MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464
SHA3-384 hash: 5ee67ec466c5707cd92df9502e0818476aa3f603d126e7e305f4bc231dc01e4e3de62c97ba7aaa1fb1e32d86119978bc
SHA1 hash: ec891537902cfc46dfd4c23f523fb0cfd0bfb729
MD5 hash: cc79c483bd82e767f895902437d25710
humanhash: lactose-alpha-single-low
File name:25ZG0594-INV.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:690'688 bytes
First seen:2025-09-06 02:27:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:0aqojL4ep+9keRK6AKefTVYWHDqDBY7edfuMHPIjk1Z9D9QbOH1MCXRra94fiW/v:lqL9kegHDqDVJvIjINqbEBRzfiW/v
Threatray 914 similar samples on MalwareBazaar
TLSH T198E4220031079603C872ABF66A61E0F4ABF55E9EB913DB578FE97E8B363E3114941253
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
25ZG0594-INV.exe
Verdict:
No threats detected
Analysis date:
2025-09-06 03:36:22 UTC
Tags:
netreactor
Link:
https://app.any.run/tasks/8339f485-da7a-475a-974a-62092cfbde27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25929/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68bb9c4eeb163e0ec184c7c8
Tags:
virus msil
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
krypt packed stealer unsafe
Link:
https://www.filescan.io/uploads/68bb9c4a20d0ee406d978ff8/reports/e55a00e9-d9e0-4e63-b65b-7f6d83cd65c1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-05T13:36:00Z UTC
Last seen:
2025-09-05T13:36:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ca4a2ca-5410-4082-ba21-0c1ce2492249
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1772185
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1772185 Sample: 25ZG0594-INV.exe Startdate: 06/09/2025 Architecture: WINDOWS Score: 100 32 www.ecpay-tw067.xyz 2->32 34 www.78452609.xyz 2->34 36 19 other IPs or domains 2->36 44 Suricata IDS alerts for network traffic 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Yara detected FormBook 2->48 52 3 other signatures 2->52 11 25ZG0594-INV.exe 3 2->11         started        signatures3 50 Performs DNS queries to domains with low reputation 34->50 process4 file5 30 C:\Users\user\...\25ZG0594-INV.exe.log, ASCII 11->30 dropped 62 Injects a PE file into a foreign processes 11->62 15 25ZG0594-INV.exe 11->15         started        signatures6 process7 signatures8 64 Maps a DLL or memory area into another process 15->64 18 oUpGBiuwiZXw.exe 15->18 injected process9 dnsIp10 38 www.suvorr.tokyo 46.37.111.21, 49735, 49736, 49737 Y-INTERNETGB Spain 18->38 40 www.mireza.site 203.161.43.199, 49743, 49744, 49745 VNPT-AS-VNVNPTCorpVN Malaysia 18->40 42 8 other IPs or domains 18->42 21 proquota.exe 13 18->21         started        process11 signatures12 54 Tries to steal Mail credentials (via file / registry access) 21->54 56 Tries to harvest and steal browser information (history, passwords, etc) 21->56 58 Modifies the context of a thread in another process (thread injection) 21->58 60 2 other signatures 21->60 24 chrome.exe 21->24         started        26 firefox.exe 21->26         started        process13 process14 28 WerFault.exe 4 24->28         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.21 Win 32 Exe x86
Link:
https://app.malva.re/file/cc79c483bd82e767f895902437d25710
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2025-09-06 02:28:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hexmfyg3ef64mznrhqxhhmanbsrnyo37rjd65x42ofowcpsxursa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
268b6fdc221050949a2b624983380cd3fb268fecef2f5bb3a15d91611f3d8092
Formbook
47979229e85fb2c50554534d795075be54dcde94ff32040d3adfe5a6b7475384
Formbook
52bd274cd1b0ada7597a4d72e78190d7b5574f0819204b4a3c0ac488256533ed
Formbook
5a30c4e68c8a9e2fa23d7176efd9f712624fb375d443c25b8829dd307e8b030d
Formbook
