MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89298940d17702803fc97b47258c639f223ddebd6368a0d946647cb79acacc2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89298940d17702803fc97b47258c639f223ddebd6368a0d946647cb79acacc2e
SHA3-384 hash: 598c240bb59baf8eaf42fc2324b0e08cd1201661b2254058a644e6f30eb4e8fd40a7ff6b0c807c4df1593aa5171a6e51
SHA1 hash: ce39a875cd8267c89bce7f41c6facab20f2ea71e
MD5 hash: fd5bbe79f76f12da9f45fc909588e849
humanhash: fourteen-november-autumn-hawaii
File name:89298940d17702803fc97b47258c639f223ddebd6368a0d946647cb79acacc2e
Download: download sample
Signature Formbook
Create hunting rule
File size:1'215'488 bytes
First seen:2025-08-12 13:54:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:+tb20pkaCqT5TBWgNQ7aIG5I6+lM9vExJRqKB1vcalsOnx6A:rVg5tQ7aId6+OdExjNWalsM5
Threatray 2'697 similar samples on MalwareBazaar
TLSH T1A245C01373DE8361C3B25273BA25B701AEBB7C2506A5F56B2FD4093DE920122525EB73
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
35
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
89298940d17702803fc97b47258c639f223ddebd6368a0d946647cb79acacc2e.exe
Verdict:
Malicious activity
Analysis date:
2025-08-12 14:14:58 UTC
Tags:
peristeronic autoit
Link:
https://app.any.run/tasks/c05cdffc-3162-42c1-8b56-0f2329e20d6a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/20420/
Detection(s):
SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689b4877c633abe3908e4a43
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Sending a custom TCP request
Сreating synchronization primitives
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit cmdkey compiled-script fingerprint fingerprint keylogger lolbin microsoft_visual_cc netsh packed pcalua squirrel threat wmic
Link:
https://www.filescan.io/uploads/689b4c07397fd3ce6fa62fa5/reports/8a04eda8-b77b-404d-a063-290d110608b9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/89298940d17702803fc97b47258c639f223ddebd6368a0d946647cb79acacc2e
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/21976504-1c33-495d-945b-914b30696923
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/89298940d17702803fc97b47258c639f223ddebd6368a0d946647cb79acacc2e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89298940d17702803fc97b47258c639f223ddebd6368a0d946647cb79acacc2e/
Verdict:
Malicious
Threat:
Trojan.Win32.Strab
Link:
https://tip.neiki.dev/file/89298940d17702803fc97b47258c639f223ddebd6368a0d946647cb79acacc2e
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2025-07-17 23:45:31 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
31 of 38 (81.58%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=reuysqgro4biap6jpndsldddt4rd3xv5mnukbwkgmr6lpgwkzqxa._file
Verdict:
malicious
Label(s):
autoit
Create hunting rule
formbook
Create hunting rule
Similar samples:
170c2b10322d1b2bbd5403091730544828633e2bdf59af1134b1ae1898a8d90c
Formbook
17269b07f8f2f16e1d2139282f27e99834c34ed76548851a229bbe59832cb552
Formbook
6a11ab33aa16d2d8ba08cb3c6edb5e0613c1d459287261ecd907f9359068cbc8
Formbook
6ae6baa3e8a078bd4ac1d387d45c3a069caa19b284fd55f22de95cbc47f44221
Formbook
7b210d6640552d12998eee72494c9560f1d626c9918c6abcbe9ec0c441c2bd0b
Formbook
89298940d17702803fc97b47258c639f223ddebd6368a0d946647cb79acacc2e
Formbook
b68daaa63d6f2935b3d341b2f665868ea568d2cfdce59d9440a830c34bd5e6fb
Formbook
d8df74d6c66f0944491fab35e1682daa4061e4e51c19ffef86b434759961b990
Formbook
dadcc1aee3024cc0d05a344b128071fe566a63837ec3f2a4c24bc184c2c0c462
Formbook
error
Formbook
+ 2'687 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250812-rhe9ya11ds/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8e15fa53-c126-4d99-ba54-85cd88a472c2
Unpacked files
SH256 hash:
89298940d17702803fc97b47258c639f223ddebd6368a0d946647cb79acacc2e
MD5 hash:
fd5bbe79f76f12da9f45fc909588e849
SHA1 hash:
ce39a875cd8267c89bce7f41c6facab20f2ea71e
Link:
https://www.unpac.me/results/689aeb8a-ef74-4f27-840b-4d35de2a536e/
SH256 hash:
190a6459f87dfec83f3e54fcca413c4856a8edeb112be6af082b8bf1dbcc56c8
MD5 hash:
2464dc2982c73b16d4304672f327f7e8
SHA1 hash:
2c2112d9a916a58ed9b2d4bf11ef824deefb4de7
Link:
https://www.unpac.me/results/689aeb8a-ef74-4f27-840b-4d35de2a536e/
SH256 hash:
1179cfb8966dc850edffa8072c766d602dc7256664058bcfdb3eecf4e20f9522
MD5 hash:
c893e82a74c9824486c1adb51586aefb
SHA1 hash:
8654a2a41d7821099689a28ea0c01546d26f0dab
Link:
https://www.unpac.me/results/689aeb8a-ef74-4f27-840b-4d35de2a536e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89298940d17702803fc97b47258c639f223ddebd6368a0d946647cb79acacc2e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/20420/

Comments