MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9460d9ceadf034753a211f6bdace5292d3d7db2e79969d19b366a5473efdad5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9460d9ceadf034753a211f6bdace5292d3d7db2e79969d19b366a5473efdad5
SHA3-384 hash: a4310ec51cfc69b6b710d02ceda7376449480476cd08a60fc568290bd8f0c25b354efec94935648bd96b32390dfe67d4
SHA1 hash: fdece86a7dcbae6c4d4aa3b66705899cc272fbcd
MD5 hash: c854e48d5a9812140bdab7e4fdc29c32
humanhash: magazine-snake-bluebird-ack
File name:ADCB_PAYMENT_COPY_PDF.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:189'013 bytes
First seen:2026-06-26 10:33:21 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:MP7yJG/5GA2WJyuLSvd4LvvI+iXWcAh7lL3xR49PwoezPZxbxpXMO:MF/QDW0vd4TvI+KWcAT3xYoBxxcO
Threatray 2'934 similar samples on MalwareBazaar
TLSH T123041234C2CAB12EC9D9931690ABE49E1E0BDCB62FABDE5D885D78905F441C5B0FB470
Magika txt
Reporter lowmal3
Tags:bat FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
_d9460d9ceadf034753a211f6bdace5292d3d7db2e79969d19b366a5473efdad5.txt
Verdict:
Malicious activity
Analysis date:
2026-06-26 10:36:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eb8af25e-42c5-4d25-9ccd-10a89ef0aae3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72043/
Detection(s):
SecuriteInfo.com.BAT.Obfuscated.9.24621.3729.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a3e557d1548daf709f9f487
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching cmd.exe command interpreter
Launching a process
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Enabling the 'hidden' option for recently created files
Enabling autorun
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aes base64 base64 cmd crypto evasive lolbin masquerade obfuscated powershell zero-day
Link:
https://www.filescan.io/uploads/6a3e5578ae9b391801246bbc/reports/80015059-f109-40a5-9592-32f321629648/overview
Verdict:
Suspicious
Labled as:
TrojanDownloader/PS.Maloader
Link:
https://www.hybrid-analysis.com/sample/d9460d9ceadf034753a211f6bdace5292d3d7db2e79969d19b366a5473efdad5
Verdict:
Malicious
File Type:
ps1
First seen:
2026-06-26T05:25:00Z UTC
Last seen:
2026-06-26T07:37:00Z UTC
Hits:
~100
Detections:
Trojan.MSIL.Agent.sb HEUR:Trojan.BAT.Agent.gen
Link:
https://opentip.kaspersky.com/d9460d9ceadf034753a211f6bdace5292d3d7db2e79969d19b366a5473efdad5/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1934148
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1934148 Sample: ADCB_PAYMENT_COPY_PDF.bat Startdate: 26/06/2026 Architecture: WINDOWS Score: 100 46 www.67859304.xyz 2->46 48 www.29870093.xyz 2->48 50 21 other IPs or domains 2->50 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 74 Yara detected FormBook 2->74 78 10 other signatures 2->78 12 cmd.exe 1 2->12         started        15 svchost.exe 1 1 2->15         started        signatures3 76 Performs DNS queries to domains with low reputation 48->76 process4 dnsIp5 88 Bypasses PowerShell execution policy 12->88 90 Suspicious command line found 12->90 18 powershell.exe 15 18 12->18         started        23 conhost.exe 12->23         started        25 cmd.exe 1 12->25         started        60 127.0.0.1 unknown unknown 15->60 signatures6 process7 dnsIp8 52 anakort32ew.site 66.29.132.45, 443, 49683 NAMECHEAP-NET-NamecheapIncUS United States 18->52 44 C:\Users\user\AppData\Local\v265\v4034.bat, ASCII 18->44 dropped 80 Creates an undocumented autostart registry key 18->80 82 Writes to foreign memory regions 18->82 84 Injects a PE file into a foreign processes 18->84 27 RegSvcs.exe 18->27         started        file9 signatures10 process11 signatures12 86 Maps a DLL or memory area into another process 27->86 30 dAa1amYaCG8ND.exe 27->30 injected process13 process14 32 dxdiag.exe 13 30->32         started        signatures15 62 Tries to steal Mail credentials (via file / registry access) 32->62 64 Tries to harvest and steal browser information (history, passwords, etc) 32->64 66 Modifies the context of a thread in another process (thread injection) 32->66 68 4 other signatures 32->68 35 jXa8ZOWoyIEX.exe 32->35 injected 38 chrome.exe 32->38         started        40 firefox.exe 32->40         started        process16 dnsIp17 54 www.67859304.xyz 38.12.148.181, 49715, 49716, 49717 PEG-SV-PEGTECHINCUS United States 35->54 56 29870093.xyz 209.159.151.58, 49739, 49740, 49741 IS-AS-1-InterserverIncUS United States 35->56 58 12 other IPs or domains 35->58 42 WerFault.exe 4 38->42         started        process18
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/d9460d9ceadf034753a211f6bdace5292d3d7db2e79969d19b366a5473efdad5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9460d9ceadf034753a211f6bdace5292d3d7db2e79969d19b366a5473efdad5/
Verdict:
Malicious
Threat:
Trojan.MSIL.Agent
Link:
https://tip.neiki.dev/file/d9460d9ceadf034753a211f6bdace5292d3d7db2e79969d19b366a5473efdad5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fda3hhk34buou5cch3l3lhffewt27ns46mwtum3gzvfi47p3lkq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
09a6d54e4d535c003a27d3e3501f13cb6758fab0d17285ebe7928571e82538ea
Formbook
1db883f47e2ab7c67177d6958c296dcc72d9854e04e82154c534cb575c4225c8
Formbook
2882e8c9aba470c81dee9b361b5cbbf9a56819774682c68a5c78af90f1bd23e1
Formbook
331712785d2f4d9f0a25a558d3e8782652c6ec026d96c2fa67bbad0db15e941e
Formbook
39efe6ed5f42ff06649ac72463786972f377feee372ca5fa7c4fdaaf2c78ee9e
Formbook
3ae0a2cd16d28c901456b5ad1640c4dbb2005372742d552e1fbc076811ddccbf
Formbook
60cda0957c7f3d24ef21a92a6f1bd57f791726b8f2e39ab732066bc99f565f4e
Formbook
828a964a4eeb55c2cd7768db854e0c58f845e6f1e6d37e1e896f21e0d12938c4
Formbook
86226b8c291f202ae6d8ef819e46339998ad4a5c797e1901af64ad9f4c20e735
Formbook
add86e84bb76decd85081877dda2189383abf10ffe0d4f9567c41e983dff0f34
Formbook
error
Formbook
+ 2'924 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook adware collection discovery persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/260626-mlrd6abt6p/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Downloads MZ/PE file
Family: Formbook
Formbook payload
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/d9460d9ceadf034753a211f6bdace5292d3d7db2e79969d19b366a5473efdad5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WIN_FileFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects FileFix social engineering technique that launches chained PowerShell and PHP commands from file explorer typed paths
Reference:FileFix social engineering with PowerShell and PHP commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Batch (bat) bat d9460d9ceadf034753a211f6bdace5292d3d7db2e79969d19b366a5473efdad5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72043/

Comments