MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863
SHA3-384 hash: df7628d3e01c2ef43ae332d7f70f5890cabd14a08d15b434bbe659c51859a30cc49974c8823bb03099fe41772137ed46
SHA1 hash: d8da6be8943c030ea5fadd42dd12ffb2d4463eb4
MD5 hash: be11fc4c470483bff5394b377067f278
humanhash: march-mobile-failed-artist
File name:jZstjbQAbz089D3.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:583'680 bytes
First seen:2025-10-09 09:02:45 UTC
Last seen:2025-11-06 10:09:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:UGbFK4WEC7Zp5V1aYyVx7uLCW5yq7+FykUpXmM/dPD7pT4A78g4aJ:UGbFK4w1V1aYyV4CWhxpTPxTHfJ
Threatray 3'248 similar samples on MalwareBazaar
TLSH T178C4124526EECE07D4AB2BB01D71C17053B5DE9AE922D90A8FD62CDB75BBB904E40703
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10522/11/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter cocaman
Tags:exe FormBook Shipping

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
jZstjbQAbz089D3.exe
Verdict:
Malicious activity
Analysis date:
2025-10-09 09:03:46 UTC
Tags:
formbook stealer xloader
Link:
https://app.any.run/tasks/548318ce-7f5d-4d43-a654-673026cfd7dc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31240/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e77a707f305fa2545de1d1
Tags:
spawn shell micro
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process with a hidden window
Launching a process
Creating a file
Launching cmd.exe command interpreter
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68e77a6a5a3bccf09ebedd20/reports/38d365cb-de37-4ce9-a0e3-65dbaa6ef218/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-08T12:21:00Z UTC
Last seen:
2025-10-11T04:07:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb PDM:Trojan.Win32.Generic Trojan.Win32.SpeedBit.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb Backdoor.Win32.Blakken.sb VHO:Backdoor.Win32.Convagent.gen HEUR:Trojan-Spy.MSIL.Noon.gen Trojan-Spy.Win32.Noon.sb Trojan-Dropper.Win32.Injector.sb
Link:
https://opentip.kaspersky.com/26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7e7a9909-84c8-405d-938e-f156bc519869
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1791989
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1791989 Sample: jZstjbQAbz089D3.exe Startdate: 09/10/2025 Architecture: WINDOWS Score: 100 40 www.ytyjiehuon.pro 2->40 42 www.udiec.net 2->42 44 14 other IPs or domains 2->44 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 8 other signatures 2->68 11 jZstjbQAbz089D3.exe 4 2->11         started        15 svchost.exe 1 1 2->15         started        signatures3 process4 dnsIp5 38 C:\Users\user\...\jZstjbQAbz089D3.exe.log, ASCII 11->38 dropped 72 Writes to foreign memory regions 11->72 74 Allocates memory in foreign processes 11->74 76 Adds a directory exclusion to Windows Defender 11->76 78 Injects a PE file into a foreign processes 11->78 18 MSBuild.exe 11->18         started        21 powershell.exe 23 11->21         started        50 127.0.0.1 unknown unknown 15->50 file6 signatures7 process8 signatures9 52 Modifies the context of a thread in another process (thread injection) 18->52 54 Maps a DLL or memory area into another process 18->54 56 Sample uses process hollowing technique 18->56 60 3 other signatures 18->60 23 explorer.exe 72 1 18->23 injected 58 Loading BitLocker PowerShell Module 21->58 27 WmiPrvSE.exe 21->27         started        29 conhost.exe 21->29         started        process10 dnsIp11 46 parkingpage.namecheap.com 91.195.240.19, 49702, 80 SEDO-ASDE Germany 23->46 48 204.79.197.203, 443 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->48 70 System process connects to network (likely due to code injection or exploit) 23->70 31 help.exe 23->31         started        signatures12 process13 signatures14 80 Modifies the context of a thread in another process (thread injection) 31->80 82 Maps a DLL or memory area into another process 31->82 84 Tries to detect virtualization through RDTSC time measurements 31->84 86 Switches to a custom stack to bypass stack traces 31->86 34 cmd.exe 1 31->34         started        process15 process16 36 conhost.exe 34->36         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.43 Win 32 Exe x86
Link:
https://app.malva.re/file/be11fc4c470483bff5394b377067f278
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863
Threat name:
ByteCode-MSIL.Trojan.XWorm
Create hunting rule
Status:
Malicious
First seen:
2025-10-08 17:39:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e3nkudiinrhpf6g2ffyp7s42lj7xva6z3equ7knyjaafrzk4pbrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
06fde543ff6fd284c390329229bbb6ffae4de88fe0c6f4423c7ad5f975e0c2d1
Formbook
4123bedccc18eee83aa4c7d8e1b64191ddde5fc234bd3c1cbd7f998571e47112
Formbook
90ea1c4f055151523a1960b3d36778489ecd187ffb79d843012eafefdeaa3285
Formbook
9f553bbfad12d1079c4b0935c57410a0149b02bd6669d34431ab9fb1668da820
Formbook
af0479c951a33eabf8ffe589a8494781e8e071599a916da305bd1852b58f1a5c
Formbook
+ 3'238 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:hi23 discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251009-k1bwxawmy8/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d59d6233-ef8a-40a1-a27d-fcc6175242bd
Unpacked files
SH256 hash:
26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863
MD5 hash:
be11fc4c470483bff5394b377067f278
SHA1 hash:
d8da6be8943c030ea5fadd42dd12ffb2d4463eb4
Link:
https://www.unpac.me/results/bdc099d6-ecea-40c1-b370-da0fdc66dd42/
SH256 hash:
cc2b98223c9dcaf35c31d2eb743780aa3ea50177043e82633dda11aa7b7ff66b
MD5 hash:
014ace331af3642ddb3d3aa754e94950
SHA1 hash:
2ee54a101d1817ffdf1154d6bc19a7fa6db81c97
Link:
https://www.unpac.me/results/bdc099d6-ecea-40c1-b370-da0fdc66dd42/
SH256 hash:
e0d2bdbe3fd5241fdd701cf42a950d5140ba47063649a783b61599e383b12f6f
MD5 hash:
11435b6ae08058bf05bc20fa6846ddd7
SHA1 hash:
bcd956d5776e0896e77322b3cd5efffc05ab7064
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/bdc099d6-ecea-40c1-b370-da0fdc66dd42/
SH256 hash:
22a0b636397b7c13cc5d81fd885ea6a662615832e9a2ecf5e37afd4e50fe822a
MD5 hash:
21d1f6dc595a4eff54661e340d328203
SHA1 hash:
b7cfae5800d7b840d47dbb3977ca30772a30c93d
Detections:
win_formbook_w0
Create hunting rule
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
FormBook
Create hunting rule
Windows_Trojan_Formbook
Create hunting rule
Formbook
Create hunting rule
Link:
https://www.unpac.me/results/bdc099d6-ecea-40c1-b370-da0fdc66dd42/
Parent samples :
90ea1c4f055151523a1960b3d36778489ecd187ffb79d843012eafefdeaa3285
4123bedccc18eee83aa4c7d8e1b64191ddde5fc234bd3c1cbd7f998571e47112
06fde543ff6fd284c390329229bbb6ffae4de88fe0c6f4423c7ad5f975e0c2d1
af0479c951a33eabf8ffe589a8494781e8e071599a916da305bd1852b58f1a5c
9f553bbfad12d1079c4b0935c57410a0149b02bd6669d34431ab9fb1668da820
26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863
a6fe2868beed6abd768621f4ace603c9a9b7f5b5ad1029344e953fbb81649506
6500b4198a595f173e1009ec7f6fca35b2e62e175911726a1bf6fbb44b5897c2
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26daaa0d086c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

7z 977efd6cd3a376be30cfac84af59290e83ea5b816d12a932dfeb361478eeb877

Formbook

Executable exe 26daaa0d086c4ef2f8da2970ffcb9a5a7f7a83d9d9214fa9b8480058e55c7863

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 977efd6cd3a376be30cfac84af59290e83ea5b816d12a932dfeb361478eeb877
Cape
Cape
https://www.capesandbox.com/analysis/31240/
  
Dropped by
MD5 9a4c87f9536e4b274e01572b263fd4d7

Comments