MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c5cbaeb20361e8885e5cdb09526e75f1fc6c7e8fc2457c83418891feab4c9ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c5cbaeb20361e8885e5cdb09526e75f1fc6c7e8fc2457c83418891feab4c9ee
SHA3-384 hash: c6880ceeb0daabcd2ea43d67ae383afe0bf54f8b02fec55466b2b98987f762b98268f18fcb5a99ef06c4f1fd49f8c642
SHA1 hash: 51b186f573c25c2f067b6314b88284c2d8b0fdde
MD5 hash: 98710889cd69c93b9f54c7875e6d7ad2
humanhash: washington-black-pluto-seventeen
File name:ENCRYPTED (4).ps1
Download: download sample
Signature Formbook
Create hunting rule
File size:1'523'869 bytes
First seen:2026-02-18 10:42:17 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24576:3j2xIvn78DMkIl4GJGGAK+jeHAW7M9icxsh4m+mJ5jCUUn7u5Zhaqaica:3SweMvF4u+05DgmT+ica
Threatray 2'678 similar samples on MalwareBazaar
TLSH T164652361FD766CA503845234206E5E0846E19F874C0879AA3F8C99CF0F6EA8F85779DF
Magika powershell
Reporter abuse_ch
Tags:FormBook ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.PowerShell.Packed.221.26277.20824.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6995979e1ebe863df4851bd1
Tags:
vmdetect
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm powershell
Link:
https://www.filescan.io/uploads/6995979097feb4afd649bb24/reports/17da9050-bb48-49ce-a466-baeb75e5c5d7/overview
Verdict:
Malicious
Labled as:
PowerShell/Agent.DZG trojan
Link:
https://www.hybrid-analysis.com/sample/7c5cbaeb20361e8885e5cdb09526e75f1fc6c7e8fc2457c83418891feab4c9ee
Verdict:
Malicious
File Type:
ps1
Detections:
Trojan.Win32.InjectorNetT.s PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/7c5cbaeb20361e8885e5cdb09526e75f1fc6c7e8fc2457c83418891feab4c9ee/results?tab=lookup
Result
Threat name:
FormBook, MATRIX Crypter
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1871093
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected malicious Powershell script
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected FormBook
Yara detected MATRIX Crypter
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1871093 Sample: ENCRYPTED (4).ps1 Startdate: 18/02/2026 Architecture: WINDOWS Score: 100 51 www.54825091.xyz 2->51 53 www.030062469.xyz 2->53 55 14 other IPs or domains 2->55 69 Suricata IDS alerts for network traffic 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for URL or domain 2->73 77 8 other signatures 2->77 11 powershell.exe 24 2->11         started        15 svchost.exe 1 1 2->15         started        signatures3 75 Performs DNS queries to domains with low reputation 53->75 process4 dnsIp5 49 C:\Users\user\AppData\...\tmp8D54.tmp.ps1, ASCII 11->49 dropped 87 Writes to foreign memory regions 11->87 89 Injects a PE file into a foreign processes 11->89 18 aspnet_compiler.exe 11->18         started        21 aspnet_compiler.exe 11->21         started        23 aspnet_compiler.exe 11->23         started        25 13 other processes 11->25 63 127.0.0.1 unknown unknown 15->63 file6 signatures7 process8 signatures9 65 Maps a DLL or memory area into another process 18->65 27 4BSmgAAndbqY7.exe 18->27 injected 67 Unusual module load detection (module proxying) 21->67 29 WerFault.exe 20 16 21->29         started        31 WerFault.exe 16 23->31         started        33 WerFault.exe 16 25->33         started        35 WerFault.exe 25->35         started        process10 process11 37 msdt.exe 13 27->37         started        signatures12 79 Tries to steal Mail credentials (via file / registry access) 37->79 81 Tries to harvest and steal browser information (history, passwords, etc) 37->81 83 Modifies the context of a thread in another process (thread injection) 37->83 85 2 other signatures 37->85 40 QKMcdl0s9VV.exe 37->40 injected 43 chrome.exe 37->43         started        45 firefox.exe 37->45         started        process13 dnsIp14 57 www.8ixei.info 202.165.122.83, 49755, 49756, 49757 POWERLINE-AS-APPOWERLINEDATACENTERHK Hong Kong 40->57 59 efplusarchitekci.com 109.234.165.161, 49723, 49724, 49725 O2SWITCHFR France 40->59 61 9 other IPs or domains 40->61 47 WerFault.exe 43->47         started        process15
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7c5cbaeb20361e8885e5cdb09526e75f1fc6c7e8fc2457c83418891feab4c9ee
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7c5cbaeb20361e8885e5cdb09526e75f1fc6c7e8fc2457c83418891feab4c9ee/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/7c5cbaeb20361e8885e5cdb09526e75f1fc6c7e8fc2457c83418891feab4c9ee
Threat name:
Script-PowerShell.Trojan.XWorm
Create hunting rule
Status:
Malicious
First seen:
2026-02-18 08:03:16 UTC
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=prolv2zagypirbpfzwyjkjxhl4p4nr7i7qsfpsbudcer72vuzhxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
08cd43a806108e96a9f7d7eaebdc3fd28e8bf772e5718463929f241795a99db3
Formbook
2a2b4598b2a424bba1b0f6e1f3837e1268d210291b22e52f67ee6b6c62a95f11
Formbook
40eb95d0ad64a1451d51d018778573335e94e4a28fc044c629795ef7f6caede8
Formbook
5a721e420c6fc129a198af6fd7458202c574cff68e0b60b4372a8af5767bd2d9
Formbook
9c0a21132a4bb82e3a9cac55be46caaf7d2733b5bd215c89fee0852453bdc4a9
Formbook
cc6de21ebaf5b1da25218987714320f9dcc9dd38acad71a9513a42323621a2ed
Formbook
dbadbbb3a09a0cfbb8f0ee1fe9b58e710ffb5cfaf5d48e86e10a0e8bb135042c
Formbook
error
Formbook
f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757
Formbook
f424bb11bb0e71134361f14d3d698933095f8d464d710eb12c131652bbda5164
Formbook
f4b9eef8e4ca04b9bef203109eab8639641ea0e8ee40e740b8743b436124cac1
Formbook
+ 2'668 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook adware discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/260218-mrvzjag13a/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Formbook payload
Formbook
Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7c5cbaeb20361e8885e5cdb09526e75f1fc6c7e8fc2457c83418891feab4c9ee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:telebot_framework
Create hunting rule
Author:vietdx.mb
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

PowerShell (PS) ps1 7c5cbaeb20361e8885e5cdb09526e75f1fc6c7e8fc2457c83418891feab4c9ee

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3780194/
  
Delivery method
Distributed via web download

Comments