MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 889709cbd7fadea06caaf9533dcfc8690ec229396771cd9e963268fcbdbec865. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13


SHA256 hash: 889709cbd7fadea06caaf9533dcfc8690ec229396771cd9e963268fcbdbec865
SHA3-384 hash: ac687662df0d2bca5230c1cd5cd8106b56b06ae83b78c9451017dc8b6990f69d381e15bec8fe3a54a4a69a3f1f33547b
SHA1 hash: 34516b21022b7f134700d10b88001ef0a59b0c59
MD5 hash: cbb94b5cfcbdf9334a15a0a15dc0b593
humanhash: missouri-enemy-network-north
File name: eeP4e8L80uxhJvL.exe
Signature: Formbook
File size: 973'824 bytes
First seen: 2025-07-02 07:53:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:XkJ+6BDBptdhbCiQdeC9opjxH2rFsvprnWzvJfRgIobjBlnLaHA8sb+g6pwfsr7e:gdeeC+WSvdWzvJ5gIox56A8Ogwo
TLSH: T1CE25E02937EC6B41E07A8BB955A4E13027F5394D642BE34D8EC228D73DB6B410B1B71B
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: lowmal3
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 1
# of downloads: 24
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
Score: 92.5%
Tags: stration spawn shell
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Searching for the window
  Creating a window
  Creating synchronization primitives
  Creating a process with a hidden window
  Creating a file in the %AppData% directory
  Enabling the 'hidden' option for recently created files
  Adding an access-denied ACE
  Creating a file in the %temp% directory
  Launching a process
  Unauthorized injection to a recently created process
  Restart of the analyzed sample
  Creating a file
  Adding an exclusion to Microsoft Defender
  Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed packed packer_detected vbnet
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  .NET source code contains potential unpacker
  Adds a directory exclusion to Windows Defender
  Injects a PE file into a foreign process
  Joe Sandbox ML detected suspicious sample
  Loading BitLocker PowerShell Module
  Maps a DLL or memory area into another process
  Modifies the context of a thread in another process (thread injection)
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Performs DNS queries to domains with low reputation
  Queues an APC in another process (thread injection)
  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
  Sigma detected: Scheduled temp file as task from temp location
  Suricata IDS alerts for network traffic
  Switches to a custom stack to bypass stack traces
  Tries to harvest and steal browser information (history, passwords, etc.)
  Tries to steal Mail credentials (via file / registry access)
  Uses schtasks.exe or at.exe to add and modify task schedules
  Yara detected AntiVM3
  Yara detected FormBook
Behaviour
Behavior Graph: [rendered graph not reproduced here] Behavior Graph ID: 1726987; Sample: eeP4e8L80uxhJvL.exe; Start date: 02/07/2025; Architecture: WINDOWS; Score: 100. The graph shows the process tree (the sample, the dropped copy VZjbAR.exe, powershell.exe, schtasks.exe, the injected processes SNyAqOMV.exe and EZXWi436nWAp.exe, and getmac.exe, firefox.exe, WmiPrvSE.exe and conhost.exe), the files dropped under %AppData% and %temp%, the triggered signatures, and the contacted domains and IP addresses.
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) Win 32 Exe x86

Result
Threat name: Win32.Trojan.Genie8DN
Status: Malicious
First seen: 2025-07-02 05:13:50 UTC
File Type: PE (.Net Exe)
Extracted files: 18
AV detection: 26 of 38 (68.42%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour:
  Scheduled Task/Job: Scheduled Task
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  System Location Discovery: System Language Discovery
  Suspicious use of SetThreadContext
  Checks computer location settings
  Command and Scripting Interpreter: PowerShell
Unpacked files

File 1:
  SHA256 hash: 889709cbd7fadea06caaf9533dcfc8690ec229396771cd9e963268fcbdbec865
  MD5 hash: cbb94b5cfcbdf9334a15a0a15dc0b593
  SHA1 hash: 34516b21022b7f134700d10b88001ef0a59b0c59

File 2:
  SHA256 hash: 21084e7d59fe3c16368145d23119670c85ce98ff234e52508861919f8e8c2d7c
  MD5 hash: 0316825c6b2dc185f76ac73f7298b7a0
  SHA1 hash: 5a0c7bafe313b9c165e529e3817435f596724073

File 3:
  SHA256 hash: 828458271e77be92fc6c9b0eb01938a6bedd4089bcb19d95d53550499c4ed96e
  MD5 hash: 104df31ff1a52720037394f61421695a
  SHA1 hash: 644f729ae6a44999a55c1ed3f9d4335e827c6259
  Detections: SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24, SUSP_OBF_NET_Reactor_Indicators_Jan24

File 4:
  SHA256 hash: d5c205d7e231d827caed40a5e9f06a16a9687a5c4e974eb209a4f7c49d1c2449
  MD5 hash: 78afb315cbfbfc9ead807239dc0a9e01
  SHA1 hash: f953d68a01a4e0c11f5e297d0c5d7823d9e001dc
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Formbook
Author: kevoreilly
Description: Formbook Payload

Rule name: meth_stackstrings
Author: Willi Ballenthin

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: pe_no_import_table
Description: Detect PE files that have no import table

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
Executable exe 889709cbd7fadea06caaf9533dcfc8690ec229396771cd9e963268fcbdbec865 (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                        | Title                                                  | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                   | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high