MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9df8e2bc11d551969955a0f2a146aff099851b46acc942e7dec0608bf8a39b65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9df8e2bc11d551969955a0f2a146aff099851b46acc942e7dec0608bf8a39b65
SHA3-384 hash: df3905d7da58b210019fdf08a394678ffde304d7ca14c82174edde62e31a844ad6e5d016a6fc7cbccd2ab79e24a0a06f
SHA1 hash: 927b5eaec6786e160bc1f55e52be53ed45053517
MD5 hash: 0413b542e0085c14944fb1940998d42d
humanhash: east-chicken-maine-friend
File name:PROFORMA_PDF_REVISED97475.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:190'599 bytes
First seen:2026-06-29 06:51:40 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:YuEKsQqeoqjqBSGFNa7i991il5Ee3Xbm5ctiLN9dDWNQJvOwVpbX3eSaowNtPs:Yu5hqgqT91ilqenectiLN9dDWytOYLX9
Threatray 2'931 similar samples on MalwareBazaar
TLSH T1F41413329796BE6D59CD03A092F6EDCB1709D1633BD3E9CEE02E9E810F56C85B1D2410
Magika vba
Reporter lowmal3
Tags:bat FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_9df8e2bc11d551969955a0f2a146aff099851b46acc942e7dec0608bf8a39b65.txt
Verdict:
Malicious activity
Analysis date:
2026-06-29 06:52:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7fb15447-f933-4fd9-bcdf-635cbf6a7bce

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72324/
Detection(s):
SecuriteInfo.com.BAT.Obfuscated.9.2752.30555.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a42162a86bc95245bfa6f17
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching cmd.exe command interpreter
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aes base64 base64 cmd crypto evasive lolbin obfuscated powershell zero-day
Link:
https://www.filescan.io/uploads/6a4216285205a9216def78d5/reports/05008188-ee6f-41aa-9680-618d6e124143/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9df8e2bc11d551969955a0f2a146aff099851b46acc942e7dec0608bf8a39b65
Verdict:
Malicious
File Type:
ps1
First seen:
2026-06-29T03:17:00Z UTC
Last seen:
2026-06-29T03:58:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.BAT.Agent.gen
Link:
https://opentip.kaspersky.com/9df8e2bc11d551969955a0f2a146aff099851b46acc942e7dec0608bf8a39b65/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1934756
Signature
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1934756 Sample: PROFORMA_PDF_REVISED97475.bat Startdate: 29/06/2026 Architecture: WINDOWS Score: 100 46 www.67859304.xyz 2->46 48 www.urbanxis.site 2->48 50 12 other IPs or domains 2->50 70 Malicious sample detected (through community Yara rule) 2->70 72 Yara detected FormBook 2->72 74 Yara detected Powershell decode and execute 2->74 78 7 other signatures 2->78 12 cmd.exe 1 2->12         started        15 svchost.exe 1 1 2->15         started        signatures3 76 Performs DNS queries to domains with low reputation 46->76 process4 dnsIp5 90 Bypasses PowerShell execution policy 12->90 92 Suspicious command line found 12->92 18 powershell.exe 15 18 12->18         started        23 conhost.exe 12->23         started        25 cmd.exe 1 12->25         started        60 127.0.0.1 unknown unknown 15->60 signatures6 process7 dnsIp8 52 anakort32ew.site 66.29.132.45, 443, 49688 NAMECHEAP-NET-NamecheapIncUS United States 18->52 44 C:\Users\user\AppData\Local\v9101\v8525.bat, ASCII 18->44 dropped 80 Creates an undocumented autostart registry key 18->80 82 Writes to foreign memory regions 18->82 84 Injects a PE file into a foreign processes 18->84 27 vbc.exe 18->27         started        file9 signatures10 process11 signatures12 86 Maps a DLL or memory area into another process 27->86 88 Unusual module load detection (module proxying) 27->88 30 e8YvBNyrQ.exe 27->30 injected process13 process14 32 dxdiag.exe 13 30->32         started        signatures15 62 Tries to steal Mail credentials (via file / registry access) 32->62 64 Tries to harvest and steal browser information (history, passwords, etc) 32->64 66 Modifies the context of a thread in another process (thread injection) 32->66 68 4 other signatures 32->68 35 MQEjCe0Wosgr.exe 32->35 injected 38 chrome.exe 32->38         started        40 firefox.exe 32->40         started        process16 dnsIp17 54 www.67859304.xyz 38.12.148.181, 49717, 49718, 49719 PEG-SV-PEGTECHINCUS United States 35->54 56 www.urbanxis.site 159.198.70.130, 49708, 49709, 49710 NAMECHEAP-NET-NamecheapIncUS United States 35->56 58 7 other IPs or domains 35->58 42 WerFault.exe 4 38->42         started        process18
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9df8e2bc11d551969955a0f2a146aff099851b46acc942e7dec0608bf8a39b65
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9df8e2bc11d551969955a0f2a146aff099851b46acc942e7dec0608bf8a39b65/
Verdict:
Malicious
Threat:
Trojan.BAT.Agent
Link:
https://tip.neiki.dev/file/9df8e2bc11d551969955a0f2a146aff099851b46acc942e7dec0608bf8a39b65
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tx4ofpar2vizngkvudzkcrvp6cmykg2gvteufz66ybqix6fdtnsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
09a6d54e4d535c003a27d3e3501f13cb6758fab0d17285ebe7928571e82538ea
Formbook
1db883f47e2ab7c67177d6958c296dcc72d9854e04e82154c534cb575c4225c8
Formbook
2882e8c9aba470c81dee9b361b5cbbf9a56819774682c68a5c78af90f1bd23e1
Formbook
331712785d2f4d9f0a25a558d3e8782652c6ec026d96c2fa67bbad0db15e941e
Formbook
39efe6ed5f42ff06649ac72463786972f377feee372ca5fa7c4fdaaf2c78ee9e
Formbook
3ae0a2cd16d28c901456b5ad1640c4dbb2005372742d552e1fbc076811ddccbf
Formbook
828a964a4eeb55c2cd7768db854e0c58f845e6f1e6d37e1e896f21e0d12938c4
Formbook
86226b8c291f202ae6d8ef819e46339998ad4a5c797e1901af64ad9f4c20e735
Formbook
add86e84bb76decd85081877dda2189383abf10ffe0d4f9567c41e983dff0f34
Formbook
d9460d9ceadf034753a211f6bdace5292d3d7db2e79969d19b366a5473efdad5
Formbook
error
Formbook
+ 2'921 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook adware collection discovery persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/260629-hm8ydahs2q/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Downloads MZ/PE file
Family: Formbook
Formbook payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9df8e2bc11d551969955a0f2a146aff099851b46acc942e7dec0608bf8a39b65

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Batch (bat) bat 9df8e2bc11d551969955a0f2a146aff099851b46acc942e7dec0608bf8a39b65

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72324/

Comments