MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e26391c784afa1e9f53f35c309ec06fdaa6df850b23eebe2028bd3e642ec9d24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e26391c784afa1e9f53f35c309ec06fdaa6df850b23eebe2028bd3e642ec9d24
SHA3-384 hash: 21c3c875c6c299c9c91b6f5a09d7688c1297905f664b47274e6adf1bb68015855693d29541e800a739f15a231fbe04db
SHA1 hash: 17fdc28c9903a03584e23db97a8d234e5fd7bdda
MD5 hash: 3b6b415d21deca9968d791146a4dbe21
humanhash: purple-carpet-vegan-papa
File name:3b6b415d21deca9968d791146a4dbe21.lnk
Download: download sample
Signature Formbook
Create hunting rule
File size:2'332 bytes
First seen:2026-03-03 14:40:56 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/x-ms-shortcut
ssdeep 24:8Q/BHYVKVWP+/CWesqVEV5yAoq3UMkWXUfpjAUfR+/E4I0arab/WlY:805aZsmEV5yAoq3HvjyAIZabi
Threatray 2'708 similar samples on MalwareBazaar
TLSH T11B4127141BE51314E6F39B79B8BAA31189767855EE32CF8D0250618C24A1620F1B6F2B
Magika lnk
Reporter abuse_ch
Tags:FormBook lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
414
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
LNK
Details
LNK
a command line and any observed urls
Link:
https://research.acce.ciphertechsolutions.com/results/c062a3f3-06c4-4681-9f3d-3d94a9604b1e/
Detection(s):
SecuriteInfo.com.VBS.Obfus-101.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28759.LnkHeur.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.LNK.PowerShell.Download-1.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.26479.PshHeur.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.KingForADaypshell.20231121.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.PkillEasyPshellDLAndDetonate.20240116.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a6f31f002d37d5c98325b9
Tags:
ransomware xtreme shell
Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/e26391c784afa1e9f53f35c309ec06fdaa6df850b23eebe2028bd3e642ec9d24/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e26391c784afa1e9f53f35c309ec06fdaa6df850b23eebe2028bd3e642ec9d24
Verdict:
Malicious
File Type:
lnk
Detections:
Trojan-Downloader.PowerShell.NanoShield.sb Trojan-Downloader.PowerShell.Agent.sb HEUR:Trojan.Script.Generic PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb Trojan.WinLNK.Agent.sb Trojan.Win32.Agent.sb HEUR:Trojan-Downloader.WinLNK.Powedon.a HEUR:Trojan.WinLNK.Agent.gen HEUR:Trojan.Multi.Powedon.a HEUR:Trojan.Multi.Agent.gen
Link:
https://opentip.kaspersky.com/e26391c784afa1e9f53f35c309ec06fdaa6df850b23eebe2028bd3e642ec9d24/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1877537
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Creates processes via WMI
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows shortcut file (LNK) starts blacklisted processes
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MSIL Injector
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1877537 Sample: aF8WKfytEp.lnk Startdate: 03/03/2026 Architecture: WINDOWS Score: 100 47 fil.ydns.eu 2->47 49 yaso.su 2->49 51 pastefy.app 2->51 61 Suricata IDS alerts for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 21 other signatures 2->67 10 powershell.exe 17 31 2->10         started        15 svchost.exe 1 1 2->15         started        17 spoolsv.exe 2->17         started        19 spoolsv.exe 2->19         started        signatures3 process4 dnsIp5 53 fil.ydns.eu 213.142.149.20, 49682, 49698, 80 HOSTING-DUNYAMTR Turkey 10->53 43 C:\Users\user\AppData\...\tmpE830.tmp.js, ASCII 10->43 dropped 77 Suspicious execution chain found 10->77 79 Loading BitLocker PowerShell Module 10->79 21 wscript.exe 1 10->21         started        24 conhost.exe 1 10->24         started        55 127.0.0.1 unknown unknown 15->55 file6 signatures7 process8 signatures9 69 Suspicious powershell command line found 21->69 71 Wscript starts Powershell (via cmd or directly) 21->71 73 Windows Scripting host queries suspicious COM object (likely to drop second stage) 21->73 75 2 other signatures 21->75 26 powershell.exe 24 21->26         started        process10 dnsIp11 57 pastefy.app 49.13.5.8, 443, 49692 HETZNER-ASDE Germany 26->57 59 yaso.su 172.67.213.5, 443, 49696 CLOUDFLARENETUS United States 26->59 45 C:\Users\user\AppData\...\1agyjnje.cmdline, Unicode 26->45 dropped 81 Writes to foreign memory regions 26->81 83 Modifies the context of a thread in another process (thread injection) 26->83 85 Injects a PE file into a foreign processes 26->85 31 RegAsm.exe 26->31         started        34 csc.exe 3 26->34         started        37 conhost.exe 26->37         started        file12 signatures13 process14 file15 87 Found direct / indirect Syscall (likely to bypass EDR) 31->87 41 C:\Users\user\AppData\Local\...\1agyjnje.dll, PE32 34->41 dropped 39 cvtres.exe 1 34->39         started        signatures16 process17
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e26391c784afa1e9f53f35c309ec06fdaa6df850b23eebe2028bd3e642ec9d24/
Verdict:
Malicious
Threat:
Trojan-Downloader.PowerShell.NanoShield
Link:
https://tip.neiki.dev/file/e26391c784afa1e9f53f35c309ec06fdaa6df850b23eebe2028bd3e642ec9d24
Threat name:
Win32.Trojan.WinLnk
Create hunting rule
Status:
Malicious
First seen:
2026-03-02 06:25:03 UTC
File Type:
Binary
AV detection:
18 of 36 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4jrzdr4ev6q6t5j7gxbqt3ag7wvg36cqwi7oxyqcrpj6mqxmtusa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
39d4b2c2f232d51c44e28e77ef48a8f57803f053f7ab864de307f6a45fe5705e
Formbook
44eb0ca230176e7653e8287dac64b16e4cfde7088635498e52d802d8a3dcb7e9
Formbook
5a721e420c6fc129a198af6fd7458202c574cff68e0b60b4372a8af5767bd2d9
Formbook
5aa4328001eb57a54a716ba3c7f0fa7f6b8c390828ea8b33a3c85dfb2838a512
Formbook
71043a4c0e0ce7ea11b1f1de15594cd3ddb7048a34134022c1101e7653d5a2f6
Formbook
b79268daae3fcb3b75bdb26c6dd2d2224626369a32469b22c5f36b8bd0fe9f04
Formbook
error
Formbook
f0827019d570ad314a99dd69590b0c83639c60b1dcac77d708cd6d4959383757
Formbook
f0a98a72b7b1c86ac4ce457e7978a46e8af53393e1007d2fe94306bb042388d1
Formbook
f424bb11bb0e71134361f14d3d698933095f8d464d710eb12c131652bbda5164
Formbook
+ 2'698 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260303-r2nenadw3k/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Badlisted process makes network request
Boot or Logon Autostart Execution: Port Monitors
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e26391c784af/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e26391c784afa1e9f53f35c309ec06fdaa6df850b23eebe2028bd3e642ec9d24

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.
Rule name:Script_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies scripting artefacts in shortcut (LNK) files.
Rule name:SUSP_LNK_PowerShell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference to powershell inside an lnk file, which is suspicious
Rule name:SUSP_LNK_SuspiciousCommands
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects LNK file with suspicious content

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments


Avatar
commented on 2026-03-03 15:38:08 UTC

Payload URLs:
http://fil.ydns.eu/sleahygtr/sleaked.js
https://pastefy.app/sLC7Jpkp/raw
https://yaso.su/raw/UpxC8OJX
http://fil.ydns.eu/kelechi/rnSepIe.txt