MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d261e61de6e893eda0e874fcb49be4295672966b5f5911b1072affba588707b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 6 File information Comments

SHA256 hash:	d261e61de6e893eda0e874fcb49be4295672966b5f5911b1072affba588707b5
SHA3-384 hash:	9d77778c1d493441fed8dbd21ff5513b4017418ed9c362ccc7567970c228e7bd67383e3068ddf055c77eee2602971455
SHA1 hash:	5e47d4a129fab7df422117a5cf6dd2d3f849241e
MD5 hash:	10b7506eb8d2e032eed937c79d0708cf
humanhash:	east-carpet-magazine-angel
File name:	SecuriteInfo.com.Trojan.PackedNET.3387.17936.7562
Download:	download sample
Signature	Formbook Create hunting rule
File size:	724'992 bytes
First seen:	2025-08-28 04:16:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:Gs0OWiCgJ5BxKy/d0bK2WTdnEG2QuHg+ZL9xEy+e3C3diQJYf:G1W5B9d9nEG2FTwyTKiSY
Threatray	561 similar samples on MalwareBazaar
TLSH	T1C2F412A4261AC402C1822BB10CD6E371537C1DD9E805E78B9AEFFED77D6E64439853CA
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Trojan.PackedNET.3387.17936.7562

Verdict:

No threats detected

Analysis date:

2025-08-28 04:18:13 UTC

Tags:

netreactor

Link:

https://app.any.run/tasks/5eb9c2ad-452f-433a-bc71-03bb28877300

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/23965/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.3387.17936.7562.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68afd85c3e988eb6ab82de97

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook krypt packed unsafe

Link:

https://www.filescan.io/uploads/68afd85d1c81c34281d622cb/reports/d2bd9667-58e3-4ab0-9999-b6db77c99d47/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/d261e61de6e893eda0e874fcb49be4295672966b5f5911b1072affba588707b5

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-08-27T23:45:00Z UTC

Last seen:

2025-08-27T23:45:00Z UTC

Hits:

~100

Link:

https://opentip.kaspersky.com/d261e61de6e893eda0e874fcb49be4295672966b5f5911b1072affba588707b5/results?tab=lookup

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eea5330b-6dbd-4601-97da-71780d1e6618

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d261e61de6e893eda0e874fcb49be4295672966b5f5911b1072affba588707b5

Gathering data

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d261e61de6e893eda0e874fcb49be4295672966b5f5911b1072affba588707b5/

Threat name:

ByteCode-MSIL.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-08-28 03:35:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2jq6mhpg5cj63ihiot6ljg7efflhfftll5mrdmihfl73uweha62q._file

Verdict:

malicious

Label(s):

unc_loader_037

formbook

Formbook

617bf6800d42409a74ae0539d3e3ffc412e6c4bb137c232159c3ca946bc0fcdd

Formbook

946a35262c7946b1314dfdda75f9f95f08bc35253b3cd070ee8561d8a4d27831

Formbook

992566058d79274af50ccdb71fce3d8c9672d855d19d5b809632d20020780657

Formbook

9cc2ff7618612a455e70616103849442a0fa1fc71fb0843f521fc99a24c51bd5

Formbook

bc16ea0319477e9b3f88c99b56dc71baf4f7f21d69274f391362f37fb763cf19

Formbook

e59670071cfffff991781690eb247ba893808bc8a6710e6f1097b53c3e1d121d

Formbook

error

Formbook

+ 551 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:d26z discovery rat spyware stealer trojan

Link:

https://tria.ge/reports/250828-ewk15a1qv5/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Formbook payload

Formbook

Formbook family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9b0e8f0a-796a-4950-82d0-c2bed6245ba8

Unpacked files

SH256 hash:

d261e61de6e893eda0e874fcb49be4295672966b5f5911b1072affba588707b5

MD5 hash:

10b7506eb8d2e032eed937c79d0708cf

SHA1 hash:

5e47d4a129fab7df422117a5cf6dd2d3f849241e

Link:

https://www.unpac.me/results/5b0bcad0-3a10-4567-9709-594acca334fd/

SH256 hash:

97f1eabec5b1e1dd5e3772303ecf9d0fa8861663b5c5eb36d21dda2296922ff2

MD5 hash:

23ab07d7c5374d84166168d5e3acd3a1

SHA1 hash:

2ae165f7c281be511cc43132db2b2b14b168ea7b

Link:

https://www.unpac.me/results/5b0bcad0-3a10-4567-9709-594acca334fd/

SH256 hash:

004761a095b30145f9d2c92254dd86d12e6a03b79001bd7878c2f8d80cf8aad2

MD5 hash:

0857d0e5e7363782b446a404cf0f59c7

SHA1 hash:

b3cc6f3e8c1219b563735f955d014d487e4b4cb8

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/5b0bcad0-3a10-4567-9709-594acca334fd/

SH256 hash:

924971edd391379fbed851351b25e82db6b98027b25df3d1d060989fb34d0e95

MD5 hash:

1549de5ccfc4e742e92c951bafc0caeb

SHA1 hash:

e5b8e4e35a0bdedef012b3e3be35f6237c0b95c5

Link:

https://www.unpac.me/results/5b0bcad0-3a10-4567-9709-594acca334fd/

SH256 hash:

94e62c0049fcc25c567fc6c0a46ca9bcdb8ad215f9487fedb9f780b216108b59

MD5 hash:

1fd53afdf3001156d7e25fc9d376472e

SHA1 hash:

28a6a8df92888f4440bc1d118b8d14768d5daec3

Detections:

win_formbook_w0

win_formbook_g0

win_formbook_auto

FormBook

Windows_Trojan_Formbook

Formbook

Link:

https://www.unpac.me/results/5b0bcad0-3a10-4567-9709-594acca334fd/

Parent samples :

8081b1db0c96891c7c7c032b7cdaabf10b3e55d02f24508fc5fb97a78d57196c
d261e61de6e893eda0e874fcb49be4295672966b5f5911b1072affba588707b5
0602d4287c73ec32f73636d2b3636867a484ac664fdf0ebd4560bcc282640eb0
f3705c4b168ab9da53cd547d088b5c594115e5e545d3694ecd76c7e42f1da4ec
badb58b21a2d069202fedc125e7ccb003a204013445c85f0bd0d4394d0d7809e
2c29bae7cd23f905b8fdbf4f382abc43c8fb560730744c454df10475dc1bee4b
ec394392a4f1746a6166f78bcefb94ad4b5a4e4fe224fd5c3fa1ff93fb9e26a5
3f56b75e0a22acce7e85ba3b5e24ba8ccdfc573929376671a0ababd8a5db6686

Malware family:

zgRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d261e61de6e8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/d261e61de6e893eda0e874fcb49be4295672966b5f5911b1072affba588707b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/23965/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample