MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5adae07eaecfdb9e5bee71b119547079a8d685ae044d1cd3523bf074a2ccb473. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5adae07eaecfdb9e5bee71b119547079a8d685ae044d1cd3523bf074a2ccb473
SHA3-384 hash: 91e1620799d3823df6d93ca21d5035813abcb42165d9fe7d2fa5435d4c017d7cb40f5d49c01167d297b708e9cae56403
SHA1 hash: 778bcd9b2009eaa99f417e7b3abd704e668bff15
MD5 hash: fed805da5a927305df6b42819ca81939
humanhash: edward-delaware-stairway-fillet
File name:payment advise0006987.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:4'355'584 bytes
First seen:2025-08-24 22:26:39 UTC
Last seen:2025-09-01 12:41:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b7ffd79dc00c4d8ff5ead32b13c5aa69 (1 x Formbook)
ssdeep 49152:GUyUauw+Tm9CiHam9Or6r3bntyGl29qAg0PL05X8orDABtmPZ1la6OoQ2I21j1F6:BrrkLrVminLIwlf2K1Fc
Threatray 177 similar samples on MalwareBazaar
TLSH T13516BE18A3E901B4E437DA78CA66C333D6B178915735C14F0A98E61A2F339909F7FB25
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
3
# of downloads :
78
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
payment advise0006987.exe
Verdict:
No threats detected
Analysis date:
2025-08-24 22:28:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0e115b84-ca54-4711-b9e4-bca9def17330

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23301/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ab91de6eed937d746d8721
Tags:
emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context crypto fingerprint masquerade microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/68ab91df7137d684583a49b8/reports/d6c1718b-9bfa-481a-9a34-23969afff0bd/overview
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/5adae07eaecfdb9e5bee71b119547079a8d685ae044d1cd3523bf074a2ccb473
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-08-24T03:06:00Z UTC
Last seen:
2025-08-24T03:06:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/5adae07eaecfdb9e5bee71b119547079a8d685ae044d1cd3523bf074a2ccb473/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8fea30fb-f48a-4215-a157-f5871f43af30
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1764161
Signature
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1764161 Sample: payment advise0006987.exe Startdate: 25/08/2025 Architecture: WINDOWS Score: 100 31 www.br199805.xyz 2->31 33 www.zavico.life 2->33 35 18 other IPs or domains 2->35 43 Suricata IDS alerts for network traffic 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected FormBook 2->47 49 Initial sample is a PE file and has a suspicious name 2->49 11 payment advise0006987.exe 2->11         started        signatures3 51 Performs DNS queries to domains with low reputation 31->51 process4 signatures5 61 Writes to foreign memory regions 11->61 63 Allocates memory in foreign processes 11->63 65 Injects a PE file into a foreign processes 11->65 14 ngen.exe 11->14         started        process6 signatures7 67 Maps a DLL or memory area into another process 14->67 17 qpy0xVNVQ.exe 14->17 injected process8 process9 19 logman.exe 13 17->19         started        signatures10 53 Tries to steal Mail credentials (via file / registry access) 19->53 55 Tries to harvest and steal browser information (history, passwords, etc) 19->55 57 Modifies the context of a thread in another process (thread injection) 19->57 59 3 other signatures 19->59 22 vgZgJXV1Mfc79.exe 19->22 injected 25 chrome.exe 19->25         started        27 firefox.exe 19->27         started        process11 dnsIp12 37 livelens.click 15.197.225.128, 49722, 49768, 49769 TANDEMUS United States 22->37 39 www.ecolink.group 212.227.172.253, 49760, 49761, 49762 ONEANDONE-ASBrauerstrasse48DE Germany 22->39 41 9 other IPs or domains 22->41 29 WerFault.exe 4 25->29         started        process13
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5adae07eaecfdb9e5bee71b119547079a8d685ae044d1cd3523bf074a2ccb473
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/fed805da5a927305df6b42819ca81939
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5adae07eaecfdb9e5bee71b119547079a8d685ae044d1cd3523bf074a2ccb473/
Threat name:
Win64.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-08-24 06:54:57 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=llnoa7voz7nz4w7oogyrsvdqpgunnbnoargrzu2shpyhjiwmwrzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
199356a613dcda9b44fd3f71d86072d28a5fd48c18587447019b7b99d45973ef
Formbook
269cbeb0b3a06e007c94d265e43cd0ecaf8d7e5502eec85f2ec0679bf155dd74
Formbook
50c0d11e8f7153f1129643673ded00e74fe4cb9e929b0a97d9c5bcf983805e41
Formbook
586d073654d0ffed1e967ccc27f58168148857094039a110f43084177e4b083f
Formbook
5adae07eaecfdb9e5bee71b119547079a8d685ae044d1cd3523bf074a2ccb473
Formbook
87839de578611fa6fd31f537bf3107e7b7471ee271dc458372ba6efd962f4056
Formbook
ded67530b43d631ec743606859227570de9e18ce9d61a72b2641fdaff6dc78e6
Formbook
error
Formbook
f1072b6f2cef8a84384f1d3d5f64905640d41be85aa4966cbf6ada530be721ac
Formbook
fe2ffc367b1dc62198c5b5f8d4a6d6548b69e23d6e4fc1512e6670b559ef722c
Formbook
+ 167 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/250824-2ddwesyzdv/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/225f1e83-dcc5-442f-8c8b-31c3188bef2b
Unpacked files
SH256 hash:
5adae07eaecfdb9e5bee71b119547079a8d685ae044d1cd3523bf074a2ccb473
MD5 hash:
fed805da5a927305df6b42819ca81939
SHA1 hash:
778bcd9b2009eaa99f417e7b3abd704e668bff15
Link:
https://www.unpac.me/results/f20efa97-9eaf-4920-9378-79f1e362cd8e/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5adae07eaecf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5adae07eaecfdb9e5bee71b119547079a8d685ae044d1cd3523bf074a2ccb473

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 5adae07eaecfdb9e5bee71b119547079a8d685ae044d1cd3523bf074a2ccb473

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23301/

Comments