MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8
SHA3-384 hash: 2cf7049ae9efde15243c2577750f6aba4c4c396d63d9d37c313d380b4ea5592521b4ef1af108046cab70b8fdeb6e6ac8
SHA1 hash: 197cf72a0718e1f10fd447648c22a1ee5f3ad75c
MD5 hash: 9ad804c7432ad16d21e0bd3a0a01bc92
humanhash: don-tennis-aspen-india
File name:INVOICE.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:768'512 bytes
First seen:2025-09-29 10:10:23 UTC
Last seen:2025-10-09 15:12:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:8CcFQKDqOqYGUkISrYEfBYQQVy7YKz0LxAVMMzkSYz4OixPFLKdDsEC:mQ8qtICac7vzmCzkSRVxtLnB
Threatray 1'555 similar samples on MalwareBazaar
TLSH T1E1F4029463BAEF06E0BA0BF90530D7740775ADA9B811E2064EFAACDB7839B402C45753
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter cocaman
Tags:exe FormBook payment

Intelligence

File Origin
# of uploads :
5
# of downloads :
112
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
INVOICE.r15
Verdict:
Malicious activity
Analysis date:
2025-09-29 10:11:46 UTC
Tags:
arch-exec formbook stealer xloader
Link:
https://app.any.run/tasks/5fee36c4-0d6e-45da-9c3c-568e98a6808f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29407/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d5537d1e4783989051f578
Tags:
injection blic
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Creating a file
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68da5b286c140e5b35ff39a8/reports/928136a8-1eab-4818-ada8-aa94cc5e3dad/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-29T04:39:00Z UTC
Last seen:
2025-09-29T04:39:00Z UTC
Hits:
~1000
Detections:
VHO:Backdoor.Win32.Convagent.gen Trojan-Spy.Noon.HTTP.ServerRequest PDM:Trojan.Win32.Generic HEUR:Trojan-Spy.MSIL.Noon.gen Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb
Link:
https://opentip.kaspersky.com/3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed33a84a-529a-4e56-93a4-2835dedbce7a
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1785778
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1785778 Sample: INVOICE.exe Startdate: 29/09/2025 Architecture: WINDOWS Score: 100 44 www.yourcarrier.xyz 2->44 46 www.whalesapp.xyz 2->46 48 10 other IPs or domains 2->48 72 Antivirus detection for URL or domain 2->72 74 Antivirus / Scanner detection for submitted sample 2->74 76 Multi AV Scanner detection for submitted file 2->76 80 7 other signatures 2->80 10 INVOICE.exe 4 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 78 Performs DNS queries to domains with low reputation 46->78 process4 dnsIp5 42 C:\Users\user\AppData\...\INVOICE.exe.log, ASCII 10->42 dropped 82 Writes to foreign memory regions 10->82 84 Allocates memory in foreign processes 10->84 86 Adds a directory exclusion to Windows Defender 10->86 88 Injects a PE file into a foreign processes 10->88 17 MSBuild.exe 10->17         started        20 powershell.exe 23 10->20         started        22 svchost.exe 10->22         started        56 127.0.0.1 unknown unknown 14->56 file6 signatures7 process8 signatures9 66 Maps a DLL or memory area into another process 17->66 24 oDNEsfV3.exe 17->24 injected 68 Loading BitLocker PowerShell Module 20->68 26 WmiPrvSE.exe 20->26         started        28 conhost.exe 20->28         started        70 Changes security center settings (notifications, updates, antivirus, firewall) 22->70 30 MpCmdRun.exe 2 22->30         started        process10 process11 32 wlanext.exe 13 24->32         started        35 conhost.exe 30->35         started        signatures12 58 Tries to steal Mail credentials (via file / registry access) 32->58 60 Tries to harvest and steal browser information (history, passwords, etc) 32->60 62 Modifies the context of a thread in another process (thread injection) 32->62 64 3 other signatures 32->64 37 7ymzeLAVwMvD2L.exe 32->37 injected 40 firefox.exe 32->40         started        process13 dnsIp14 50 www.yourcarrier.xyz 99.83.161.153, 49689, 49699, 49700 AMAZON-02US United States 37->50 52 programavidaverde.shop 84.32.84.32, 49707, 49708, 49709 NTT-LT-ASLT Lithuania 37->52 54 3 other IPs or domains 37->54
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.44 Win 32 Exe x86
Link:
https://app.malva.re/file/9ad804c7432ad16d21e0bd3a0a01bc92
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8
Threat name:
ByteCode-MSIL.Trojan.PureLogStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-29 08:10:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gge2fkctbmtpq6shyykp3ck6df6x7uh4beak5bkrwrarjmtx33ea._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
1a1e4f5e5b668ea14d3cfc4f3e65d8638cefe7acc82378245d6b28db9a070d31
Formbook
29688877a36107747d055f72f6760d360a6f3715ef32d90f46815838b56e18dc
Formbook
5f9b01b88c7faf63239a79405c1f7c5521b9cfd1934c659a8c56345ad1549d17
Formbook
8c0cd5bdae1355f8bc7f7af9102fb77eb8b52e432cdbe17c27456be4af1082ab
Formbook
a4e1ceb8458e0bca4119adb33ded5b1ef154f0ba69594b2079fbbcfb48cbe4ce
Formbook
ad0a87e7d15323230f7732b7d734abe976d5e6b4e32ec086e7892ca0f67acfe7
Formbook
bce46d675d57b09b2bf85f109ab3cdd12c7894519b8ba37426601dd18eb03671
Formbook
c55443835b9da7ef3fd8e804969c806713c352c5fbdbe8e673e348f9588e7189
Formbook
error
Formbook
fb950059d4dbf088a3f81339ba49bb503db94d915f1dc5707eaed1bffe7ba263
Formbook
+ 1'545 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250929-l7pl1szvgv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a99f69c5-2ef2-49fc-a47c-7c33175d9921
Unpacked files
SH256 hash:
3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8
MD5 hash:
9ad804c7432ad16d21e0bd3a0a01bc92
SHA1 hash:
197cf72a0718e1f10fd447648c22a1ee5f3ad75c
Link:
https://www.unpac.me/results/6af4e2fd-4231-469c-86b5-af3637d98ce8/
SH256 hash:
ba62e7e89557bb426f1813b06a062db822e8d0141e93936d132b58fd4382af44
MD5 hash:
9c25fef6456290916a73792f1e2f8e54
SHA1 hash:
3bc346d1f860801cf5aaed37014a2efca9170791
Link:
https://www.unpac.me/results/6af4e2fd-4231-469c-86b5-af3637d98ce8/
SH256 hash:
f7b55edef63e49793f4bee5657464310562e2e5c9f4ad8d39764cc2bd4b8cbb1
MD5 hash:
666353f0798ebdf250512f14f7ce7a41
SHA1 hash:
8736db444e1c1a503b2f5346c6594b02584e5ddd
Link:
https://www.unpac.me/results/6af4e2fd-4231-469c-86b5-af3637d98ce8/
SH256 hash:
6370668debd684eec940972d5730516ded91e4d284a793bfce76c1fa9105d64e
MD5 hash:
05cb20e00eca33fcd5aadea965dec398
SHA1 hash:
dc3e40777b5783a53b604b97169e362d27ae20a8
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/6af4e2fd-4231-469c-86b5-af3637d98ce8/
SH256 hash:
fae3fe1a1c49b3df491ce0db82f943afa346ddd580e9f61eda913fcc1c5a5b82
MD5 hash:
c17512299a56fc64e23fa3e1b35699df
SHA1 hash:
a7faee9c891d2004594a4e76df9232ac6af96bb5
Link:
https://www.unpac.me/results/6af4e2fd-4231-469c-86b5-af3637d98ce8/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3189a2a8530b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar 50756b5cbf522662f76022571c154d9ae013b796482240b7f88ff874a7c4d5e1

Formbook

Executable exe 3189a2a8530b26f87a47c614fd895e197d7fd0fc0900ae8551b44114b277dec8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 50756b5cbf522662f76022571c154d9ae013b796482240b7f88ff874a7c4d5e1
Cape
Cape
https://www.capesandbox.com/analysis/29407/
  
Dropped by
MD5 867ecfbb8cb26a736348165181258b2e

Comments