MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdfac85d4b1e626b1ef7645afd5ddc84ed619d705a9b87b6d8e3560fa295a57e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdfac85d4b1e626b1ef7645afd5ddc84ed619d705a9b87b6d8e3560fa295a57e
SHA3-384 hash: e6597818507546f498e0a2c1653b8b3a4e38ea473ab158e7cec841e67fc196378fdc85ba12923300410ffe723d4e0d51
SHA1 hash: 80894ac945204dee7e9e65919af32f55267e29ff
MD5 hash: 94c4654065f3878fd4b14ef7ca8bb510
humanhash: solar-dakota-monkey-missouri
File name:2026-os árajánlatkérés.bat
Download: download sample
Signature Formbook
Create hunting rule
File size:2'808 bytes
First seen:2026-03-10 08:00:58 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 48:wR8vOhOklAnFpDZLXUrG8CPb7IK+H+YKH6GG9oaRq3weMErOKKQSuBLf:wR8fXFp1LXUrGJIKWKaGGG7ME68Supf
Threatray 2'471 similar samples on MalwareBazaar
TLSH T1BF51A68F358CD34DF803023117778B12CEE6D69F00341FA4D08A70939BE7A569A8E588
Magika txt
Reporter smica83
Tags:bat FormBook HUN

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
HU HU
Vendor Threat Intelligence
No detections
Malware family:
n/a
ID:
1
File name:
2026-os árajánlatkérés.bat
Verdict:
No threats detected
Analysis date:
2026-03-10 08:02:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aae489c5-f851-47b4-a84e-c23a4c793321

