MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 852c82fb8e6721e6402d4f2d338747ba27046abd263039c37b9568149b3d00b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 852c82fb8e6721e6402d4f2d338747ba27046abd263039c37b9568149b3d00b3
SHA3-384 hash: 6ea8d4e5ac32f840fe59a3d8cf658e3367498730128b99ec1bdf1700b2e9bf2e437ee25e26ea6719353be25dac9c26bd
SHA1 hash: 0088e846166ada9d91ee6f708cbeb8f1d0c7f5b7
MD5 hash: 0ebe19e549781865af5659e40132094c
humanhash: zebra-fish-blue-may
File name:Pending Payments.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:722'944 bytes
First seen:2025-04-11 13:55:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:ZIiKV/9THVDLs+My2m4ey3VA/pWUcoaculi/NT31FJh/uc3Z:ZYps+aeIVAxWUcoaZi/R37u
Threatray 4'245 similar samples on MalwareBazaar
TLSH T1C1F402282269CA06D0944BF44E72C7F467786F8CA416D75BDFDAADDFB43A7480809363
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 0086968630706000 (3 x Formbook, 3 x AgentTesla, 3 x MassLogger)
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
481
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pending Payments.exe
Verdict:
Suspicious activity
Analysis date:
2025-04-11 13:57:31 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/992b18d7-d893-4e95-a11d-71fc48471f23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/1869/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f926dfd6e7c3effad00ef0
Tags:
micro spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/67f91f7b2d430c849e13ee1f/reports/beef1c47-2bf7-477d-beba-07ac33246223/overview
Verdict:
Malicious
Labled as:
Genie.8DN.Generic
Link:
https://www.hybrid-analysis.com/sample/852c82fb8e6721e6402d4f2d338747ba27046abd263039c37b9568149b3d00b3
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a6cb1ba3-0a73-45b7-b7f7-9420ad9e45a8
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1663239
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1663239 Sample: Pending Payments.exe Startdate: 11/04/2025 Architecture: WINDOWS Score: 100 58 www.vczuahand.xyz 2->58 60 www.irebel.xyz 2->60 62 16 other IPs or domains 2->62 74 Suricata IDS alerts for network traffic 2->74 76 Antivirus detection for URL or domain 2->76 78 Sigma detected: Scheduled temp file as task from temp location 2->78 82 9 other signatures 2->82 10 Pending Payments.exe 7 2->10         started        14 jzqRAjGN.exe 5 2->14         started        signatures3 80 Performs DNS queries to domains with low reputation 60->80 process4 file5 50 C:\Users\user\AppData\Roaming\jzqRAjGN.exe, PE32 10->50 dropped 52 C:\Users\...\jzqRAjGN.exe:Zone.Identifier, ASCII 10->52 dropped 54 C:\Users\user\AppData\Local\...\tmp1F33.tmp, XML 10->54 dropped 56 C:\Users\user\...\Pending Payments.exe.log, ASCII 10->56 dropped 88 Adds a directory exclusion to Windows Defender 10->88 16 Pending Payments.exe 10->16         started        19 powershell.exe 23 10->19         started        21 schtasks.exe 1 10->21         started        27 3 other processes 10->27 90 Multi AV Scanner detection for dropped file 14->90 23 jzqRAjGN.exe 14->23         started        25 schtasks.exe 1 14->25         started        signatures6 process7 signatures8 70 Maps a DLL or memory area into another process 16->70 29 n0DyRodu02YzZCU.exe 16->29 injected 72 Loading BitLocker PowerShell Module 19->72 31 WmiPrvSE.exe 19->31         started        33 conhost.exe 19->33         started        35 conhost.exe 21->35         started        37 n0DyRodu02YzZCU.exe 23->37 injected 41 conhost.exe 25->41         started        process9 dnsIp10 43 raserver.exe 13 29->43         started        64 www.ax777.top 160.124.31.74, 49720, 49721, 