MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2b4042826e99d55fdf40f578cb9893c20c1295aff36abb1065bcaf25147e3be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2b4042826e99d55fdf40f578cb9893c20c1295aff36abb1065bcaf25147e3be
SHA3-384 hash: 7002c373e4c019f2aa5278f9c7dca2ef77d54c6f955545e3c3299cb51d163bd5766ce2135a3acd205af1058e9518573c
SHA1 hash: aea6a50ffa9d0d55bed67532eaa976933a5baa1e
MD5 hash: 75b0e7b9087968658ec613d2389cd73a
humanhash: louisiana-speaker-failed-cup
File name:PO PUR-2504003.gz
Download: download sample
Signature Formbook
Create hunting rule
File size:3'128 bytes
First seen:2025-12-09 09:27:51 UTC
Last seen:Never
File type: gz
MIME type:application/x-rar
ssdeep 96:jNSSQBnejmZUUMdJy+3/JJsUCYH9eFc+g:jkpZeiZWTyCjaYH9aE
TLSH T1CC513C80F4C4ACB2DEA80AB11BE7B4845C5951222C311996BAC9F770BFB1C2AB8046E0
TrID 61.5% (.RAR) RAR compressed archive (v5.0) (8000/1)
38.4% (.RAR) RAR compressed archive (gen) (5000/1)
Magika rar
Reporter cocaman
Tags:FormBook gz


Avatar
cocaman
Malicious email (T1566.001)
From: "Khrueathao, Kanyanat<kanyanat.khrueathao@nitto.com>" (likely spoofed)
Received: "from mail.surizia.com (mail.surizia.com [104.129.61.60]) "
Date: "8 Dec 2025 01:11:24 -0800"
Subject: "New PO_PV255427 - FRONT COVER 4-426-830-01 "
Attachment: "PO PUR-2504003.gz"

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
CH CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:PO PUR-2504003.js
File size:2'820'805 bytes
SHA256 hash: b8f47c426fffb89ab525c1829e78363e16b2eaa1bb2ac49d8f73de2f22727e48
MD5 hash: c442e5c8d70217d8027c56ba2e48d08c
MIME type:text/plain
Signature Formbook
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/ea8662c3-1b01-437c-bdd0-7e4dff6831da/
Detection(s):
Sanesecurity.Foxhole.JS_Rar_1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Suspicious-Rar-JS.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693705ccdb58e1a2c22ba0e9
Tags:
obfuscate xtreme shell
Verdict:
Suspicious
Labled as:
ABTrojan.SXOG
Link:
https://www.hybrid-analysis.com/sample/e2b4042826e99d55fdf40f578cb9893c20c1295aff36abb1065bcaf25147e3be
Verdict:
Malicious
File Type:
rar
First seen:
2025-12-08T19:26:00Z UTC
Last seen:
2025-12-10T10:49:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/e2b4042826e99d55fdf40f578cb9893c20c1295aff36abb1065bcaf25147e3be/results?tab=lookup
Verdict:
inconclusive
YARA:
1 match(es)
Tags:
Rar Archive
Link:
https://app.malva.re/file/75b0e7b9087968658ec613d2389cd73a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2b4042826e99d55fdf40f578cb9893c20c1295aff36abb1065bcaf25147e3be/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/e2b4042826e99d55fdf40f578cb9893c20c1295aff36abb1065bcaf25147e3be
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-12-08 11:04:03 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
15 of 38 (39.47%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4k2aikbg5govl7pub5lyzomjhqqmckk2743kxmiglpfpeukh4o7a._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook adware discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251209-n3lexawmfy/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Process spawned unexpected child process
Malware Config
Dropper Extraction:
https://bvaco.com/js/panel/uploads/optimized_MSI.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e2b4042826e99d55fdf40f578cb9893c20c1295aff36abb1065bcaf25147e3be

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz e2b4042826e99d55fdf40f578cb9893c20c1295aff36abb1065bcaf25147e3be

(this sample)

Formbook

Java Script (JS) js b8f47c426fffb89ab525c1829e78363e16b2eaa1bb2ac49d8f73de2f22727e48

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 b8f47c426fffb89ab525c1829e78363e16b2eaa1bb2ac49d8f73de2f22727e48
  
Dropping
Formbook
  
Dropping
MD5 c442e5c8d70217d8027c56ba2e48d08c

Comments