MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302
SHA3-384 hash: 981121264d0ab5e93fa11653a622072575f7b3aa133ba351a03e5602638539efded6d89eabed1c06a30f2fd68f14ea25
SHA1 hash: 2a6e70ed2ceb885ebcbc14471a599450da89fc1f
MD5 hash: 140e35e0a1e21756d408459d5024f983
humanhash: twelve-december-texas-failed
File name:Bank_Payment_Confirmation_Advice0023456.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'021'440 bytes
First seen:2026-05-18 14:15:56 UTC
Last seen:2026-06-08 09:43:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'067 x AgentTesla, 20'020 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 24576:yweB5LBrafKTwgoAnilN2F+zNg5xBNaDyUlPDKtrg:onk4oIilJyxBNuyttr
Threatray 2'757 similar samples on MalwareBazaar
TLSH T1B72522685B66D807CAD4AB340E71F379122D1DDEE842C207AFE87DEFBD66D246D00192
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/210005ee-fd5e-4ead-a928-90c00a4f7f37/
Malware family:
n/a
ID:
1
File name:
MV_INO_HORIZON_SPARE_PARTS_ORDER02983456.exe
Verdict:
Malicious activity
Analysis date:
2026-05-14 08:11:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6db400e9-ebf6-4958-a7e1-0a8293a8bf80

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/66301/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a0b1f479492784948341d1f
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
Creating a process with a hidden window
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed stealer
Link:
https://www.filescan.io/uploads/6a0b1f43efbd399b39b7aa7e/reports/f375afc7-e967-446b-adde-e5c87fc3e35d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-13T23:35:00Z UTC
Last seen:
2026-05-20T09:58:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan-PSW.MSIL.Stealer.gen Backdoor.Win32.Androm.sb PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb Trojan-Spy.Win32.Noon.sb Trojan-Dropper.Win32.Injector.sb
Link:
https://opentip.kaspersky.com/0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3099041b-3401-4c81-a292-ebafff240de1
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1915077
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1915077 Sample: Bank_Payment_Confirmation_A... Startdate: 18/05/2026 Architecture: WINDOWS Score: 100 73 www.vrechke.ru 2->73 75 www.umpgsongs.music 2->75 77 16 other IPs or domains 2->77 85 Suricata IDS alerts for network traffic 2->85 87 Antivirus detection for URL or domain 2->87 89 Multi AV Scanner detection for submitted file 2->89 91 14 other signatures 2->91 12 powershell.exe 19 2->12         started        14 Bank_Payment_Confirmation_Advice0023456.exe 1 7 2->14         started        18 powershell.exe 2->18         started        signatures3 process4 file5 20 IuOIhVFBEoNfs.exe 3 12->20         started        23 conhost.exe 12->23         started        65 C:\Users\user\AppData\...\IuOIhVFBEoNfs.exe, PE32 14->65 dropped 67 C:\...\IuOIhVFBEoNfs.exe:Zone.Identifier, ASCII 14->67 dropped 69 C:\Users\user\AppData\...\mctyttnxwvs.ps1, ASCII 14->69 dropped 71 Bank_Payment_Confi...vice0023456.exe.log, ASCII 14->71 dropped 111 Creates autostart registry keys with suspicious values (likely registry only malware) 14->111 113 Creates an autostart registry key pointing to binary in C:\Windows 14->113 115 Adds a directory exclusion to Windows Defender 14->115 117 Injects a PE file into a foreign processes 14->117 25 powershell.exe 23 14->25         started        27 Bank_Payment_Confirmation_Advice0023456.exe 14->27         started        29 Bank_Payment_Confirmation_Advice0023456.exe 14->29         started        31 IuOIhVFBEoNfs.exe 18->31         started        33 conhost.exe 18->33         started        signatures6 process7 signatures8 103 Multi AV Scanner detection for dropped file 20->103 105 Unusual module load detection (module proxying) 20->105 35 IuOIhVFBEoNfs.exe 20->35         started        107 Loading BitLocker PowerShell Module 25->107 38 WmiPrvSE.exe 25->38         started        40 conhost.exe 25->40         started        42 WerFault.exe 19 16 27->42         started        44 IuOIhVFBEoNfs.exe 31->44         started        process9 signatures10 93 Maps a DLL or memory area into another process 35->93 46 j4goGksFVK.exe 35->46 injected 49 WWbFw5XaLqyfq.exe 44->49 injected process11 signatures12 109 Maps a DLL or memory area into another process 46->109 51 takeown.exe 46->51         started        54 takeown.exe 49->54         started        process13 signatures14 95 Tries to steal Mail credentials (via file / registry access) 51->95 97 Tries to harvest and steal browser information (history, passwords, etc) 51->97 99 Modifies the context of a thread in another process (thread injection) 51->99 101 4 other signatures 51->101 56 4NwFPUgKWHq.exe 51->56 injected 59 chrome.exe 51->59         started        61 firefox.exe 51->61         started        process15 dnsIp16 79 www.taghmx.com.mx 69.6.201.124, 49728, 49729, 49730 UNIFIEDLAYER-AS-1US United States 56->79 81 www.fitmin.fun 185.104.45.67, 49707, 80 UKRAINE-ASUA Ukraine 56->81 83 11 other IPs or domains 56->83 63 WerFault.exe 59->63         started        process17
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.24 Win 32 Exe x86
Link:
https://app.malva.re/file/140e35e0a1e21756d408459d5024f983
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302
Threat name:
Win32.Trojan.BPLogger
Create hunting rule
Status:
Malicious
First seen:
2026-05-14 02:37:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b2mbkcj3jcky4zbk2s7uqbva7o4ezujvbz6wpwogbkvayfc6mmba._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
wannacryptor
Create hunting rule
Similar samples:
0035d9424bdee5b512bd3441db4be0486f82a7beb8890713dada7d83e3b7b845
Formbook
2af9816b540cfa33d8d62d8d84d1881d3d3c4f250d92c9d046df3469458f56a5
Formbook
3c97c9c3fd33f0deafc90dac2192ca8a44a44732368e02fdafbf35da539091aa
Formbook
560eebed936f112b8892437063f73a9a6a7b28c9514cea157e8b3314c3cebb9a
Formbook
5a721e420c6fc129a198af6fd7458202c574cff68e0b60b4372a8af5767bd2d9
Formbook
680c3a1fe5c2fe5a84ae9d575f1ef6f4a28dec59090a4018363e58635536e07a
Formbook
73f67234b1d2315ce7cbcbadb5f6e3a5e7a92e6441d4ae7c321a5266f0ece801
Formbook
94d710b32d1ba165af39fd3463b00aa03f790caa8fc4c3eda10f28d78ac4dd84
Formbook
b28e7ee3053e894417d6f851cfd9fb84e9fb5f0274401e6c9f28481c3745a8af
Formbook
c61fd6a91353834b1b35bdef04242f89295b7f7ecffb2951ec3459b391d8ed97
Formbook
error
Formbook
+ 2'747 additional samples on MalwareBazaar
Gathering data
Unpacked files
SH256 hash:
0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302
MD5 hash:
140e35e0a1e21756d408459d5024f983
SHA1 hash:
2a6e70ed2ceb885ebcbc14471a599450da89fc1f
Link:
https://www.unpac.me/results/9bccae19-0af4-4b01-8f99-1d9146de5496/
SH256 hash:
1b7bc097c92735446793117427eb63e581aa3ea6982a75ec872cd27fbe2e9b5e
MD5 hash:
d3149fbfe65d3da08baca186a70bbcc7
SHA1 hash:
63a1460c9356fbda25d63119693c43d69637796f
Link:
https://www.unpac.me/results/9bccae19-0af4-4b01-8f99-1d9146de5496/
SH256 hash:
363ee51fc02f20cb206039434758c3afa1c71bc7d316c6db4a39b0d310ab92f9
MD5 hash:
afe085b7324d72673eef749ff5f21a49
SHA1 hash:
a86f1039a8877804b1b2c99aed91312846cd40e5
Link:
https://www.unpac.me/results/9bccae19-0af4-4b01-8f99-1d9146de5496/
SH256 hash:
ef4ac45ab35046675e281c4caa375fd9e93cc682e5fa141c044e44e52104dd0d
MD5 hash:
f5647abab411805f7c6ab88ae65ee6e1
SHA1 hash:
bd0307009bdb09024f5e414139d3c665a2573789
Link:
https://www.unpac.me/results/9bccae19-0af4-4b01-8f99-1d9146de5496/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0e9815093b48/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0e9815093b48958e642ad4bf4806a0fbb84cd1350e7d67d9c60aaa0c145e6302

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/66301/

Comments