49722 POWERLINE-AS-APPOWERLINEDATACENTERHK South Africa 37->64 66 zohrablends.shop 162.0.232.14, 49704, 49705, 49706 NAMECHEAP-NETUS Canada 37->66 68 7 other IPs or domains 37->68 84 Maps a DLL or memory area into another process 37->84 86 Found direct / indirect Syscall (likely to bypass EDR) 37->86 46 raserver.exe 37->46         started        signatures11 process12 signatures13 92 Tries to steal Mail credentials (via file / registry access) 43->92 94 Tries to harvest and steal browser information (history, passwords, etc) 43->94 96 Modifies the context of a thread in another process (thread injection) 43->96 98 3 other signatures 43->98 48 firefox.exe 43->48         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/852c82fb8e6721e6402d4f2d338747ba27046abd263039c37b9568149b3d00b3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/852c82fb8e6721e6402d4f2d338747ba27046abd263039c37b9568149b3d00b3/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2025-04-11 09:04:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=quwif64om4q6mqbnj4wthb2hxitqi2v5eyydtq33svubjgz5aczq._file
Verdict:
malicious
Label(s):
captiveaaloader
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
761766237d7a8d58a5cdf2aa5ccace247b724d033d3196bc441c6a9c31717561
Formbook
7ac2afbdd0bdfed4481c49171a5c4e814a3ad878b8887fa2594a011620e49b3d
Formbook
99af728a80e56652b6622bc371fd9a6cc4702e2c5598918c42eee05681850d2b
Formbook
b8c36a5b681b071cc8c8a34fa1d1656b705dbe1f433706b386b78fd73ef6e884
Formbook
dbbf0fd1d25e6411faddab4b2f689dcffd04ce06642e1319f9d6fb00a2c343ca
Formbook
+ 4'235 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250411-q8rj8a1n17/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/618c07e8-5474-4d70-a819-c9d0f7d71f42
Unpacked files
SH256 hash:
852c82fb8e6721e6402d4f2d338747ba27046abd263039c37b9568149b3d00b3
MD5 hash:
0ebe19e549781865af5659e40132094c
SHA1 hash:
0088e846166ada9d91ee6f708cbeb8f1d0c7f5b7
Link:
https://www.unpac.me/results/bbd31609-1920-40d3-8d65-a5e98a7ccbdc/
SH256 hash:
bd0d1a9d9879bfa195b03fa462970b4f3015861233566782114138e2b4c667e3
MD5 hash:
03c1d3d442e6ebd1b25b142542385e0b
SHA1 hash:
2c126ce646440bc3b00c6137e06a0ce29e941ebf
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/bbd31609-1920-40d3-8d65-a5e98a7ccbdc/
SH256 hash:
fab74c4cae561d0518924707e4d166ca4040eb17cbedf92cb60f7ea90071743a
MD5 hash:
9ebde08a52c1ef2fcad61b0bcaec8509
SHA1 hash:
471a8316860b48e7c53327e79b0c513ce3e42cf3
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/bbd31609-1920-40d3-8d65-a5e98a7ccbdc/
Parent samples :
7d5a65180b375a682fce901b2152bd786ab3acba473f2f12e5c9d861f6ec3989
852c82fb8e6721e6402d4f2d338747ba27046abd263039c37b9568149b3d00b3
SH256 hash:
fc6a7b7434959c332e8b7317dee8a2a58afaec69cf9b082efc66b0147cd2d213
MD5 hash:
dc9eab82ccf334b0074a9cdec0674a37
SHA1 hash:
6e8b3478e7b5983f6902e6fd46a8a7bfbf3d1015
Link:
https://www.unpac.me/results/bbd31609-1920-40d3-8d65-a5e98a7ccbdc/
SH256 hash:
f146c7c1ae2e334bc8fe1d328551104cda52694680b930eef422f6e227762afe
MD5 hash:
ece3e1674973c51c9e19f1abfe4df076
SHA1 hash:
e8ace2521027642d5ff1d46473e360c9924d3e60
Detections:
win_formbook_g0
Create hunting rule
Link:
https://www.unpac.me/results/bbd31609-1920-40d3-8d65-a5e98a7ccbdc/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/852c82fb8e67/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/852c82fb8e6721e6402d4f2d338747ba27046abd263039c37b9568149b3d00b3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 852c82fb8e6721e6402d4f2d338747ba27046abd263039c37b9568149b3d00b3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/1869/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments