MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 18 File information Comments

SHA256 hash:	7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3
SHA3-384 hash:	3751fcb6f82d64b2149e1d4312a6f44315b2ee20e519327880f5acdd379dd74ab017b09a851323704b08fde438539abe
SHA1 hash:	d29a4e98f9731f51c5c0c350b1e4ee104784e9f7
MD5 hash:	f3a152e9b77765c87d3169c94c2bb50b
humanhash:	item-purple-lion-winter
File name:	7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3
Download:	download sample
Signature	Formbook Create hunting rule
File size:	712'192 bytes
First seen:	2025-12-08 15:40:48 UTC
Last seen:	2026-01-09 15:02:55 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	21371b611d91188d602926b15db6bd48 (73 x Formbook, 60 x AgentTesla, 21 x RemcosRAT)
ssdeep	12288:qz7hU5I5yuNHIgzSFKxWltRohBfSTso93Uf3UTaF3cLPTOEfVAbpnBYgMBJjvUVk:qf+iN57Gtene3cETm6OJ9BXMzjv0SHp
TLSH	T193E42382AA816CA4D1007330C435CD740D7878B19E69736E87B9E2AFBC74793693B67D
TrID	39.1% (.EXE) UPX compressed Win32 Executable (27066/9/6) 38.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	adrian__luca
Tags:	exe FormBook UPX

UPX packed

This file is packed with UPX. We have therefore unpacked the file. Below is furhter information about the unpacked (de-compressed) file.

File size (compressed) :	712'192 bytes
File size (de-compressed) :	1'218'560 bytes
Format:	win32/pe
Unpacked file:	9b6a347c4a3da1ba88d2b5a4d1cb0c8182da7aa5dc36526496d7cd9ec98607b4

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

AutoIt PEPacker

Details

AutoIt

extracted scripts and files

PEPacker

a UPX version number and an unpacked binary

Link:

https://research.acce.ciphertechsolutions.com/results/300fd068-eb44-4262-b475-432469d22f99/

Malware family:

n/a

ID:

File name:

7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3

Verdict:

Suspicious activity

Analysis date:

2025-12-09 02:07:28 UTC

Tags:

auto-startup

Link:

https://app.any.run/tasks/0cc0e7a6-799c-471f-84b1-a6abee90fd42

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/43626/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6936f204881313558a2b980c

Tags:

autorun virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

Launching a process

Сreating synchronization primitives

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Doina.Generic

Link:

https://www.hybrid-analysis.com/sample/7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-23T23:56:00Z UTC

Last seen:

2025-12-10T11:53:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/f3a0b842-8382-47f0-801a-629db937da18

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3

Verdict:

Malware

YARA:

5 match(es)

Tags:

AutoIt Decompiled Executable PE (Portable Executable) PE File Layout Suspect Win 32 Exe x86

Link:

https://app.malva.re/file/f3a152e9b77765c87d3169c94c2bb50b

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3/

Threat name:

Win32.Trojan.Doina

Status:

Malicious

First seen:

2025-11-24 04:09:50 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pzaebzph2c6xsmn42lerbarbseokavylkd2qgphpofb7yj65r6rq._file

Verdict:

malicious

Label(s):

formbook

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery upx

Link:

https://tria.ge/reports/251208-s44p4aek7w/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

UPX packed file

Drops startup file

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/eeeb1247-7bce-4430-ae96-46016166a7e1

Unpacked files

SH256 hash:

7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3

MD5 hash:

f3a152e9b77765c87d3169c94c2bb50b

SHA1 hash:

d29a4e98f9731f51c5c0c350b1e4ee104784e9f7

Link:

https://www.unpac.me/results/c4eb8f4c-2287-413f-aefb-6d530e22383d/

SH256 hash:

bca978330944842a1e41f96c687c7abb17c7e2c2dead97b32b0fe93350ab6ae4

MD5 hash:

f8a94a2ec81a38282cb918e98d5e6e8c

SHA1 hash:

a98a76b025575087d6a71b4c0f3ed4f12ec97be0

Link:

https://www.unpac.me/results/c4eb8f4c-2287-413f-aefb-6d530e22383d/

SH256 hash:

cf7d5f0d04da86a44901e988105faf4bed4d1e78a894d0a2a175ec8a21d0d7bc

MD5 hash:

f490fc45ede9b2d5f69b5d4b9b5cafb0

SHA1 hash:

411bd1ab0c940c519c8f3cecf6521c98d2e21cf1

Detections:

win_formbook_g0

Link:

https://www.unpac.me/results/c4eb8f4c-2287-413f-aefb-6d530e22383d/

Parent samples :

f626061c6431a018a00e7f4bf29904f1d4fe9fe093a5fe7fdcca08d0aaead56c
b103eafb63925e5c6c7104d234873c0213def2cbf50f6b1566026694311b4902
2aa5ce3561dc657a157460383c7c9b8db54ac8a6969627009c8d1062316a6130
e80c725e5944992a8fc9fee172ff5dad5863a60ff23bb929eee63eca0ad6a5c3
c478dba070eef873b89b19170d8a683188f82222f30385f55faef68a8725339b
986de4285a1b205a94670b37918398ea6b02ca39ad15dcda471ffab9a9273548
7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3
9b6a347c4a3da1ba88d2b5a4d1cb0c8182da7aa5dc36526496d7cd9ec98607b4

SH256 hash:

164092ed71677de9210ce01b117a24acf853c143ec49c28e33c896f605634310

MD5 hash:

34319257ebe659a34184260b5d01441d

SHA1 hash:

68ce2187724efdf1f3e94bd32cbed214df680782

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/c4eb8f4c-2287-413f-aefb-6d530e22383d/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/7e4040e5e7d0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7e4040e5e7d0bd7931bcd2c9108221911ca0570b50f5033cef7143fc27dd8fa3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerCheck__GlobalFlags Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectEncryptedVariants Create hunting rule
Author:	Zinyth
Description:	Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name:	dgaagas Create hunting rule
Author:	Harshit
Description:	Uses certutil.exe to download a file named test.txt

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	TH_Win_ETW_Bypass_2025_CYFARE Create hunting rule
Author:	CYFARE
Description:	Windows ETW Bypass Detection Rule - 2025
Reference:	https://cyfare.net/