MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 402bcd858e3bd3174fd8f5dd10538c5566dd83f083f81727d0d0162ead86d133. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments

SHA256 hash:	402bcd858e3bd3174fd8f5dd10538c5566dd83f083f81727d0d0162ead86d133
SHA3-384 hash:	cfe3c04b9caae4cd833afa5b3958152eb1058652b4ee05f1abc1cce52d5cf70b19cfe9f8da45b55b376f27a9d2ac5dac
SHA1 hash:	48707b1abb042ef13111eb404ea361f192fcc07a
MD5 hash:	8097f8655e3e3a5d2009f7f53c86c81e
humanhash:	gee-charlie-march-washington
File name:	PAYMENT COPY.bat.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	508'866 bytes
First seen:	2025-10-16 13:23:12 UTC
Last seen:	2025-10-16 17:49:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e2a592076b17ef8bfb48b7e03965a3fc (398 x GuLoader, 59 x RemcosRAT, 45 x AgentTesla)
ssdeep	6144:OspNjlsi0ZvYSMRMuVlbIRvxdG2PUx7ca+9S5EmOkeR7R3GMbJ7fWYircDz+OYht:Ocux3y7Y1kej3GMbrDKOYhdrHb
Threatray	2'133 similar samples on MalwareBazaar
TLSH	T144B402413628D557EC644532B9A780EB7BB0AC698FA46556324AFF3F88B5322C50F32D
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PAYMENT COPY.bat.exe

Verdict:

Suspicious activity

Analysis date:

2025-10-16 13:23:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b143efd3-b3e7-4fa1-be76-9c088584e6d2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/33088/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68f0f1e272d478f90598545d

Tags:

shellcode injection

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% directory

Creating a file

Delayed reading of the file

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug blackhole installer masquerade microsoft_visual_cc nsis overlay

Link:

https://www.filescan.io/uploads/68f0f1dd057c46a471cf6e34/reports/4658a78e-c61c-41f9-94cc-2918e43330c6/overview

Verdict:

Malicious

Labled as:

HEUR/AGEN.1381065

Link:

https://www.hybrid-analysis.com/sample/402bcd858e3bd3174fd8f5dd10538c5566dd83f083f81727d0d0162ead86d133

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-16T07:48:00Z UTC

Last seen:

2025-10-18T11:42:00Z UTC

Hits:

~1000

Detections:

Packed.NSIS.Krynis.sb Trojan.Win32.GuLoader.sb Trojan.NSIS.Pakes.Krynis.sb HEUR:Trojan-Downloader.Win32.Minix.gen Trojan-Downloader.Win32.Minix.sb Trojan.NSIS.Makoob.sba

Link:

https://opentip.kaspersky.com/402bcd858e3bd3174fd8f5dd10538c5566dd83f083f81727d0d0162ead86d133/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/67891d4d-53ce-41b5-b478-c03a00e9375b

Score:

91%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/402bcd858e3bd3174fd8f5dd10538c5566dd83f083f81727d0d0162ead86d133

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/8097f8655e3e3a5d2009f7f53c86c81e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/402bcd858e3bd3174fd8f5dd10538c5566dd83f083f81727d0d0162ead86d133/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/402bcd858e3bd3174fd8f5dd10538c5566dd83f083f81727d0d0162ead86d133

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-10-16 10:29:20 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iav43bmohpjrot6y6xorau4mkvtn3a7qqp4boj6q2alc5lmg2ezq._file

Verdict:

malicious

Label(s):

cloudeye

formbook

Formbook

44eb0ca230176e7653e8287dac64b16e4cfde7088635498e52d802d8a3dcb7e9

Formbook

53e3d40438281dbf5e1134d15416f086775173aa7cbdfaa7b85465bf8480cddc

Formbook

6b99c4f6b8babd1543ea649610670d97754414f0ca42564205aa4b08ce8471b4

Formbook

c55443835b9da7ef3fd8e804969c806713c352c5fbdbe8e673e348f9588e7189

Formbook

e1115ce415d73e1edbb8b00b0fef88fdaeb8ebc9d99836752e80531a5c2c833c

Formbook

e6c12bf46df451aaf3f5f02a2e7e2d523660a3ff6b7a60811f769de055ccb1a6

Formbook

error

Formbook

+ 2'123 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/251016-qm315afy9f/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Formbook payload

Formbook

Formbook family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c02fa74c-04a6-4303-bdd9-98c26e5ab8dd

Unpacked files

SH256 hash:

402bcd858e3bd3174fd8f5dd10538c5566dd83f083f81727d0d0162ead86d133

MD5 hash:

8097f8655e3e3a5d2009f7f53c86c81e

SHA1 hash:

48707b1abb042ef13111eb404ea361f192fcc07a

Link:

https://www.unpac.me/results/01a8e3f4-cc0a-413b-8fc3-99d10a61c8f1/

SH256 hash:

bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

MD5 hash:

17ed1c86bd67e78ade4712be48a7d2bd

SHA1 hash:

1cc9fe86d6d6030b4dae45ecddce5907991c01a0

Link:

https://www.unpac.me/results/01a8e3f4-cc0a-413b-8fc3-99d10a61c8f1/

Malware family:

GuLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/402bcd858e3b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/402bcd858e3bd3174fd8f5dd10538c5566dd83f083f81727d0d0162ead86d133

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/33088/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample