MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6cfae98ea15fddef48a3cf6658594ac38baf022fa116b917e67f1d449b95716. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 11 File information Comments

SHA256 hash:	c6cfae98ea15fddef48a3cf6658594ac38baf022fa116b917e67f1d449b95716
SHA3-384 hash:	b632dd168f8d44ea0743a7c6cdee3b216be737a524780b40810eed6967a55f7360d1d5c3621249c0c8d75f4f27474bf6
SHA1 hash:	ed48d04868a605453e52a482df5f5fdd287d609e
MD5 hash:	e77ae727c6534335f56804189e87bfa3
humanhash:	twenty-juliet-failed-mississippi
File name:	CV RESUME.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'298'432 bytes
First seen:	2025-06-28 10:24:38 UTC
Last seen:	2025-07-07 15:14:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0b768923437678ce375719e30b21693e (143 x Formbook, 25 x MassLogger, 22 x SnakeKeylogger)
ssdeep	24576:L5EmXFtKaL4/oFe5T9yyXYfP1ijXdaiGM5Xgt5bvDOutXK:LPVt/LZeJbInQRaiv5QRi8
Threatray	4'196 similar samples on MalwareBazaar
TLSH	T1EB55CF0273D1D066FF9B92334B5AF6115BBC79260123AA2F13981D79FA701B1463E7A3
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	threatcat_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

626

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

CV RESUME.exe

Verdict:

Malicious activity

Analysis date:

2025-06-28 10:27:53 UTC

Tags:

auto-startup

Link:

https://app.any.run/tasks/f80471ce-81f5-4494-b431-55a31e655366

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/11424/

Detection(s):

SecuriteInfo.com.Win32.Malware-gen.6326.5381.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=685fc3630fceda814b46952c

Tags:

autorun autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a file

Creating a process from a recently created file

Launching a process

Сreating synchronization primitives

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug autoit compiled-script entropy fingerprint keylogger microsoft_visual_cc obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/685fc36a45e80b29f8a3410b/reports/f4d93ebd-19a3-4a8b-b715-9fc57ce2b99a/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/c6cfae98ea15fddef48a3cf6658594ac38baf022fa116b917e67f1d449b95716

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/690ca399-35a1-4c0d-abb1-f8c8839a27bc

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c6cfae98ea15fddef48a3cf6658594ac38baf022fa116b917e67f1d449b95716

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c6cfae98ea15fddef48a3cf6658594ac38baf022fa116b917e67f1d449b95716/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/c6cfae98ea15fddef48a3cf6658594ac38baf022fa116b917e67f1d449b95716

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2025-06-27 03:58:16 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=y3h25ghkcx6555ekht3glbmuvq4lv4bc7iiwxel6m7y5isnzk4la._file

Verdict:

malicious

Label(s):

unc_loader_036

Formbook

3a85ae54aa037e1651b9c67673d6c6f9fd723b92b111431ce0d285fcb99aff17

Formbook

4857ee7f02efc4f90333790708097f4ad955beaaf41cdfe6ba11a5385a1ba8d5

Formbook

75d631734ecc86eee16c3775b08cf678d5ec0a24dbaa4b9edc09545b401dfa84

Formbook

88795ccbb26f764aa31d3e28c8df85f970334a67bc61b06682745b185900ea75

Formbook

9bd10c38c3710f535c41cfef05fb1e5e8275d918ddacdb67cff8a576140405c4

Formbook

c6cfae98ea15fddef48a3cf6658594ac38baf022fa116b917e67f1d449b95716

Formbook

error

Formbook

+ 4'186 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery

Link:

https://tria.ge/reports/250628-mfwrpaaj5s/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

AutoIT Executable

Suspicious use of SetThreadContext

Drops startup file

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/620d4876-d5ab-4b48-9f15-e6cbb09eee64

Unpacked files

SH256 hash:

c6cfae98ea15fddef48a3cf6658594ac38baf022fa116b917e67f1d449b95716

MD5 hash:

e77ae727c6534335f56804189e87bfa3

SHA1 hash:

ed48d04868a605453e52a482df5f5fdd287d609e

Link:

https://www.unpac.me/results/7cfea0ec-b768-4998-a355-2f086d2af721/

SH256 hash:

d55ddcd782cbf2a12dc53c70efd1089dbc66634ace9144167a2f7e460935a1fe

MD5 hash:

2ff9f42b954972e24ba3b4e36a1407e0

SHA1 hash:

cdbbbecc0986d6a87e82095abc97d559112f4caf

Link:

https://www.unpac.me/results/7cfea0ec-b768-4998-a355-2f086d2af721/

SH256 hash:

f3f85b8d84daa901761b92cf13c7167cc3d41d23e66ac5a125866e62afe3e7f7

MD5 hash:

98ce1c825c7bc37c82f04e906c9cf52e

SHA1 hash:

b5eb7f73675b109e9cdf7a9f3f59ba1f82470fb7

Link:

https://www.unpac.me/results/7cfea0ec-b768-4998-a355-2f086d2af721/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c6cfae98ea15/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c6cfae98ea15fddef48a3cf6658594ac38baf022fa116b917e67f1d449b95716

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

exe c6cfae98ea15fddef48a3cf6658594ac38baf022fa116b917e67f1d449b95716

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/11424/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample