MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33e3c3bacfaf4035d13503a8855e5f1c17b5801ea988e72e2bb939ab58c12f39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 18


Intelligence 18 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33e3c3bacfaf4035d13503a8855e5f1c17b5801ea988e72e2bb939ab58c12f39
SHA3-384 hash: b3b931984d2fff4a233897a7baf042c532b0f61571136e6362bb20a4423e85663ffd43b9f89a3ade936b21578e9b7989
SHA1 hash: d589e401589d8f55c479c906aea19c541e6bde3e
MD5 hash: d2d7a606998c511fd96728b2bb660078
humanhash: romeo-sweet-steak-mobile
File name:33e3c3bacfaf4035d13503a8855e5f1c17b5801ea988e72e2bb939ab58c12f39
Download: download sample
Signature Formbook
Create hunting rule
File size:873'992 bytes
First seen:2025-10-09 14:54:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:XbhqhqhdCcFe/BChrFt4Zv9sp2GE/sl7lt1EvbXZVMr56UmlMPkR:XbhqhqhHSvZl6Eq7/Gv9VM7ml7
Threatray 2'015 similar samples on MalwareBazaar
TLSH T11105E0513EC69D03C5F78AB90DA0DF384B6D7DCBA430C1AE6ADE9DAFB8947401C0855A
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4504/4/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter adrian__luca
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
57
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
OVERDUE INVOICES.zip
Verdict:
Malicious activity
Analysis date:
2025-09-25 12:06:49 UTC
Tags:
arch-exec formbook stealer xloader
Link:
https://app.any.run/tasks/0da69629-6d1b-4340-8556-190d9f9c3bc9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31744/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e7cf7b8b7b147cc4b62dd6
Tags:
virus spawn msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature negasteal obfuscated packed packed packer_detected signed vbnet
Link:
https://www.filescan.io/uploads/68e7e748c74bd2958b174c62/reports/14663965-d15a-48a8-8203-7ea6c22daf13/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/33e3c3bacfaf4035d13503a8855e5f1c17b5801ea988e72e2bb939ab58c12f39
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-24T22:07:00Z UTC
Last seen:
2025-10-07T08:11:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/33e3c3bacfaf4035d13503a8855e5f1c17b5801ea988e72e2bb939ab58c12f39/results?tab=lookup
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d4954a06-cfb9-4334-ae36-df029abaa0e5
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/33e3c3bacfaf4035d13503a8855e5f1c17b5801ea988e72e2bb939ab58c12f39
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.36 Win 32 Exe x86
Link:
https://app.malva.re/file/d2d7a606998c511fd96728b2bb660078
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33e3c3bacfaf4035d13503a8855e5f1c17b5801ea988e72e2bb939ab58c12f39/
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-09-25 02:28:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gpr4howpv5adlujvaouikxs7dql3laa6vgeoolrlxe42wwgbf44q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_078
Create hunting rule
unc_loader_037
Create hunting rule
Similar samples:
31067e4964e4e4c454217fd32a1e68221ae3f470be4faf28a85e48eaccf39162
Formbook
4f9df0124b362959024305dead04b4637ff379d2cc1b94962fddc9acd039bad4
Formbook
50c0d11e8f7153f1129643673ded00e74fe4cb9e929b0a97d9c5bcf983805e41
Formbook
ab560f8779a244097805aae7b6c95eecd6de7909c9ca0bffa7f6a7fda28eb6b2
Formbook
ada71baf53aaee00fdd7839175e9f688dea0365cd09a500c68187d3565c2c1b0
Formbook
b3c42ac0d9356260564780ae62be7b241024aa8da3df358f48a1097e6926d86b
Formbook
e087ef304badb09dbb8b38a88337c5e2d4a0d3fc174d75817e622fdd8f5a6722
Formbook
error
Formbook
+ 2'005 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook defense_evasion discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251009-t8k9zswxay/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7c0f3215-a1b9-4f71-b747-3ee19e95d6b3
Unpacked files
SH256 hash:
33e3c3bacfaf4035d13503a8855e5f1c17b5801ea988e72e2bb939ab58c12f39
MD5 hash:
d2d7a606998c511fd96728b2bb660078
SHA1 hash:
d589e401589d8f55c479c906aea19c541e6bde3e
Link:
https://www.unpac.me/results/7f12593a-22d6-43ac-b1de-0297636466d6/
SH256 hash:
57dacc029e706ae184b9f8c3f8efe78b04919967b622d84261d2bf6cc7b1ff62
MD5 hash:
e0d6c5d15b34e08ed4602a1f2a22dd00
SHA1 hash:
129df54a2a54863c5fa96531d12be6702ed302cc
Link:
https://www.unpac.me/results/7f12593a-22d6-43ac-b1de-0297636466d6/
SH256 hash:
a468fcb84f57afdccfcd73c26c9b54e90a7836adf88c9810700debf6a6ea5cb7
MD5 hash:
f56593d3d027b2f65925a6b2d9421bed
SHA1 hash:
74993174439e3bbb2d052098ad2e303e6ecf3e89
Link:
https://www.unpac.me/results/7f12593a-22d6-43ac-b1de-0297636466d6/
SH256 hash:
01651992f62bf7bad90c2336cc34eabd3796c1665aa7f1ad4abd890ac746b0ca
MD5 hash:
eb7c71336f2b16170387c237abce3c84
SHA1 hash:
c1c5cb45da9520a7deb214a59a574546709fded9
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/7f12593a-22d6-43ac-b1de-0297636466d6/
SH256 hash:
fb9c14e9db60c4bf660b45586e35ba1413be52f94ca8110fb7fe39c13b7a7e2d
MD5 hash:
e43d4e20310d5b28cc5124d585ae1beb
SHA1 hash:
23853906f140e6b7cbc547fb7da0f33a9e203667
Link:
https://www.unpac.me/results/7f12593a-22d6-43ac-b1de-0297636466d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33e3c3bacfaf4035d13503a8855e5f1c17b5801ea988e72e2bb939ab58c12f39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/31744/

Comments