MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 f89d2115d740c13a648b73aa1cceec74d35c4e43628fe711dff231ad75894ccc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Formbook
Vendor detections: 18
| SHA256 hash: | f89d2115d740c13a648b73aa1cceec74d35c4e43628fe711dff231ad75894ccc |
|---|---|
| SHA3-384 hash: | 99433e955d9d1a93d85923e54435fb78f90b8469b0a92ecd98042378fd76a148b9e4a53c81eb870be9b244c3b0f22e19 |
| SHA1 hash: | 66e79cdfea873f3dbfee8e30c25b375b3387ea25 |
| MD5 hash: | cd904b893a3e154b82c362178e407309 |
| humanhash: | eleven-london-network-sodium |
| File name: | z43OrdendeCompra-PO00009769.exe |
| Download: | download sample |
| Signature | Formbook |
| File size: | 1'259'008 bytes |
| First seen: | 2025-10-30 14:00:09 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 1895460fffad9475fda0c84755ecfee1 (341 x Formbook, 89 x AgentTesla, 56 x a310Logger) |
| ssdeep | 24576:k5EmXFtKaL4/oFe5T9yyXYfP1ijXdaoT2fQA9ROr3tKMb3G8Hpu:kPVt/LZeJbInQRaoj0Qbt13G8 |
| Threatray | 1'971 similar samples on MalwareBazaar |
| TLSH | T11445BF0273D1C062FFAB92334F56F6115ABC7A260123A62F13981D79BE705B1563E7A3 |
| TrID | 40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3) |
| Magika | pebin |
| Reporter |  FXOLabs |
| Tags: | exe FormBook |
Intelligence
File Origin
# of uploads :
1
# of downloads :
137
Origin country :
BRVendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
z43OrdendeCompra-PO00009769.exe
Verdict:
No threats detected
Analysis date:
2025-10-30 14:07:57 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Detection(s):
Verdict:
Malicious
Score:
96.5%
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Сreating synchronization primitives
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug autoit compiled-script fingerprint installer-heuristic keylogger microsoft_visual_cc packed
Verdict:
Malicious
Labled as:
Trojan.BAT.Agent.gen
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-30T10:51:00Z UTC
Last seen:
2025-11-01T00:53:00Z UTC
Hits:
~100
Detections:
Trojan-Spy.Noon.HTTP.ServerRequest BSS:Trojan.Win32.Generic Trojan-Spy.Win32.Noon.sb Trojan.Win32.Strab.sb Trojan.Win64.Injects.hes Trojan.Win32.Zenpak.sb Trojan.Win32.Agent.sb Backdoor.Agent.HTTP.C&C Trojan-PSW.Win32.Stealer.sb Trojan.Win32.Inject.sb
Malware family:
Formbook
Verdict:
Malicious
Score:
100%
Verdict:
Malware
File Type:
PE
Verdict:
Malware
YARA:
7 match(es)
Tags:
AutoIt Decompiled Executable PDB Path PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86
Verdict:
Malicious
Threat:
Family.FORMBOOK
Threat name:
Win32.Trojan.Swotter
Status:
Malicious
First seen:
2025-10-30 13:52:46 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
19 of 24 (79.17%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
formbook
Similar samples:
+ 1'961 additional samples on MalwareBazaar
Result
Malware family:
formbook
Score:
10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Unpacked files
SH256 hash:
f89d2115d740c13a648b73aa1cceec74d35c4e43628fe711dff231ad75894ccc
MD5 hash:
cd904b893a3e154b82c362178e407309
SHA1 hash:
66e79cdfea873f3dbfee8e30c25b375b3387ea25
SH256 hash:
89caae3b3e9870832424fa03225ca0705b23bdf09d67a6e6a848817063cdd926
MD5 hash:
12f4c8aa33b614ee099000d8e7dff6a1
SHA1 hash:
784a154e5e5b3000b8506f626faae21d999c885e
SH256 hash:
1a70230a844599ed46e5e45127e3dda47e97cf6a6aa447bd06dc7a4ed7897d21
MD5 hash:
2c7a24768d0744e2795ee2cbce7c9eff
SHA1 hash:
ab6701d87f66fe4bf3961da7d4ad724990b3fed8
Detections:
win_formbook_g0
Malware family:
FormBook
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AutoIT_Compiled |
|---|---|
| Author: | @bartblaze |
| Description: | Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious. |
| Rule name: | CP_Script_Inject_Detector |
|---|---|
| Author: | DiegoAnalytics |
| Description: | Detects attempts to inject code into another process across PE, ELF, Mach-O binaries |
| Rule name: | DebuggerCheck__API |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__GlobalFlags |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerCheck__QueryInfo |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Active |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DebuggerHiding__Thread |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | DetectEncryptedVariants |
|---|---|
| Author: | Zinyth |
| Description: | Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded |
| Rule name: | dgaagas |
|---|---|
| Author: | Harshit |
| Description: | Uses certutil.exe to download a file named test.txt |
| Rule name: | golang_bin_JCorn_CSC846 |
|---|---|
| Author: | Justin Cornwell |
| Description: | CSC-846 Golang detection ruleset |
| Rule name: | maldoc_find_kernel32_base_method_1 |
|---|---|
| Author: | Didier Stevens (https://DidierStevens.com) |
| Rule name: | MD5_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for MD5 constants |
| Rule name: | pe_detect_tls_callbacks |
|---|
| Rule name: | pe_no_import_table |
|---|---|
| Description: | Detect pe file that no import table |
| Rule name: | RIPEMD160_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for RIPEMD-160 constants |
| Rule name: | SEH__vectored |
|---|---|
| Reference: | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara |
| Rule name: | SHA1_Constants |
|---|---|
| Author: | phoul (@phoul) |
| Description: | Look for SHA1 constants |
| Rule name: | shellcode |
|---|---|
| Author: | nex |
| Description: | Matched shellcode byte patterns |
| Rule name: | TH_Generic_MassHunt_Win_Malware_2025_CYFARE |
|---|---|
| Author: | CYFARE |
| Description: | Generic Windows malware mass-hunt rule - 2025 |
| Reference: | https://cyfare.net/ |
| Rule name: | TH_Win_ETW_Bypass_2025_CYFARE |
|---|---|
| Author: | CYFARE |
| Description: | Windows ETW Bypass Detection Rule - 2025 |
| Reference: | https://cyfare.net/ |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.