MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff8d81f7d8af638ec6229c831ccb591a6ae6789a4f4938ab1143be902a9ca6b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff8d81f7d8af638ec6229c831ccb591a6ae6789a4f4938ab1143be902a9ca6b8
SHA3-384 hash: 02ff66612906b16d3e0971cdee8e6d08791f92542568a0dc323f15225bf9624994fc3a41df6d58ee825eaa6a74784df1
SHA1 hash: 4ad979041495a1f340b2d711c38f407a631983f7
MD5 hash: 8186bf9af10e4bccdd1e5e28f981fab7
humanhash: north-kansas-xray-steak
File name:nJusti_pago.tar
Download: download sample
Signature Formbook
Create hunting rule
File size:987'648 bytes
First seen:2026-02-27 15:30:08 UTC
Last seen:Never
File type: tar
MIME type:application/x-tar
ssdeep 24576:JXaVXbFfDTwbaCoMoZ2j7IRUCAm504gmfZoeYCQ:NobVDsmn4j8t04gmmL
TLSH T1D525230AE0B99463E9F11170043766B6FEBB6F1155A0838B67343F3F3DB58B18529693
TrID 62.9% (.TAR/GTAR) TAR - Tape ARchive (GNU) (17/3)
37.0% (.TAR) TAR - Tape ARchive (file) (10/3)
Magika tar
Reporter FXOLabs
Tags:FormBook tar

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
BR BR
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:Justi pago.exe
File size:985'832 bytes
SHA256 hash: 4a6b8d26d298279a62f2a27aa6a8a9b67db22a2195f9e4de3c19dccb0a0f8126
MD5 hash: f46329e59f449cdcd96a1d78b4e96f59
MIME type:application/x-dosexec
Signature Formbook
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Win32.SuspectCrc.28269.30489.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a1b8988fffa866e3b2cf43
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis signed soft-404
Link:
https://www.filescan.io/uploads/69a1b89110e80629d4f56dfc/reports/76fcde18-1f96-49e0-9627-3d3fcfa96da1/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ff8d81f7d8af638ec6229c831ccb591a6ae6789a4f4938ab1143be902a9ca6b8
Verdict:
Malicious
File Type:
tar
Link:
https://opentip.kaspersky.com/ff8d81f7d8af638ec6229c831ccb591a6ae6789a4f4938ab1143be902a9ca6b8/results?tab=lookup
Score:
98%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/ff8d81f7d8af638ec6229c831ccb591a6ae6789a4f4938ab1143be902a9ca6b8
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff8d81f7d8af638ec6229c831ccb591a6ae6789a4f4938ab1143be902a9ca6b8/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/ff8d81f7d8af638ec6229c831ccb591a6ae6789a4f4938ab1143be902a9ca6b8
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-02-27 11:23:37 UTC
File Type:
Binary (Archive)
Extracted files:
37
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=76gyd56yv5ry5rrctsbrzs2zdjvom6e2j5etrkyrio7jaku4u24a._file
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader discovery downloader rat spyware stealer trojan
Link:
https://tria.ge/reports/260227-tldxdsex4f/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Contacts third-party web service commonly abused for C2
Loads dropped DLL
Formbook payload
Formbook
Formbook family
Guloader family
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ff8d81f7d8af638ec6229c831ccb591a6ae6789a4f4938ab1143be902a9ca6b8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

tar ff8d81f7d8af638ec6229c831ccb591a6ae6789a4f4938ab1143be902a9ca6b8

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments