MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 832be1b7d27a96922edd6ccb8bf771d2f7ff6dd2fb9a0e76663956c2ce820abc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 832be1b7d27a96922edd6ccb8bf771d2f7ff6dd2fb9a0e76663956c2ce820abc
SHA3-384 hash: 571ff0ba1454aca6295d20c1f1a39783c464b9508afd95387e8aaf19d805361e7547cfaf387d16e57460cef3ef6336bb
SHA1 hash: fb294a70a2138f7e970443df942f56987aec42d9
MD5 hash: 64468891cd7fc5736588761a3655f2b6
humanhash: gee-minnesota-pennsylvania-delaware
File name:Payment Confirmation copy.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:785'408 bytes
First seen:2025-07-09 07:44:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:qFAkO9AFtK1fzigsnFha8WGsGgSDAcw3gu0gtVoYtdN9bl13uMEEEisW0:xkQCtKDsFhap5CrLgkMb13zEvi10
Threatray 11 similar samples on MalwareBazaar
TLSH T15BF401337648F522CCA163754268D3B912B8AF889523C38349F9FDB77E55AE22DC45C2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon e4b4b4f2d8ece0e0 (7 x AgentTesla, 1 x DarkCloud, 1 x RedLineStealer)
Reporter lowmal3
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
31
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PaymentConfirmationcopy.exe
Verdict:
No threats detected
Analysis date:
2025-07-09 07:47:17 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/eecbf28a-34fb-4736-97b0-9b8cd8f507f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13644/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686e1dd9900df8e7f868e260
Tags:
shell msil sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/832be1b7d27a96922edd6ccb8bf771d2f7ff6dd2fb9a0e76663956c2ce820abc
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/22801c15-4f4b-4500-b897-5700b71f76a9
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1731613
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to capture screen (.Net source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1731613 Sample: Payment Confirmation copy.exe Startdate: 09/07/2025 Architecture: WINDOWS Score: 100 46 www.protocolvirtual.xyz 2->46 48 www.filehorse.online 2->48 50 6 other IPs or domains 2->50 58 Suricata IDS alerts for network traffic 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Yara detected FormBook 2->62 66 8 other signatures 2->66 10 Payment Confirmation copy.exe 4 2->10         started        14 svchost.exe 1 1 2->14         started        signatures3 64 Performs DNS queries to domains with low reputation 46->64 process4 dnsIp5 38 C:\...\Payment Confirmation copy.exe.log, ASCII 10->38 dropped 68 Adds a directory exclusion to Windows Defender 10->68 70 Injects a PE file into a foreign processes 10->70 17 Payment Confirmation copy.exe 10->17         started        20 powershell.exe 23 10->20         started        22 SIHClient.exe 6 10->22         started        24 Payment Confirmation copy.exe 10->24         started        52 127.0.0.1 unknown unknown 14->52 file6 signatures7 process8 signatures9 54 Maps a DLL or memory area into another process 17->54 26 gZEc0dKXbsAK.exe 17->26 injected 56 Loading BitLocker PowerShell Module 20->56 28 conhost.exe 20->28         started        process10 process11 30 takeown.exe 13 26->30         started        signatures12 72 Tries to steal Mail credentials (via file / registry access) 30->72 74 Tries to harvest and steal browser information (history, passwords, etc) 30->74 76 Modifies the context of a thread in another process (thread injection) 30->76 78 3 other signatures 30->78 33 UX28yxbc.exe 30->33 injected 36 firefox.exe 30->36         started        process13 dnsIp14 40 www.dul4dv.cfd 104.21.47.67, 49696, 49697, 49698 CLOUDFLARENETUS United States 33->40 42 www.filehorse.online 199.59.243.228, 49692, 49693, 49694 BODIS-NJUS United States 33->42 44 www.epilepsy.pro 13.248.169.48, 49691, 49700, 49701 AMAZON-02US United States 33->44
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/832be1b7d27a96922edd6ccb8bf771d2f7ff6dd2fb9a0e76663956c2ce820abc
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable PDB Path PE (Portable Executable) SOS: 0.02 Win 32 Exe x86
Link:
https://app.malva.re/file/64468891cd7fc5736588761a3655f2b6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/832be1b7d27a96922edd6ccb8bf771d2f7ff6dd2fb9a0e76663956c2ce820abc/
Verdict:
Malicious
Threat:
ByteCode-MSIL.Spyware.Negasteal
Link:
https://tip.neiki.dev/file/832be1b7d27a96922edd6ccb8bf771d2f7ff6dd2fb9a0e76663956c2ce820abc
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Suspicious
First seen:
2025-07-09 02:59:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qmv6dn6spkljelw5ntfyx53r2l3763os7ona45tghflmftucbk6a._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
Similar samples:
27cc7ce2c2328a5082ce11cc27fcc2240c48e013423269b12fca82d5797e4d1b
Formbook
5538bf66572560a066e4187d013e458a2af4323a7a5de87ff87968765e466ab4
Formbook
567ecfd55cb1b071e3584c93c411ed821377e9d5f446bbe7b70f8afed7a3dd42
Formbook
832be1b7d27a96922edd6ccb8bf771d2f7ff6dd2fb9a0e76663956c2ce820abc
Formbook
94163acffdebc6200200d28240e4c3e92302b32b68cf06e0beca98e42edf2bed
Formbook
ea2232c0ea11a5a8743e15a262576447424c3353bf882089f3c0bd8cb546a80b
Formbook
ebd2046bad994314fb7af77d32ddc47327100bd8b9607bc7567dfcf2bf701e32
Formbook
error
Formbook
+ 1 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250709-jk1dwsdq2t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c3a7e0c0-2f7d-4755-b751-c60ea57b6382
Unpacked files
SH256 hash:
6c2d57f95c299f1935f40d1a9da87a35e3686d6fae289f5f08aed07cd1003963
MD5 hash:
ed3c77b359e09ea8a8618e12e8c4f0ac
SHA1 hash:
3ee3419cbf2ad8d34577dfe1e11863d8d9b5869c
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/ddc5bdf1-c015-4167-beb0-10bee3a915bc/
Parent samples :
832be1b7d27a96922edd6ccb8bf771d2f7ff6dd2fb9a0e76663956c2ce820abc
99af7f40f9c9d858aa4ba32ab0f5253b72f0739daf57f6c8cd479d6a7fc45ecf
SH256 hash:
d64547e49ef03a183c78f573879100b316aba3703db5a034794f7ac7002b40c2
MD5 hash:
05274afa2f377ddc3345a828b73325ae
SHA1 hash:
952a6f5373390b2a0ced5f9c9c5168d1d2fe95ce
Link:
https://www.unpac.me/results/ddc5bdf1-c015-4167-beb0-10bee3a915bc/
SH256 hash:
e4e1fa76d3eb0bc1e1588b72a6073b07118f508601302c5be4cc6b575843b2b6
MD5 hash:
6533d4c0a1afcfb4e9eb5c576bff3388
SHA1 hash:
a127c9ee408c74043528e6b28e96c5043f103643
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/ddc5bdf1-c015-4167-beb0-10bee3a915bc/
SH256 hash:
5bc45471e42e7206baaafb17cca5c286d5f178976018ea909060709ea312e65e
MD5 hash:
ebeadfc84ce9cf835486a1f30944792e
SHA1 hash:
3b67492d5150f49652d1a6e55fb2d485e544c733
Link:
https://www.unpac.me/results/ddc5bdf1-c015-4167-beb0-10bee3a915bc/
SH256 hash:
832be1b7d27a96922edd6ccb8bf771d2f7ff6dd2fb9a0e76663956c2ce820abc
MD5 hash:
64468891cd7fc5736588761a3655f2b6
SHA1 hash:
fb294a70a2138f7e970443df942f56987aec42d9
Link:
https://www.unpac.me/results/ddc5bdf1-c015-4167-beb0-10bee3a915bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/832be1b7d27a96922edd6ccb8bf771d2f7ff6dd2fb9a0e76663956c2ce820abc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 832be1b7d27a96922edd6ccb8bf771d2f7ff6dd2fb9a0e76663956c2ce820abc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13644/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments