MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04
SHA3-384 hash: 2c47957fece37615c9495ac8c411baf77028925ba36806d75a8c3233b0aca44c5c5c55309022c68f4f2acc106553038a
SHA1 hash: 827125a99db81d5905f9518ec88ea3bc966908d9
MD5 hash: d091653400c6db41ff12d0ae4efae481
humanhash: football-rugby-artist-minnesota
File name:f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04
Download: download sample
Signature Formbook
Create hunting rule
File size:750'592 bytes
First seen:2025-09-05 13:02:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:LxUzMLrDng5yeKQCm4H8RziSi6L8vghGfcEJYvcs1saou39Hcp/31medguYhan2:NUYDng5tZ4HwLlwfHY03nHP
Threatray 819 similar samples on MalwareBazaar
TLSH T121F4129422E5E711C1FA6BF86871E33443B87E9A3412D7055FEA7DEB3C24B51A8443A3
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
e3e4c11ccd80352744ca8faa66e6ab61edb3b1d2339477856e291b37c076fdca.zip
Verdict:
Malicious activity
Analysis date:
2025-08-20 03:56:28 UTC
Tags:
arch-exec netreactor stealer formbook xloader
Link:
https://app.any.run/tasks/ea0bed2a-c4ca-4031-94da-1e846ad1a0d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/25548/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3393.32165.3058.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68badfb5eb163e0ec1848168
Tags:
virus spawn shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Creating a file
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
explorer lolbin obfuscated obfuscated packed packed packer_detected vbnet
Link:
https://www.filescan.io/uploads/68baea5720d0ee406d96b786/reports/4098a713-6dc8-46bf-8f33-d6bedb73e2b2/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-19T22:13:00Z UTC
Last seen:
2025-08-19T22:13:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/49865981-1602-4dcb-a997-75e842d51179
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.37 Win 32 Exe x86
Link:
https://app.malva.re/file/d091653400c6db41ff12d0ae4efae481
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2025-08-20 01:22:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7fhtnlk6q5dptoo5nir6a6oy2exq4voutklmoyolus43xxttj4ca._file
Verdict:
malicious
Label(s):
unc_loader_037
Create hunting rule
formbook
Create hunting rule
Similar samples:
120449b84850ba5b41e73f85e2f178271dd1cd0b8743f1e5af6ef760aa39b199
Formbook
2c35c24bdd434cf329bb45dce96e7499cdd231f182c9e679a01770fc006aac69
Formbook
4824c73de2a144d3e4fbca50cb9fe2a81dda794258c6c9de45caf3572d17e145
Formbook
4da133b1ed7d9098b7b76b888472c069a08da9334cac292ea995c113d54812e3
Formbook
842dc19cf33d84748f6d47ed991f212b19c04e614b1fdec55afa8e7a428e612c
Formbook
b27f17a52b7a491a0887307a8e4984f283b8076c1e49d535863068c51758c8bc
Formbook
cba5a4c3813bbce1dfd6591d94bdd59e773c33d06d4a534da0b3cb527f0a9f7b
Formbook
error
Formbook
+ 809 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250905-q4hrhsar3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d1266723-8974-4d30-a9c7-2c8f8b7e3796
Unpacked files
SH256 hash:
f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04
MD5 hash:
d091653400c6db41ff12d0ae4efae481
SHA1 hash:
827125a99db81d5905f9518ec88ea3bc966908d9
Link:
https://www.unpac.me/results/2d8cd4e9-3c9c-4863-b416-9b2c017ad3aa/
SH256 hash:
7b90dfa5a1e1cb97014bb839dfe66577109a9bfdebf37a1d943747fd6297ec54
MD5 hash:
175a8b2e9d8e3bf7a1920fc6b93371f4
SHA1 hash:
054b4bc3e37be1e79020b0a49fcbb308a5ce2916
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2d8cd4e9-3c9c-4863-b416-9b2c017ad3aa/
Parent samples :
17e0c7518d7529f547024299249ba52280ef8832a59065b51084d2363735f0c3
ed67e313856d24ddff3ab5d32f7c008091dba877cc81c20f231915ddc47aa495
7d3c778bdf96a09329ff48320375c3b3f902fb0c60a6dcc3e84c74c29a925ad7
b825530e6ae318301d55258b6cb986139eb8305282ec8f2d5c10ddd85372b5e8
585f964ab32e7e8b968f4d6f3c8395d757abc7bd22afc3ea04f31fd381fb4c5e
e716163f54adee3d2033774eb284550be239f8fa3027ce66724173f822a1131d
b61f96d853d5363fbd77d8b465c9394bb606c7e5e44717aa9230098c2caea281
f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04
bb17aae78c989184f3618223ea0e06d307fee6a6467ba61bb4b9e15ca42cf06c
2e6ea2095b92809d61b9033fea61c32f672aedda1d736b6a38925ca19d27c16d
SH256 hash:
c6d60625cf125f8667269925e9845d37d979a101cc7143590bd1dd28a654e6e2
MD5 hash:
51734f0ed37a35ac3b2bfbf539d35ffb
SHA1 hash:
cd569180511ec590b545ef8d130ad92d85dacf44
Link:
https://www.unpac.me/results/2d8cd4e9-3c9c-4863-b416-9b2c017ad3aa/
SH256 hash:
64e379cd41e44400d2c8ffb19e22ec71bd08d4cfecdab02cc2f1df021307cf47
MD5 hash:
ad4ec87a6a114f4b74d1a3fe2608aa7c
SHA1 hash:
feff252261dd3771bb76cd9baf90bef24acf04f1
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/2d8cd4e9-3c9c-4863-b416-9b2c017ad3aa/
SH256 hash:
a2ea1de1cb0e35fb5a8fb9b94eb72cadf5102dbffb9abae826b7405b87591e6a
MD5 hash:
6af68eb407618acf9aa7c59631859c1a
SHA1 hash:
1807633062a748315ee78afafb7fc8968abb0360
Link:
https://www.unpac.me/results/2d8cd4e9-3c9c-4863-b416-9b2c017ad3aa/
Malware family:
zgRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f94f36ad5e87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/25548/

Comments