MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c32e46a570f8b87609f6a2073bc9cde87cd6934e0262511dddfdd72bb7cc875. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2c32e46a570f8b87609f6a2073bc9cde87cd6934e0262511dddfdd72bb7cc875
SHA3-384 hash: 82b0b545dd23b037a57004bd591add46243b5348eaaac07980cdfded473dec2bd10f812e59000ace1abc1bcc55abad9b
SHA1 hash: b26bd746b74422dfedc48b242c5d972badc5c8ec
MD5 hash: fa487e78d5bf33bca1a4dde6c42758db
humanhash: shade-east-uncle-sweet
File name:PI-INQ-3001 & 3002.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:432'866 bytes
First seen:2026-05-15 08:46:25 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 12288:/RNb2aioEq5JAWbOiWnXMCOCZeLdD5FHqJ6nH6HXm:3b2SEubO/MCOel8Hq2
Threatray 2'399 similar samples on MalwareBazaar
TLSH T1299423E61ACA448941F44167DB56A412B749D2FBEB3DF445A1EF008F0039BDFFB9181A
TrID 50.0% (.BIB/BIBTEX/TXT) BibTeX references (5500/1/2)
50.0% (.MSS) Scribe Markup (5500/1/2)
Magika batch
Reporter lowmal3
Tags:bat FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
DE DE
Vendor Threat Intelligence
Malware configuration found for:
BatchScript
Details
Link:
https://research.acce.ciphertechsolutions.com/results/304d6f8a-ceb6-40dc-9882-0110b177c3c8/
Malware family:
n/a
ID:
1
File name:
bat
Verdict:
No threats detected
Analysis date:
2026-05-15 08:47:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a17562e3-dce8-44d5-93b5-75fe0ecc016d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/66005/
Detection(s):
SecuriteInfo.com.BAT.Starter.741.26331.14061.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a06dd6f46d6967b3d9074af
Tags:
dropper shell
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aes base64 base64 batch batloader crypto evasive formbook obfuscated packed powershell xworm
Link:
https://www.filescan.io/uploads/6a06dd6811d01437268aaadc/reports/8af10bea-135f-41da-b77b-e17eacc2ce6a/overview
Verdict:
Malicious
Labled as:
BAT/Obfuscated.AR trojan
Link:
https://www.hybrid-analysis.com/sample/2c32e46a570f8b87609f6a2073bc9cde87cd6934e0262511dddfdd72bb7cc875
Verdict:
Malicious
File Type:
unix shell
First seen:
2026-05-12T21:40:00Z UTC
Last seen:
2026-05-16T03:45:00Z UTC
Hits:
~100
Detections:
Trojan.BAT.Agent.sb HEUR:Trojan.BAT.Obfus.gen
Link:
https://opentip.kaspersky.com/2c32e46a570f8b87609f6a2073bc9cde87cd6934e0262511dddfdd72bb7cc875/results?tab=lookup
Result
Threat name:
DonutLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1913908
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Yara detected DonutLoader
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/2c32e46a570f8b87609f6a2073bc9cde87cd6934e0262511dddfdd72bb7cc875
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2c32e46a570f8b87609f6a2073bc9cde87cd6934e0262511dddfdd72bb7cc875/
Verdict:
Malicious
Threat:
Trojan.BAT.Obfus
Link:
https://tip.neiki.dev/file/2c32e46a570f8b87609f6a2073bc9cde87cd6934e0262511dddfdd72bb7cc875
Threat name:
Script-BAT.Trojan.XWorm
Create hunting rule
Status:
Malicious
First seen:
2026-05-13 03:46:53 UTC
File Type:
Text
AV detection:
11 of 36 (30.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fqzoi2sxb6fyoye7niqhhpe432d422ju4atckeo537oxfo34zb2q._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
1bf18f545a82c0ecc165e076258bfc505cc46b7faac2a527c6772bb455530425
Formbook
2340cf1b85773967eed1a6719425a6a1c210a7bc51edb77c2e82b73142f95bb3
Formbook
37f29dc9c4be3882314edf6c663e77ef711a719ed7b5d4256ed2423cfbc0ca61
Formbook
908dac68fba5fde5f21c975a69cde84bbc3d7c2bbaad5e6f9b709d32b27276a4
Formbook
9ad0d98bbf8b5df4df29d24bf84fb1b2e10d35d9f4d8824afac4b140fbe57621
Formbook
ae4506ade7e693e10580570cd6a6835138ebc99a9a1aaad36c19aad2a18d5dc0
Formbook
b5c978f16a11c1bc6589e5b4b78d08fec1cea4cf2df5df9c67b1eda26e485f6d
Formbook
eb92fd512aced6503edbe52a19c8b5d225e18fa65a079e250c8ddb90f387c4d4
Formbook
error
Formbook
+ 2'389 additional samples on MalwareBazaar
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2c32e46a570f8b87609f6a2073bc9cde87cd6934e0262511dddfdd72bb7cc875

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Batch (bat) bat 2c32e46a570f8b87609f6a2073bc9cde87cd6934e0262511dddfdd72bb7cc875

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/66005/

Comments