e795c8aea4ba017
dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb
172c3076e5d6bfe9089a1e092d1286e77337bc3680db32539e3a7bf69b7d0560
a9748173bb602313b8b1fc6eb71d4036ad98ba25c19b360326dd74cfd71c6522
4eef5964d4be888f65a3410d0f60fd3559021aff06bf1448c919e294b7ecb72e
77be2ee5c55a9c5f20b6522fb6fbd174465481ad60b5143c95ee31e16fccaf8e
27ec2b5eec31bcba30eb7c61b6d0cd60bb36716a397bdcb40f2061866519cb02
e81a2db8cb80396874720064cdfbf62901b1e6b96e8395d6a9846bf930f7efa0
eef6a2be2d108d13d18f38a61013bab9be3290a8a8f1a2ef1b632731367372d0
a8997f7b77f90d348f1a55cde634f4e89a6cbef5f5914391663f31e69a244275
SH256 hash:
2094497b3f255e8a87c2b757c2d70211bf9d57409352ccb7bfd396d41d332a93
MD5 hash:
cf4b62421ea5b6cc3c2e98c43cab27b3
SHA1 hash:
a35e74869129abb17e42a8670d71d6f75e6258dc
Link:
https://www.unpac.me/results/d4111f81-677f-4f8f-afa2-e37e78e2b055/
SH256 hash:
f9f407b1d6e8428f410bd3a2f2ee3f2a6cc35bfa405005381c04ab5b69f5597a
MD5 hash:
992715d3727d92840b8e4fb2b012cb7d
SHA1 hash:
b2fcb97df37d982863acda27adb43e3e7e2a8d06
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/d4111f81-677f-4f8f-afa2-e37e78e2b055/
SH256 hash:
83f731ca2b2297eea1592ba73700a69a704cbd69dac3d065c855669027a8adf0
MD5 hash:
85bbbbf468e67b56ff0df8a1b10e2408
SHA1 hash:
1554cc9831feb600d3a84ef4312941ad8d683dfa
Link:
https://www.unpac.me/results/d4111f81-677f-4f8f-afa2-e37e78e2b055/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dc868203fe63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe dc868203fe63fc8e75865fcfe43849fc1a4fd6a845416dee9497834b158669eb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48839/

Comments