MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f05c22a1efc4ae70839768e6d0d22057eadd708c8da4e3fc8de7376267e8bca4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 22



SHA256 hash: f05c22a1efc4ae70839768e6d0d22057eadd708c8da4e3fc8de7376267e8bca4
SHA3-384 hash: c521470a17af6db415e7b4f5adbfc7be3fa07e9ac37c4db4fd2cd6c52b92be89746537ece1ed6929b844a7a66c306498
SHA1 hash: 3fdb7593e494aa89938c10a3c702ef6663dae8b5
MD5 hash: b62c72ae26610f75aa4a908b0e507630
humanhash: ten-violet-yellow-oscar
File name: Malzeme Siparis Talep Formu 01102025_Kaptan Grup.exe
Signature Formbook
File size: 636'416 bytes
First seen: 2025-10-01 15:13:18 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:clICcFKaBC0BFVt2HXIAuNgg5ClSx0FO0AA8U10ph8RRLpKaotu:cIKaBBTVtgXTgQLfB11zpK
Threatray 18 similar samples on MalwareBazaar
TLSH T167D41215035EFA17C4611FB80974C37547795EA8BD21E3438FFFACEBB82EA456848292
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags: exe FormBook geo TUR

Intelligence


File Origin
# of uploads :
1
# of downloads :
106
Origin country :
SE
Vendor Threat Intelligence
Malware family:
formbook
ID:
1
File name:
Malzeme Siparis Talep Formu 01102025_Kaptan Grup.exe
Verdict:
Malicious activity
Analysis date:
2025-10-01 11:40:05 UTC
Tags:
formbook stealer xloader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
shell virus micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Searching for synchronization primitives
Launching a process
Creating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
lolbin obfuscated packed packed packer_detected tracker
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-01T04:19:00Z UTC
Last seen:
2025-10-03T12:42:00Z UTC
Hits:
~1000
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph (rendered graph; recoverable information only):
Behavior Graph ID: 1787447
Sample: Malzeme Siparis Talep Formu...
Startdate: 01/10/2025
Architecture: WINDOWS
Score: 100
Network: www.tebarit.net; www.oycasino-occ.top; 2 other IPs or domains
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures
Process tree:
  Malzeme Siparis Talep Formu 01102025_Kaptan Grup.exe (started)
    dropped: Malzeme Siparis Ta...Kaptan Grup.exe.log, ASCII
    signature: Adds a directory exclusion to Windows Defender
    Malzeme Siparis Talep Formu 01102025_Kaptan Grup.exe (started)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected)
        msdt.exe (started)
          signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
          cmd.exe (started)
            conhost.exe (started)
    powershell.exe (started)
      signature: Loading BitLocker PowerShell Module
      conhost.exe (started)
    Malzeme Siparis Talep Formu 01102025_Kaptan Grup.exe (started)
Threat name:
Win32.Backdoor.FormBook
Status:
Malicious
First seen:
2025-10-01 07:18:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
28 of 38 (73.68%)
Threat level:
5/5
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook campaign:gw28 discovery execution rat spyware stealer trojan
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
SHA256 hash:
f05c22a1efc4ae70839768e6d0d22057eadd708c8da4e3fc8de7376267e8bca4
MD5 hash:
b62c72ae26610f75aa4a908b0e507630
SHA1 hash:
3fdb7593e494aa89938c10a3c702ef6663dae8b5
SHA256 hash:
08a874ce9f9a4c12dbcfe0643733fc5c1d8d50e87ae2828d123d491ea1ba6f32
MD5 hash:
7acf6e0c7c9e7ebd27d5a6c48ff3bde6
SHA1 hash:
228353e8fea4c9d65d133a45ea847a19dc18c282
SHA256 hash:
43a1d713de269eeb768455dbb90ca104d511ed446422c1be660e5ac7c13b2d1a
MD5 hash:
2d4ba21b596d614d8d4d120cfa6f69bc
SHA1 hash:
a34f964e812ef01abee3f178063d42e44a6214eb
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
17cf2e3249632d80d852b1f2074abe276836fa6de237e6c44d7eb9b84505e237
MD5 hash:
03fb4ee4e3a854a15e5527b726becca4
SHA1 hash:
15c9f0a3a2f4a1bb231c1ccebccc57fba95752ac
Detections:
win_formbook_w0 win_formbook_g0 win_formbook_auto FormBook Windows_Trojan_Formbook Formbook
Parent samples :
90addeb56d3d3cd4aa9064861d82f68ed5e501e0149e1915e533d14c67e97e76
cb62a2a1afdbd5d034d28d9fbd0dfd6fb40d986b345b89e3fa8d1866d8ad9a38
3d73ce6df0894382b15b762b63c16b983ded101731112bbbb1a78bdf6faf6226
9d854ef77324e13432f5a59bdc1551e6425c8a5c533ee15a7e497e886636d30a
7b7de9a2694634817a70b23b8dff8fa44e5dbc96c046de82b27e1cce54d252c8
ee68d6bc31aa1661dfdbf95b66fccba4ec8678ee2b6f384d8f51cab0608e81df
f05c22a1efc4ae70839768e6d0d22057eadd708c8da4e3fc8de7376267e8bca4
94f3a5b7cc5784d0be1f7d4c726ea45c5c84a132f7b86a10dee5d63332c5415a
3f57d382a91d317a9534cdc957cd87407f5515c8950320987338dddb4899aeb8
863cb2092d902c6ca8e04b62654e32c1d21d2f6cfd0c71d287805456bd386746
41e4dd0218aed625e7883bd3dbe43a95796360bda2e2b7fcf020af9fe5e1f1dc
e97233f6c7b7497a0fe4d6a916dde92ade0cc0f92d73e424af88b0bd855b23db
35609862a6c28f3fa0e24dfc564dd3515c539cd1f8387de051055abbaef90ff5
ebc963782a30a3e6cc360a6e4fda16d2acac2de13ee0d8db863082e699dabd5a
0b6626a93de029cfa30a8b9e33aaa49f648bf75d36a8cba9fe199cfae9bb86c0
27541e7a2b03816dc453852b1251e72fae6e6081984e94248d3edb7e13c780e6
3f1bebc7b0ea5164074e72a8f77e3bc133d1d415f5db79c20385b8d5a601a1a0
da99e5e90a490e93120bd11d5bdb6226ad5e6fa21c10d5514b97d09b56dcc403
c3157e851e8881640c974074f7f50836c0eaf503a2134719ef1374d7824a449b
099aab7e93cc90414b63769dba429546e4f98953f1c8304f6b8109e6fa0a824e
69ae2e849e4b148f879630ae9e3a4f991602cc6a658dd732dd775c31839d69ce
c34753d6a802dcb3570354a7ecc7e930d957a28cca0d63e698ac0c0cbe67e6cc
44a2b2a04288b8a218d80ea21b9b96de167b844fa7481adfbd48cfdf179aa0df
3988ec66f1954d27508b1a07ca7fe384952aa751f066b6d0c626f54a185e3e41
67018046ca353a77dd60a66c54a2b1db4d82e8f3b3cce6cd7db1de6106c0e30a
889349bbd7bfd22af28916a5da340f36772ae2a6707b324ab666374b47bf9bba
dc969684c8b2051843d1db4048e2b13e366e769dd8e97a1dc63e1dce0ffcb954
532c23e17dcfc3459cc6a1d19cfd1be12b7589ce55558db0dd932426e41f14d3
851777ba5b93dbcb9663559525e069ca084e7e5a5c5111d2a6798bb065b82fc9
adc5532725144b1f28aaf526c1f83fe7ab098a54cdeec6e76de74145a3e793de
8ccd299fea6467b706e5b9108fb8e18c2dfab8fad9b324464f4ff74f067be6ad
195fbfce93f4365587f25a24138d01d03d066cbadaa0fa93e57dfbccca6767ec
23992ab41872ac21dcd499a48a743e51afa43d873d8564a95f03f4a639d3bfbc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments