MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f35c3d4fe16d13a60992cb48ffc847cb7bc38b991bdbd976e6ced81397784610. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 5 File information Comments

SHA256 hash:	f35c3d4fe16d13a60992cb48ffc847cb7bc38b991bdbd976e6ced81397784610
SHA3-384 hash:	5e70378ca0c6778d9a9ab69160b77a53702ad4c2d522c4dcdf95c5e4da0a5ed0b6983c500cc82a38a2834613e056c2ab
SHA1 hash:	8b6cd7d77f766c3c29be5bfa834f8f5b8d72c798
MD5 hash:	645f73971ee0553c87b9e178a4a8ffa2
humanhash:	two-oklahoma-sierra-harry
File name:	Statement.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	731'136 bytes
First seen:	2025-11-03 10:27:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	21371b611d91188d602926b15db6bd48 (70 x Formbook, 33 x AgentTesla, 20 x RemcosRAT)
ssdeep	12288:gz7hU5I5yuNHIgzSFKxWltRohBfSTso93U9M1m1qtrdRpQCK+QgsEK2J+bc:gf+iN57Gtene3Wkm16Xp+zgdf+bc
Threatray	2'003 similar samples on MalwareBazaar
TLSH	T1DBF4239668C1E960C9807330C439CD64453574B19E6B772E8F2CE63EAC70387AA5779F
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook UPX

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	731'136 bytes
File size (de-compressed) :	1'238'016 bytes
Format:	win32/pe
Unpacked file:	8261528703bade8ae4c6c3b7ff181aaaedf5c12e1c2ab9064cf12326a251cbbd

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Statement.exe

Verdict:

No threats detected

Analysis date:

2025-11-03 10:30:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/638f4e49-b252-4a07-a1b6-88bab78d4205

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/35099/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690883cc706befaf4ecb5549

Tags:

virus spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Launching a process

Сreating synchronization primitives

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f35c3d4fe16d13a60992cb48ffc847cb7bc38b991bdbd976e6ced81397784610

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-30T03:51:00Z UTC

Last seen:

2025-11-05T07:46:00Z UTC

Hits:

~1000

Detections:

PDM:Trojan.Win32.Generic Trojan.Win32.Strab.sb Trojan.Win32.Injuke.pfas Trojan.Win32.Inject.sb Trojan-Spy.Noon.HTTP.ServerRequest Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.Win32.Dorifel.sbd VHO:Trojan.Win64.Injects.hel Backdoor.Agent.HTTP.C&C Trojan-Spy.Win32.Noon.sb Trojan.Win64.Injects.hel Trojan.Win32.Agent.sb

Link:

https://opentip.kaspersky.com/f35c3d4fe16d13a60992cb48ffc847cb7bc38b991bdbd976e6ced81397784610/results?tab=lookup

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/65876f3b-9957-4a71-b1f7-ebe60ebc36f4

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/f35c3d4fe16d13a60992cb48ffc847cb7bc38b991bdbd976e6ced81397784610

Verdict:

Malware

YARA:

5 match(es)

Tags:

AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/645f73971ee0553c87b9e178a4a8ffa2

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f35c3d4fe16d13a60992cb48ffc847cb7bc38b991bdbd976e6ced81397784610/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/f35c3d4fe16d13a60992cb48ffc847cb7bc38b991bdbd976e6ced81397784610

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2025-10-30 07:33:46 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6nod2t7bnuj2mcmsznep7schzn54hc4zdpn5s5xgz3mbhf3yiyia._file

Verdict:

malicious

Label(s):

formbook

Formbook

061e7c16799ad41c3ca701ec1f4d06c7ad0c1c44e4c9bf4a57fd6eddb2ffa923

Formbook

5de40cb80d71ff5cabc77ed1ae871532f78c3a74823c92e0a54ed1a8fd062297

Formbook

75dfbb18396808592a7b46045f58a499b13169b13c75efa51f5c715d1d3f03e2

Formbook

7adce544b62e952c35eda61e57a188834b85bade02d1112ac2e8cf910bcb5903

Formbook

a0f03b781a6132d96dd86b61922cb734aa80b135d2e1551d45496117eb7d1b65

Formbook

a422d6ce2f3c8376411decfba73a28fbaaed1eefd5ce12d4d6f62afb3d03915b

Formbook

a684465a73338c71ef0b4094a7ea9cef4c7b75a9577286cbb9614bd6702a6917

Formbook

af6376d7d5de38d0d7acf754db0d4c4f77ba49a48eb1cb4d240b16d3725d58dc

Formbook

b3519529f6d34d7fa3108901fe68b12f4577de4e610433e1ae733666fd8f1126

Formbook

+ 1'993 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan upx

Link:

https://tria.ge/reports/251103-mjhdgawrhy/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Formbook payload

Formbook

Formbook family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/a091f6d4-f3b4-42bb-86e9-52f910447cec

Unpacked files

SH256 hash:

8261528703bade8ae4c6c3b7ff181aaaedf5c12e1c2ab9064cf12326a251cbbd

MD5 hash:

e10a671ef7dca4dbe366e9aafd5d429a

SHA1 hash:

ffc9e356f2f9fbb5b5ec8c8ac6d7fada0757bd31

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/e9693ec6-c9b9-4994-b8c9-814d4f378a61/

Parent samples :

f35c3d4fe16d13a60992cb48ffc847cb7bc38b991bdbd976e6ced81397784610
8261528703bade8ae4c6c3b7ff181aaaedf5c12e1c2ab9064cf12326a251cbbd

SH256 hash:

80858ac79c0b8d117c58bf3bae85004fded91c812dd684274a9a7349730d9630

MD5 hash:

2efeda40bedf4271be629571de4798de

SHA1 hash:

67fe925769506d614f3c8d201f10cf44bc4b547e

Link:

https://www.unpac.me/results/e9693ec6-c9b9-4994-b8c9-814d4f378a61/

SH256 hash:

792b15d3a2e4bda9eb56d5d304340ab833da5eb7fabc6a1e05bec6220a5147ec

MD5 hash:

f6d35bda4f0ed16d0f68cbdd6c112242

SHA1 hash:

e2db2d7f6a21882e0e6a25a55b52811fe16998f3

Link:

https://www.unpac.me/results/e9693ec6-c9b9-4994-b8c9-814d4f378a61/

SH256 hash:

f35c3d4fe16d13a60992cb48ffc847cb7bc38b991bdbd976e6ced81397784610

MD5 hash:

645f73971ee0553c87b9e178a4a8ffa2

SHA1 hash:

8b6cd7d77f766c3c29be5bfa834f8f5b8d72c798

Link:

https://www.unpac.me/results/e9693ec6-c9b9-4994-b8c9-814d4f378a61/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.91

Link:

https://yomi.yoroi.company/submissions/f35c3d4fe16d13a60992cb48ffc847cb7bc38b991bdbd976e6ced81397784610

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_largefile Create hunting rule
Author:	k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe f35c3d4fe16d13a60992cb48ffc847cb7bc38b991bdbd976e6ced81397784610

(this sample)

Formbook

exe 8261528703bade8ae4c6c3b7ff181aaaedf5c12e1c2ab9064cf12326a251cbbd

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/35099/

Dropping

SHA256 8261528703bade8ae4c6c3b7ff181aaaedf5c12e1c2ab9064cf12326a251cbbd

Dropping

MD5 e10a671ef7dca4dbe366e9aafd5d429a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample