MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69ae2e849e4b148f879630ae9e3a4f991602cc6a658dd732dd775c31839d69ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 20


SHA256 hash: 69ae2e849e4b148f879630ae9e3a4f991602cc6a658dd732dd775c31839d69ce
SHA3-384 hash: 066162b294a3b4ebc09e852d363211ea66b8e2c3713c612d8e14e966dd5c6c5d26357ccd4a6be26cf1eeac19c089d5d9
SHA1 hash: e9bfe829a38f26c816eba6e14ca702b990330341
MD5 hash: 6b209e632b47889d69d497aa866f3b05
humanhash: cat-yellow-salami-low
File name: rComprovantedep.exe
Signature: Formbook
File size: 664'576 bytes
First seen: 2025-10-20 16:00:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:3TIt1RF3rkyPLlBnCbBv9XdWMZgZbMCYoV3nQobVT72k/:3TIXRF3gGBAOcA5FVXQobx7R
TLSH: T194E4125EFAADBE22C78D473BC513451541F6C512E662F367109E1CE10E38A84C68BEAF
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: FXOLabs
Tags: exe FormBook

Intelligence

File Origin
# of uploads: 1
# of downloads: 121
Origin country: BR

Vendor Threat Intelligence

Malware family: formbook
ID: 1
File name: rComprovantedep.exe
Verdict: Malicious activity
Analysis date: 2025-10-20 16:06:59 UTC
Tags: formbook stealer xloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 91.7%
Tags: spawn shell

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching a process
Creating synchronization primitives
Launching cmd.exe command interpreter
Setting browser functions hooks
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Unauthorized injection to a browser process
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: base64 config-extracted formbook formbook lolbin msbuild obfuscated obfuscated packed reconnaissance regsvcs rezer0 roboski schtasks vbc vbnet windows zero

Verdict: Malicious
File Type: exe x32
First seen: 2025-10-20T12:51:00Z UTC
Last seen: 2025-10-22T12:01:00Z UTC
Hits: ~1000
Detections: Backdoor.Win32.Blakken.sb VHO:Backdoor.Win32.Convagent.gen Trojan.Win32.SpeedBit.sb Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic HEUR:Trojan.MSIL.Taskun.gen Trojan-Spy.Win32.Noon.sb Trojan-Dropper.Win32.Injector.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Agent.sb

Verdict: inconclusive
YARA: 10 match(es)
Tags: .Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.41 Win 32 Exe x86

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-10-20 16:17:28 UTC
AV detection: 19 of 38 (50.00%)
Threat level: 5/5

Verdict: malicious
Label(s): unc_loader_037 formbook
Similar samples:

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:gw28 discovery execution rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Unpacked files
SHA256 hash: 69ae2e849e4b148f879630ae9e3a4f991602cc6a658dd732dd775c31839d69ce
MD5 hash: 6b209e632b47889d69d497aa866f3b05
SHA1 hash: e9bfe829a38f26c816eba6e14ca702b990330341

SHA256 hash: 32e80f7936f2612db33ae3cb6b665b14c6f6da651f6f88af9ba10ed2166c21cb
MD5 hash: efa03d559c61e68a041d83a95aac0b20
SHA1 hash: 101a6a36eee8cc86ce7f18150e1e7e2f37a9d3d8

SHA256 hash: 82c8931aa23bcfc83d1911d1eef1b6ebae49e547ffcf6795d3228daad2ede550
MD5 hash: 93f56bd9857c235e4a63222c93f94cd7
SHA1 hash: c1d1ccf6bcb4d07e98a1b04dfd2be6105294a8b9
Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24 SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 17cf2e3249632d80d852b1f2074abe276836fa6de237e6c44d7eb9b84505e237
MD5 hash: 03fb4ee4e3a854a15e5527b726becca4
SHA1 hash: 15c9f0a3a2f4a1bb231c1ccebccc57fba95752ac
Detections: win_formbook_w0 win_formbook_g0 win_formbook_auto FormBook Windows_Trojan_Formbook Formbook

Parent samples:
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 69ae2e849e4b148f879630ae9e3a4f991602cc6a658dd732dd775c31839d69ce (this sample)
Delivery method: Distributed via e-mail attachment
