MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 19


Intelligence 19 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4
SHA3-384 hash: c6ac18cddabdf2bcb2039ca2b96002727707ae75daeabbd6c3cb30b7deec58aae4c3f99773952299235e7a19e0a0d731
SHA1 hash: d6431bda1155a0c0052957f135bc8440d8dc742e
MD5 hash: 6c455f788f7ca9c2f6dd3ab51c6a281d
humanhash: oranges-avocado-solar-apart
File name:PAYMENT INFORMATION.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:664'064 bytes
First seen:2025-12-20 03:44:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:1N/wsdj51WYH8onN/DW2wg5aJVQGvwRAw+HnPNnRhaoJ12R76+onexgV:/3F1Go1/5aJ+GvwRRePNnRhaoJ12R76j
TLSH T1D9E412E06E25AB06CD752BB45821CD70A3710E687015FAD7DDEE6F8777E8620DA08F42
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/592d8f65-92e8-4cd4-b965-92da4f409526/
Malware family:
n/a
ID:
1
File name:
_89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4.exe
Verdict:
No threats detected
Analysis date:
2025-12-20 03:45:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/df7ababf-bf56-4693-90ac-023916048582

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/45556/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69461bc656a871e6bb7f1377
Tags:
shell micro
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
krypt masquerade packed vbnet
Link:
https://www.filescan.io/uploads/69461bd384afa5547b5aeb9a/reports/ae506cf3-d1c6-4a27-b5c8-6534fcefd087/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-12-20T00:14:00Z UTC
Last seen:
2025-12-22T01:35:00Z UTC
Hits:
~10000
Detections:
Trojan.Win32.Agent.sb Trojan-Spy.Noon.HTTP.ServerRequest Trojan-PSW.Win32.Stealer.sb HEUR:Trojan.MSIL.Taskun.gen Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C
Link:
https://opentip.kaspersky.com/89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35f25330-c841-43a0-a5b0-d6ef6c911401
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1836619
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1836619 Sample: PAYMENT INFORMATION.exe Startdate: 20/12/2025 Architecture: WINDOWS Score: 100 38 www.torila.life 2->38 40 www.petirjitu88.com 2->40 42 13 other IPs or domains 2->42 50 Suricata IDS alerts for network traffic 2->50 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 8 other signatures 2->56 11 PAYMENT INFORMATION.exe 4 2->11         started        signatures3 process4 file5 36 C:\Users\user\...\PAYMENT INFORMATION.exe.log, ASCII 11->36 dropped 66 Adds a directory exclusion to Windows Defender 11->66 68 Injects a PE file into a foreign processes 11->68 15 PAYMENT INFORMATION.exe 11->15         started        18 powershell.exe 23 11->18         started        signatures6 process7 signatures8 70 Maps a DLL or memory area into another process 15->70 20 RldUl2gbXWo.exe 15->20 injected 72 Loading BitLocker PowerShell Module 18->72 22 conhost.exe 18->22         started        process9 process10 24 msra.exe 13 20->24         started        signatures11 58 Tries to steal Mail credentials (via file / registry access) 24->58 60 Tries to harvest and steal browser information (history, passwords, etc) 24->60 62 Modifies the context of a thread in another process (thread injection) 24->62 64 4 other signatures 24->64 27 qxgZr0Jtfh.exe 24->27 injected 30 chrome.exe 24->30         started        32 firefox.exe 24->32         started        process12 dnsIp13 44 designbynord.com 81.169.145.92, 49738, 49739, 49740 STRATOSTRATOAGDE Germany 27->44 46 cdqvc.com 178.63.45.142, 49724, 80 HETZNER-ASDE Germany 27->46 48 9 other IPs or domains 27->48 34 WerFault.exe 4 30->34         started        process14
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.30 Win 32 Exe x86
Link:
https://app.malva.re/file/6c455f788f7ca9c2f6dd3ab51c6a281d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4/
Verdict:
Malicious
Threat:
Family.Formbook
Link:
https://tip.neiki.dev/file/89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2025-12-20 03:28:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rhbdf4gaidsuv2kwrbysmlvn5qywj33mzuifff4sy64ut6mlex2a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251223-ntyzmswkcz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/92faca85-b4ff-4971-ae1f-744faee1ab18
Unpacked files
SH256 hash:
89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4
MD5 hash:
6c455f788f7ca9c2f6dd3ab51c6a281d
SHA1 hash:
d6431bda1155a0c0052957f135bc8440d8dc742e
Link:
https://www.unpac.me/results/40a05eed-5f0e-4865-8fa6-f53253d423fc/
SH256 hash:
a24ebc50c6ad99ae2efad2c0c05d4ae3657e21401334e68af512f6baf150c985
MD5 hash:
37af996ebdb1726cf6783e66580626a9
SHA1 hash:
08d3381f5d19b4730915eb616c468e804eb81a6c
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/40a05eed-5f0e-4865-8fa6-f53253d423fc/
Parent samples :
7da365ee6fe68f361e5c9186af3ff4a91901f409ea28dd72e20d192e6f7880ab
1ffdf7d60a9ea155e01520d12ebfadbdca8b62d99ff925245c184499b34a75f5
957ab5ff285cb072d03de9cb8438820bde79ce9dfb59400a5b98dd45f6baa50e
1e0df0b7ddd6821d54ecf37db6a67d267387bf56751a8dfc036896b266c2d1bd
89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4
ac9650718cb2712fb1a511c349fc2e5fb85092329d33c15f4d63fef310151aff
SH256 hash:
b040cfc28e886ad7d5f9ff2c4e8e1094475d9ab7195f8381c77c308fcdd07661
MD5 hash:
818b1035a8f0ffd34b8bb53f1215fc49
SHA1 hash:
59db735f1551beb33f7fcb62a224d67eba280490
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/40a05eed-5f0e-4865-8fa6-f53253d423fc/
SH256 hash:
9bd7b6f993657893e3d06eac033339afac6dda77e451f72e114f4ec19fb6b157
MD5 hash:
741fa4302597a591467265f02ded885b
SHA1 hash:
d3bb3f1a0f1172fbc23df1e60c9739d6927f5700
Link:
https://www.unpac.me/results/40a05eed-5f0e-4865-8fa6-f53253d423fc/
SH256 hash:
0cb5b7ff8e8c0f5237ba70ab51aaa0fb9f33e437fc6a5e9878af1192da450c37
MD5 hash:
c116ec5c7688d16265572bd9b21bc401
SHA1 hash:
a9b6764c5d13402b383fc47d82937f7ca4d84eeb
Link:
https://www.unpac.me/results/40a05eed-5f0e-4865-8fa6-f53253d423fc/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/89c232f0c040/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 89c232f0c040e54ae9568871262eadec3164ef6ccd10529792c7b949f98b25f4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45556/

Comments