MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f09c3060707025a8f0676dfb0ec5ea56dcbe47977a3dc4bccdbfdde29dc2c827. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f09c3060707025a8f0676dfb0ec5ea56dcbe47977a3dc4bccdbfdde29dc2c827
SHA3-384 hash: 96a83e903a0a744255384602cc66fffdc16fac416e738bf20d025f410693e5f8c35fdbab7490c1aaaac2beb7a5ebf925
SHA1 hash: 476e7fb6993052ac638de0938a39de714f2d1d61
MD5 hash: a879a1f4bbdfc268ef37b19efca5659e
humanhash: pluto-lamp-mississippi-yellow
File name:Documents-saradeivid00999.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'114'624 bytes
First seen:2025-08-04 08:46:26 UTC
Last seen:2025-08-05 08:47:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:427fNUv+ZLkFrwtCBmWR7IS92lm4wbuPUSXb0Er4zEHx6OTHvT:7fNrLIcUHIK4wbuPUSXCzEHx6OT
Threatray 5'115 similar samples on MalwareBazaar
TLSH T13935F907BB878BB2C2645776CCB7040CD364E981373BDF5A798A237A58D3BBA5940127
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon ac88bae3c8f1d79e (2 x Formbook)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
51
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
Documents-saradeivid00999.exe
Verdict:
Malicious activity
Analysis date:
2025-08-04 09:27:33 UTC
Tags:
netreactor formbook stealer xloader
Link:
https://app.any.run/tasks/b4377fa3-5f26-4e1f-8e52-8eff87e4625d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18722/
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689073a20b4775fb2135f796
Tags:
shell sage hype
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Connection attempt to an infection source
Unauthorized injection to a system process
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
net_reactor obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/689073a332e61090868c6673/reports/740712a5-f154-4e0b-9202-dfdd1910a59f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f09c3060707025a8f0676dfb0ec5ea56dcbe47977a3dc4bccdbfdde29dc2c827
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd5750f9-03ce-4424-ade2-99fd6a1085b2
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1749705
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1749705 Sample: Documents-saradeivid00999.exe Startdate: 04/08/2025 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 10 other signatures 2->46 10 Documents-saradeivid00999.exe 15 3 2->10         started        process3 dnsIp4 38 45.141.233.27, 49687, 80 ASDETUKhttpwwwheficedcomGB Bulgaria 10->38 48 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->48 50 Writes to foreign memory regions 10->50 52 Injects a PE file into a foreign processes 10->52 14 InstallUtil.exe 10->14         started        17 cmd.exe 1 10->17         started        19 cmd.exe 1 10->19         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 62 4 other signatures 14->62 21 explorer.exe 53 1 14->21 injected 60 Uses ipconfig to lookup or modify the Windows network settings 17->60 23 conhost.exe 17->23         started        25 ipconfig.exe 1 17->25         started        27 conhost.exe 19->27         started        29 ipconfig.exe 1 19->29         started        process8 process9 31 control.exe 21->31         started        signatures10 64 Tries to detect virtualization through RDTSC time measurements 31->64 34 cmd.exe 1 31->34         started        process11 process12 36 conhost.exe 34->36         started       
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f09c3060707025a8f0676dfb0ec5ea56dcbe47977a3dc4bccdbfdde29dc2c827
Verdict:
Malware
YARA:
12 match(es)
Tags:
.Net .Net Obfuscator .Net Reactor Executable PE (Portable Executable) SOS: 0.28 Win 32 Exe x86
Link:
https://app.malva.re/file/a879a1f4bbdfc268ef37b19efca5659e
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f09c3060707025a8f0676dfb0ec5ea56dcbe47977a3dc4bccdbfdde29dc2c827/
Threat name:
Win32.Backdoor.FormBook
Create hunting rule
Status:
Suspicious
First seen:
2025-08-04 08:47:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6codaydqoas2r4dhnx5q5rpkk3ol4r4xpi64jpgnx7o6fhoczatq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
11aa8ade534f35f3f88dde4fd4ca4182c7f4725f884b12812378f4608cc976bf
Formbook
26f52d29815a25e021c0ac37bb0712833cb21c3b4e97ccd5b35199de3b3f2e92
Formbook
4a16f87ede74f8f5cf4af54e78a69380979b1147a8302cd371d50947c4a0f0fe
Formbook
63e3b4304b855b3219c28b8d5306241564ac5f1752a01b5b793ee7733b4c69a7
Formbook
b362ced287b5f00b3b2ab2c3a7bbc85b57e13271d76a6c65423a831fde92876c
Formbook
c8500adf5318aa42e5cfe9d6efe18d328538a6d8b36765d68820d2b99c3c9626
Formbook
eeabc02c0c8b1e32a032f2573a61e8154570f6d9d9485bf40207328bd14447cf
Formbook
error
Formbook
f09c3060707025a8f0676dfb0ec5ea56dcbe47977a3dc4bccdbfdde29dc2c827
Formbook
f9264179af743b510f7158e518141c28d4e0132591f3dfb360a2b1277180dc7e
Formbook
+ 5'105 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:um09 discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250804-kp3kgszmx9/
Behaviour
Enumerates system info in registry
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/726f524a-b6a5-44b2-a14d-72d46eb9ac4d
Unpacked files
SH256 hash:
f09c3060707025a8f0676dfb0ec5ea56dcbe47977a3dc4bccdbfdde29dc2c827
MD5 hash:
a879a1f4bbdfc268ef37b19efca5659e
SHA1 hash:
476e7fb6993052ac638de0938a39de714f2d1d61
Link:
https://www.unpac.me/results/e4e36dff-e9f7-4fcb-98bb-71c69cfc1804/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f09c30607070/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f09c3060707025a8f0676dfb0ec5ea56dcbe47977a3dc4bccdbfdde29dc2c827

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

img 122a8d2fd7c1611f2f88064377ca13f6e123f35183b97d60532899bf0797e82d

Formbook

Executable exe f09c3060707025a8f0676dfb0ec5ea56dcbe47977a3dc4bccdbfdde29dc2c827

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/18722/
  
Dropped by
SHA256 122a8d2fd7c1611f2f88064377ca13f6e123f35183b97d60532899bf0797e82d
  
Dropped by
MD5 a02b6900cc89aef92db48a21099994ab

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments