MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 18

Intelligence 18 IOCs YARA 6 File information Comments

SHA256 hash:	2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d
SHA3-384 hash:	06b910b48891bb6cf98dcc7fc6812995ac75fd402ddcf26ba700887f025da5646259936c3db7e3f8c35be95f1b092b34
SHA1 hash:	aa8f27d260a8895765b98e6899be6a8cb2b8162a
MD5 hash:	6a9d334c6107a9f9575d52932c5b9263
humanhash:	enemy-march-beryllium-failed
File name:	2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d
Download:	download sample
Signature	Formbook Create hunting rule
File size:	748'544 bytes
First seen:	2025-09-05 13:05:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:0aSG840TYA0Tu00eFB4v5ae+DrtPa1rjkExofkevVVaS8nJE4KnBMhan2E:R8snT2eFyEVC1vHq8oQyB
Threatray	816 similar samples on MalwareBazaar
TLSH	T102F412A526A9E702D5B6ABF418B1D37443BD2E9D3801C3065FEABCDF7C25B50A940393
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

f94f5ac70c7cfa7eb28728124895e87e325eda92b09476e7600b276ccdd0555a.zip

Verdict:

Malicious activity

Analysis date:

2025-08-20 03:56:27 UTC

Tags:

arch-exec netreactor formbook xloader stealer

Link:

https://app.any.run/tasks/aa49dd37-aed4-47c2-918a-3e4d2d068388

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/25567/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.3393.19883.20450.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68bae04eeb163e0ec1848216

Tags:

virus micro

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/68baeb17822d8c77dc642b1e/reports/74d4b9be-8d9e-4de8-8d35-ae7bcef91667/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-19T23:50:00Z UTC

Last seen:

2025-08-19T23:50:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d/results?tab=lookup

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/73bfd9a8-c720-490f-9e75-c441ca587120

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d

Verdict:

inconclusive

YARA:

10 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.37 Win 32 Exe x86

Link:

https://app.malva.re/file/6a9d334c6107a9f9575d52932c5b9263

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2025-08-20 02:16:37 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 38 (71.05%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fzxkeck3skaj2ynzam76uyodf5tsv3o2dvzww2rysjokdhjhyfwq._file

Verdict:

malicious

Label(s):

unc_loader_037

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/250905-q6atpaar8t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3f33d2aa-501a-4ce4-a390-94149193efb5

Unpacked files

SH256 hash:

7b90dfa5a1e1cb97014bb839dfe66577109a9bfdebf37a1d943747fd6297ec54

MD5 hash:

175a8b2e9d8e3bf7a1920fc6b93371f4

SHA1 hash:

054b4bc3e37be1e79020b0a49fcbb308a5ce2916

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/d94f5c13-038b-4c56-aa50-c4954b2d62aa/

Parent samples :

17e0c7518d7529f547024299249ba52280ef8832a59065b51084d2363735f0c3
ed67e313856d24ddff3ab5d32f7c008091dba877cc81c20f231915ddc47aa495
7d3c778bdf96a09329ff48320375c3b3f902fb0c60a6dcc3e84c74c29a925ad7
b825530e6ae318301d55258b6cb986139eb8305282ec8f2d5c10ddd85372b5e8
585f964ab32e7e8b968f4d6f3c8395d757abc7bd22afc3ea04f31fd381fb4c5e
e716163f54adee3d2033774eb284550be239f8fa3027ce66724173f822a1131d
b61f96d853d5363fbd77d8b465c9394bb606c7e5e44717aa9230098c2caea281
f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04
bb17aae78c989184f3618223ea0e06d307fee6a6467ba61bb4b9e15ca42cf06c
2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d

SH256 hash:

a4697b501edbd129078c7ca603b5a2d7ca714f61cf451fcc1049dc6eadd1c548

MD5 hash:

7dfe8eae0ad70ed13b5315174635cfce

SHA1 hash:

3391f04915fc6311cb55da8521b5961702c70608

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/d94f5c13-038b-4c56-aa50-c4954b2d62aa/

SH256 hash:

0b7cdf9dbe6f165393c87acaad5aa65e6882b9d5c54550ef3c597737e0ad32ff

MD5 hash:

7e4ca1b335ac6a61c1477a46e04dbaad

SHA1 hash:

a2ca1a9641a0ddc668c93f5f89eac2b67ecd0f8e

Link:

https://www.unpac.me/results/d94f5c13-038b-4c56-aa50-c4954b2d62aa/

SH256 hash:

b8335fc8ae56016ec35f31dbcf76a0fab4a63443bc9f9083337f5caa6b5609c8

MD5 hash:

bf078e355505b5914fee4709d8ae6983

SHA1 hash:

c288bcadf16c12b28c5bf9b75a518974bfe40a26

Link:

https://www.unpac.me/results/d94f5c13-038b-4c56-aa50-c4954b2d62aa/

SH256 hash:

b5bb50a1e5add96bad08daaa7923566ee16a48ca099cd6745d3a00702761be89

MD5 hash:

26cd112eb1409fabfa3ab65c72ee79d8

SHA1 hash:

2b25e2d46055442c42aa81ab1e9fc87c6635e7ed

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/d94f5c13-038b-4c56-aa50-c4954b2d62aa/

Parent samples :

104d7263dd77981b760c26e0fb61986e6aa2a3e86eab2ae4bc7468cf28eaf902
4f332f4463ca0405da859acc77073973689eaea2ce3a3614a371af5759fb5f72
9cc2ff7618612a455e70616103849442a0fa1fc71fb0843f521fc99a24c51bd5
52bd274cd1b0ada7597a4d72e78190d7b5574f0819204b4a3c0ac488256533ed
849402cd1e4eb903a5fa5916c2942a9515191522d555bb367d3cfe733761997b
5a30c4e68c8a9e2fa23d7176efd9f712624fb375d443c25b8829dd307e8b030d
ad1ae745d835753f3536d17187afeaca8c6b4fa7741aa7442778de132c6bb0b3
73641bb814bd6e10ce0fa31212e08f24e705e5d4a67d4c5367a1d8331b55da0d
2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d
8cd56ddaedb0cc45a957765ea3e590005a6fd09715308bf007aa24a2e0c15799
1936d1b8295caabcbd48e3ea53f312bd49c0dab3e41870d807667eda64a29c14
c514d19df459390e07641bbccc3c43e427349a82e85f1b5296acb7ff4cd4a8d3
16ed2c1ca3967a5d35b8ed2607aa76b4be05d6a51b89c97a46a3c37f6a579814

SH256 hash:

2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d

MD5 hash:

6a9d334c6107a9f9575d52932c5b9263

SHA1 hash:

aa8f27d260a8895765b98e6899be6a8cb2b8162a

Link:

https://www.unpac.me/results/d94f5c13-038b-4c56-aa50-c4954b2d62aa/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.61

Link:

https://yomi.yoroi.company/submissions/2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/25567/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample