MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28f959fc9483c245c25c6beedc3f449913aeeef3810e43bfb251bc7cb3a998f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28f959fc9483c245c25c6beedc3f449913aeeef3810e43bfb251bc7cb3a998f9
SHA3-384 hash: 37cbd0389d037ce40593412d4a8cd0a1794260c7b0f180168d144dd9f1ff05d34636d3c1d079df64bfff4a245e365a48
SHA1 hash: e6a6c3c6cae05c8a7eafa623f88e481931b1f926
MD5 hash: 2c09eb962e08237efdb07ed10536ed6e
humanhash: two-charlie-stairway-hamper
File name:PURCHASE ORDER.com
Download: download sample
Signature Formbook
Create hunting rule
File size:729'600 bytes
First seen:2026-01-08 08:30:47 UTC
Last seen:2026-01-13 09:53:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'860 x AgentTesla, 19'793 x Formbook, 12'305 x SnakeKeylogger)
ssdeep 12288:SKE44ctN7IBWXWWA5lDsjsx/Lcs0FYj5DfQHESq/vz9CgoF44gVeAqT3iHBrUv1g:lTrIN5lsjI0oDfaivBCgGmeAq+HBi1Tk
TLSH T111F4F114235ACD07C0E24BB67871E3B47B296EDFA892E2969FC93FEFB0356410955342
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/39c79d1b-5a9f-47c5-b99b-a2df780d690d/
Malware family:
n/a
ID:
1
File name:
PURCHASE ORDER.com
Verdict:
No threats detected
Analysis date:
2026-01-08 08:36:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a9b258b9-d98c-4404-9575-34bd558843d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48159/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695f6b6ff50945831dfeb7a2
Tags:
malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook krypt masquerade packed unsafe
Link:
https://www.filescan.io/uploads/695f6b5687e75cdd5af87303/reports/c2a8c5ac-13cb-4789-b6ac-8e5eca076654/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/28f959fc9483c245c25c6beedc3f449913aeeef3810e43bfb251bc7cb3a998f9
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-01-07T05:11:00Z UTC
Last seen:
2026-01-10T03:58:00Z UTC
Hits:
~100
Detections:
Backdoor.Agent.HTTP.C&C Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-PSW.MSIL.PureLogs.gen Trojan-Spy.Win32.Noon.sb Trojan-Spy.Noon.HTTP.ServerRequest Trojan-PSW.Win32.Stealer.sb HEUR:Trojan.MSIL.Agent.gen VHO:Backdoor.Win32.Androm.gen HEUR:Trojan.MSIL.Injector.gen
Link:
https://opentip.kaspersky.com/28f959fc9483c245c25c6beedc3f449913aeeef3810e43bfb251bc7cb3a998f9/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d02fc18b-7d44-4ba5-bcb3-d387c49f2c55
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/28f959fc9483c245c25c6beedc3f449913aeeef3810e43bfb251bc7cb3a998f9
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.51 Win 32 Exe x86
Link:
https://app.malva.re/file/2c09eb962e08237efdb07ed10536ed6e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28f959fc9483c245c25c6beedc3f449913aeeef3810e43bfb251bc7cb3a998f9/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/28f959fc9483c245c25c6beedc3f449913aeeef3810e43bfb251bc7cb3a998f9
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2026-01-07 11:43:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
25 of 38 (65.79%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fd4vt7euqpbelqs4npxnyp2etej253xtqehehp5skg6hzm5jtd4q._file
Verdict:
malicious
Label(s):
unc_loader_078
Create hunting rule
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260108-key5baes4g/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e752b8e3-51eb-4ae8-9e94-851f6c4476c5
Unpacked files
SH256 hash:
28f959fc9483c245c25c6beedc3f449913aeeef3810e43bfb251bc7cb3a998f9
MD5 hash:
2c09eb962e08237efdb07ed10536ed6e
SHA1 hash:
e6a6c3c6cae05c8a7eafa623f88e481931b1f926
Link:
https://www.unpac.me/results/0857112c-b32c-43cb-88f0-921ff0225893/
SH256 hash:
2f5c0268f2f05579df76eb8f00b1521c3527a087d0f9e2b39b8b1e6d5c3a22fb
MD5 hash:
06d02e5c3c28faf7dd2675205c1dff73
SHA1 hash:
cff5d9f94b4734a01a469112e9b3b23bbc3d0914
Link:
https://www.unpac.me/results/0857112c-b32c-43cb-88f0-921ff0225893/
SH256 hash:
d02dd5a8aa804e5cdde78684e4d40bba17c0ec143503e9ea5cbe2b27a95a8117
MD5 hash:
c191b61cebdd664beb166c164560d845
SHA1 hash:
195f6b1a213f9b03f1ada616a516924e4aa926d0
Link:
https://www.unpac.me/results/0857112c-b32c-43cb-88f0-921ff0225893/
SH256 hash:
4a068924a4106e66638ee4dadc8b10983fa6ce86d366fe9236dd0352b9e09397
MD5 hash:
359106c3cbff175b2eb39d6ab5d23d69
SHA1 hash:
a7c7e2a84d5a5382c581adfee3318809f9ac791c
Link:
https://www.unpac.me/results/0857112c-b32c-43cb-88f0-921ff0225893/
SH256 hash:
d3dd9549ed1b34c216cee4264e72da30cf7d17b850bab3d7e4fa67a35184a62d
MD5 hash:
e365933f4273245292348f94b5d8cb21
SHA1 hash:
d9856292db20c199f71782cfe3542c13b8e60ecd
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0857112c-b32c-43cb-88f0-921ff0225893/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/28f959fc9483/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28f959fc9483c245c25c6beedc3f449913aeeef3810e43bfb251bc7cb3a998f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 28f959fc9483c245c25c6beedc3f449913aeeef3810e43bfb251bc7cb3a998f9

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48159/

Comments