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/56914/
Detection(s):
SecuriteInfo.com.PUA.IA.Suspicious.35545169.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69afcfdee41a5a099931b0cd
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 cloudeye obfuscated powershell powershell
Link:
https://www.filescan.io/uploads/69afcfda9eaae8465946e9ed/reports/69ac2cd5-3568-43b5-8e8f-2b27145a25c2/overview
Verdict:
Suspicious
Labled as:
PowerShell/CloudEye.DV trojan
Link:
https://www.hybrid-analysis.com/sample/fdfac85d4b1e626b1ef7645afd5ddc84ed619d705a9b87b6d8e3560fa295a57e
Verdict:
Malicious
File Type:
ps1
Detections:
Trojan-Downloader.PowerShell.Agent.sb Trojan.PowerShell.Strion.sb
Link:
https://opentip.kaspersky.com/fdfac85d4b1e626b1ef7645afd5ddc84ed619d705a9b87b6d8e3560fa295a57e/results?tab=lookup
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1881049
Signature
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a MSI (Microsoft Installer) remotely
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Performs DNS queries to domains with low reputation
Sigma detected: Potential PowerShell Command Line Obfuscation
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1881049 Sample: 2026-os #U00e1raj#U00e1nlat... Startdate: 10/03/2026 Architecture: WINDOWS Score: 100 56 www.nexratech.xyz 2->56 58 www.urbanclean-services.fr 2->58 60 25 other IPs or domains 2->60 70 Suricata IDS alerts for network traffic 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Yara detected FormBook 2->74 78 6 other signatures 2->78 11 powershell.exe 17 2->11         started        14 cmd.exe 1 2->14         started        16 svchost.exe 1 1 2->16         started        signatures3 76 Performs DNS queries to domains with low reputation 56->76 process4 dnsIp5 98 Writes to foreign memory regions 11->98 100 Found suspicious powershell code related to unpacking or dynamic code loading 11->100 102 Hides threads from debuggers 11->102 108 3 other signatures 11->108 19 dxdiag.exe 6 11->19         started        23 conhost.exe 11->23         started        25 msiexec.exe 11->25         started        31 11 other processes 11->31 104 Suspicious powershell command line found 14->104 106 Obfuscated command line found 14->106 27 powershell.exe 14 18 14->27         started        29 conhost.exe 14->29         started        48 127.0.0.1 unknown unknown 16->48 signatures6 process7 dnsIp8 62 142.250.190.238, 443, 49727 GOOGLEUS United States 19->62 80 Maps a DLL or memory area into another process 19->80 82 Hides threads from debuggers 19->82 84 Installs a MSI (Microsoft Installer) remotely 19->84 88 2 other signatures 19->88 33 hchH8SdV.exe 19->33 injected 37 msiexec.exe 19->37         started        64 drive.google.com 142.251.211.142, 443, 49714 GOOGLEUS United States 27->64 66 drive.usercontent.google.com 142.251.211.97, 443, 49715, 49728 GOOGLEUS United States 27->66 86 Found suspicious powershell code related to unpacking or dynamic code loading 27->86 signatures9 process10 dnsIp11 50 lytostech.online 69.6.249.155, 49748, 49749, 49750 UNIFIEDLAYER-AS-1US United States 33->50 52 www.downsdk.com 192.249.94.211, 49756, 49757, 49758 ULAN-NETWORK-LIMITEDULanNetworkLimitedHK United States 33->52 54 10 other IPs or domains 33->54 68 Maps a DLL or memory area into another process 33->68 39 DWWIN.EXE 13 33->39         started        signatures12 process13 signatures14 90 Tries to steal Mail credentials (via file / registry access) 39->90 92 Tries to harvest and steal browser information (history, passwords, etc) 39->92 94 Modifies the context of a thread in another process (thread injection) 39->94 96 3 other signatures 39->96 42 chrome.exe 39->42         started        44 firefox.exe 39->44         started        process15 process16 46 WerFault.exe 4 42->46         started       
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/fdfac85d4b1e626b1ef7645afd5ddc84ed619d705a9b87b6d8e3560fa295a57e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fdfac85d4b1e626b1ef7645afd5ddc84ed619d705a9b87b6d8e3560fa295a57e/
Verdict:
Malicious
Threat:
Trojan.PowerShell.Strion
Link:
https://tip.neiki.dev/file/fdfac85d4b1e626b1ef7645afd5ddc84ed619d705a9b87b6d8e3560fa295a57e
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-03-10 08:01:41 UTC
File Type:
Text (Batch)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7x5mqxkldzrgwhxxmrnp2xo4qtwwdhlqlknypnwy4nla7iuvuv7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
15f59282ba4232125d82540bcaf82e77047b209ca34c092c84061cd43e835ace
Formbook
161a1575e84ea9637ad7d7905c008f06b2146dc5d46bb44b76763601d26c39e6
Formbook
38c41cc8ae7a37a03db5919d8972d76fd7c8aced886fd25c1ef912927e5d8df6
Formbook
5ca2ad629da920bdd3ee4316019a390d254df0bda2918e9fd57ff623d7fba5a3
Formbook
64864ac10f2be65fe3a7c632f629c20187fe9ca2181f97919d5c46f017a9e31c
Formbook
735d0d3e060109a3bbd3d986a45a3d1fbc50d51fd4231c330dbb94ee8aa7576b
Formbook
abd99bf17b7cf13044a064cfd6d73d38a19706ba46222e05e4893b188fbe9cd9
Formbook
b0e8491d0558fe31d0e2f591e7c09beb20321b5551b008dec47da8c1b14c28ca
Formbook
bdcbaac3992e430d7db16978bc9b7ae1a4b6da4a04d471054367ff7ca4e1c37b
Formbook
error
Formbook
f6469663f0a38647f54764309023eefa956a37e381b7b6fabe2882b75464bd8b
Formbook
+ 2'461 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader discovery downloader execution persistence privilege_escalation
Link:
https://tria.ge/reports/260310-jws4ysfw3j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Contacts third-party web service commonly abused for C2
Use of msiexec (install) with remote resource
Badlisted process makes network request
Guloader family
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/56914/

Comments