68ef29d9bd6e88b4fda357fa69b156376a0a611d287e909285bebbc0d6afc059
Formbook
833005a44107a2b32181f8a038fb7bc267df6648f0b94dc4a26cd295021b2cb7
Formbook
9cc2ff7618612a455e70616103849442a0fa1fc71fb0843f521fc99a24c51bd5
Formbook
cb2391d06743d76e0f5494daf21a381c57a6f7f824796697edb50a4424f3fcfc
Formbook
dceb92e559ad73d5df1807bb8786ceae9ab3d16176223f3250ad4f9514467220
Formbook
error
Formbook
+ 904 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/250906-cx8gpsxmt4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Formbook payload
Formbook
Formbook family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ee71d1c2-e494-4b6b-b10c-137acf0edc17
Unpacked files
SH256 hash:
392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464
MD5 hash:
cc79c483bd82e767f895902437d25710
SHA1 hash:
ec891537902cfc46dfd4c23f523fb0cfd0bfb729
Link:
https://www.unpac.me/results/4d85995c-8cb9-447a-94e0-e04ec5eb0eba/
SH256 hash:
28e94d2a3c7318cbce7330487274ad0577b1b40c9c1b6ab56d66837d7ac09489
MD5 hash:
1dbd21e2463c6ba220bc98590d3d2c41
SHA1 hash:
556e233fea47684552f610e968f63e7a2b451ddc
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4d85995c-8cb9-447a-94e0-e04ec5eb0eba/
SH256 hash:
e50b0550616c4ea9dc2d18d75084f50e6e7da2ccaa2c77a439026957105aad8f
MD5 hash:
540148a4209d7e2b88d0e24b919c2834
SHA1 hash:
5a2042f9c9946e57d02d0d4e9a1ba2c5b1246a1e
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4d85995c-8cb9-447a-94e0-e04ec5eb0eba/
Parent samples :
881aac6c0395e173fe15acd1baf9caf443e73e166176b5040ccdb7e34750ed58
e14543458bbd96f242cc1dbeb9e3ff8c62c592fbe954b6da75fbf7f05aa41a0f
93bba3622d1594eb97ea253dbee9a1d5c495871b73410bccd6c41d7969d3b8a2
a89d88037e6e7321b7da02290aab0139ddf7be1b697388dcc28fba708304682f
e2f435485baa82011fb87477cf73d40c87b87a3579b11ea8d3cb22883ad33682
67b1c7d222568af1d3fe24c18125eac63dad102e029fae7427b7b9a526f63699
2e3c410728b3564bd615f8e6c64a7fc82fd5385542d02d7134d07bcbbc3f9f09
8ece82ad36ddad1e13a955098ea9629364950ed21a1155d7be4921208e62eb0c
26a2714342c817548962d1a9cf5ebb1aacb811c3060fea1269c8280047b8eddf
78f8b46dfdd55f7914e78f925189180f674945327ee3fa9187e2d5de86b15337
a8dabe249da520a24de691d48bf2549dda65bbb3e62cecd148b1ff0080533cac
0cb006d7434c2ffa1b04e4f20a90688e8eb36e82cea2db1641744e235995439b
fcdc9e821a1bd97c87b1c9b9fed76a070f3ff81a0ee0838f49a915336851a029
6b76abca8f35fff263c12beaaf521405a1d3743abde3bc20d8415272b2c5a140
2f76a21937582bd59783cab01437d029a6ccd52635e2a3f424831ad7e444e640
392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464
acfd0a48223c3e021532b6f7cfb12e81ebf2903bd706b9a5d45fb1a020dd7902
9357bf9a67240b9df693123dfcefe78bd468a313243e9ab7769c60eae161f1ad
c3bce19ca32fe499888cec1530bef701ba3d11d7fba776945a2e1245cb162a38
8e7c61db1d4aae49ddbd1ab8586fe752edbd01f30d5214e6e6bc074a3ec05588
a6fc6ac52bb2eb9fbe527ec26f3f21b8a3775660883ccd55976a250910dcee2e
227d7f535bcb6ce158d63d9436429547e9a065b289cf8b0caf8993ddd549190d
SH256 hash:
0b7cdf9dbe6f165393c87acaad5aa65e6882b9d5c54550ef3c597737e0ad32ff
MD5 hash:
7e4ca1b335ac6a61c1477a46e04dbaad
SHA1 hash:
a2ca1a9641a0ddc668c93f5f89eac2b67ecd0f8e
Link:
https://www.unpac.me/results/4d85995c-8cb9-447a-94e0-e04ec5eb0eba/
SH256 hash:
4a6dff6b96cfe65bbcf689dacf26d62aa5f582a5c62c5772e1dcd8d97a444f57
MD5 hash:
3dd86b822301a8d6374ad1c7ed969d66
SHA1 hash:
3383b3170854c6c805cb96f9b0428f32e476957f
Link:
https://www.unpac.me/results/4d85995c-8cb9-447a-94e0-e04ec5eb0eba/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/392ec2e0db21/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.61
Link:
https://yomi.yoroi.company/submissions/392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 392ec2e0db217dc665b13c2e73b00d0ca2dc3b7f8a47eedf9a715d613e57a464

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/25929/

Comments