MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 20


Intelligence 20 IOCs YARA 32 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16
SHA3-384 hash: 288522336b866132fc965f221e4fcbd82b900303b8d8bdaba92861db24cd296eb10f5a95b009a8e9fe7aca25bd7c98e6
SHA1 hash: f878c2d6c10f14662f074a4fe7d3504f2da3636b
MD5 hash: 263bef23652302d7bfff37ed315f00cb
humanhash: high-red-earth-india
File name:Purchase Order-PO66576.cmd
Download: download sample
Signature Formbook
Create hunting rule
File size:1'147'392 bytes
First seen:2026-04-01 11:54:44 UTC
Last seen:2026-05-08 12:21:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'917 x AgentTesla, 19'820 x Formbook, 12'309 x SnakeKeylogger)
ssdeep 24576:P/NOASOd0Z2B5HN1mZZ/5xaLHBLA3XPK1riHdx47FVi5PUpA:tFSOdTXMnazO0rWHyVi5UpA
Threatray 2'674 similar samples on MalwareBazaar
TLSH T1F635F1442369E902D0A65FF00D71D3B847B96D85A412D313CFF6BDEBBC7A7916809293
TrID 21.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
21.2% (.EXE) Win64 Executable (generic) (6522/11/2)
16.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
14.6% (.EXE) Win32 Executable (generic) (4504/4/1)
6.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter threatcat_ch
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
CH CH
Vendor Threat Intelligence
Gathering data
Malware family:
formbook
Create hunting rule
ID:
1
File name:
01042026_0240_31032026_PurchaseOrder-PO66576.rar
Verdict:
Malicious activity
Analysis date:
2026-04-01 11:55:12 UTC
Tags:
arch-exec auto-startup susp-lnk formbook xloader stealer
Link:
https://app.any.run/tasks/83bed9f7-7985-4052-acf8-d1a7cf99c992

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/60057/
Detection(s):
SecuriteInfo.com.Win32.SuspectCrc.17001.4783.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69cd07a66363ca5d27f08b51
Tags:
autorun virus shell msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook lolbin masquerade obfuscated packed similar-threat tracker vbnet
Link:
https://www.filescan.io/uploads/69cd07a42346b9da57b6ae81/reports/48fe6f65-7ec3-46a3-9f19-28b536453b2f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-03-31T03:55:00Z UTC
Last seen:
2026-04-03T10:00:00Z UTC
Hits:
~1000
Detections:
Trojan-Spy.Win32.Noon.sb Trojan-Spy.Noon.HTTP.ServerRequest Trojan.MSIL.Inject.sb PDM:Trojan.Win32.Generic Backdoor.Agent.HTTP.C&C VHO:Trojan-PSW.Win32.Stealer.gen Trojan.MSIL.Dnoper.sb Trojan.MSIL.Crypt.sb Trojan.MSIL.Agent.sb HEUR:Trojan-Spy.MSIL.BPLogger.gen
Link:
https://opentip.kaspersky.com/cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16/results?tab=lookup
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9edca73-30ba-48bc-8212-04793f0816eb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1892043
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows shortcut file (LNK) contains suspicious command line arguments
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1892043 Sample: Purchase Order-PO66576.cmd.exe Startdate: 01/04/2026 Architecture: WINDOWS Score: 100 53 www.urbanulse.site 2->53 55 www.skygraduation.id 2->55 57 18 other IPs or domains 2->57 65 Suricata IDS alerts for network traffic 2->65 67 Antivirus detection for URL or domain 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 12 other signatures 2->71 11 Purchase Order-PO66576.cmd.exe 8 2->11         started        15 powershell.exe 19 2->15         started        17 svchost.exe 1 1 2->17         started        signatures3 process4 dnsIp5 43 C:\Users\user\AppData\...\HuXnAtJKyepdoZ.exe, PE32 11->43 dropped 45 C:\...\HuXnAtJKyepdoZ.exe:Zone.Identifier, ASCII 11->45 dropped 47 C:\Users\user\AppData\...\2casrv0sq10.ps1, ASCII 11->47 dropped 49 C:\...\Purchase Order-PO66576.cmd.exe.log, ASCII 11->49 dropped 81 Injects a PE file into a foreign processes 11->81 20 Purchase Order-PO66576.cmd.exe 11->20         started        23 HuXnAtJKyepdoZ.exe 3 15->23         started        25 conhost.exe 1 15->25         started        51 127.0.0.1 unknown unknown 17->51 file6 signatures7 process8 signatures9 73 Maps a DLL or memory area into another process 20->73 27 GP7i8miZy1.exe 20->27 injected 75 Multi AV Scanner detection for dropped file 23->75 77 Injects a PE file into a foreign processes 23->77 79 Unusual module load detection (module proxying) 23->79 29 HuXnAtJKyepdoZ.exe 23->29         started        process10 process11 31 wextract.exe 13 27->31         started        signatures12 83 Tries to steal Mail credentials (via file / registry access) 31->83 85 Tries to harvest and steal browser information (history, passwords, etc) 31->85 87 Modifies the context of a thread in another process (thread injection) 31->87 89 4 other signatures 31->89 34 JlBWdfb5tuW.exe 31->34 injected 37 chrome.exe 31->37         started        39 firefox.exe 31->39         started        process13 dnsIp14 59 rydfotografia.com 69.6.233.127, 49728, 49729, 49730 UNIFIEDLAYER-AS-1US United States 34->59 61 clubgea.cl 190.110.124.28, 49732, 49733, 49734 ServiciosInformaticosHostnameLtdaCL Chile 34->61 63 12 other IPs or domains 34->63 41 WerFault.exe 4 37->41         started        process15
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.34 Win 32 Exe x86
Link:
https://app.malva.re/file/263bef23652302d7bfff37ed315f00cb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16
Threat name:
ByteCode-MSIL.Trojan.DarkCloud
Create hunting rule
Status:
Malicious
First seen:
2026-03-31 07:45:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zwtklzwpvvhvrzuvho4tmw3aiseargogydqhtmngrjhrsorpdila._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
316fee57d6004b1838576bb178215c99b56a0bd37a012e8650cd2898041f6785
Formbook
47053b752966dd81947bb51b6a798f2d9844723bcd7fa2f02cd81ede6f38d5eb
Formbook
5a721e420c6fc129a198af6fd7458202c574cff68e0b60b4372a8af5767bd2d9
Formbook
61faeb3857dc422b26292ff17b24a2ed3cb18415f8c0a6f64a707c51a0a9c147
Formbook
ac5d5a1c08b75129823ff12311b40cab133ad654b70fb44a77c8c4c6453f3972
Formbook
c516363e147f458e1806ace3348ded638bfdeef92c663a2478940e45b95cb911
Formbook
efd00cb99be98e761546c2c362cd5d01502fb036dbeb64679fb7d41e8d1da1dd
Formbook
error
Formbook
+ 2'664 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery rat spyware stealer trojan
Link:
https://tria.ge/reports/260401-n3khlscs2q/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Formbook
Formbook family
Formbook payload
Unpacked files
SH256 hash:
cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16
MD5 hash:
263bef23652302d7bfff37ed315f00cb
SHA1 hash:
f878c2d6c10f14662f074a4fe7d3504f2da3636b
Link:
https://www.unpac.me/results/bdac6a9d-e9f4-4b9a-821a-64c73054ab7f/
SH256 hash:
cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16
MD5 hash:
263bef23652302d7bfff37ed315f00cb
SHA1 hash:
f878c2d6c10f14662f074a4fe7d3504f2da3636b
Link:
https://www.unpac.me/results/bdac6a9d-e9f4-4b9a-821a-64c73054ab7f/
SH256 hash:
13e76faa419c0bec2b2256d90290ae82f8361285f8d892cec9b1502b30c45921
MD5 hash:
29f769e8130eb055e01a5ae99f44a8f6
SHA1 hash:
4f2ca952c7eb7561d33d5767962eb67e660ed951
Link:
https://www.unpac.me/results/bdac6a9d-e9f4-4b9a-821a-64c73054ab7f/
SH256 hash:
6825add4a9f2dc590ffd4e2c653e5c8c4d574de2a42718453964ae04f7040226
MD5 hash:
b608808e1e7dd3c983d6e37d0e1f33a6
SHA1 hash:
e1ca89ae145d3bd12f6ccf1972dab894fdacd031
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/bdac6a9d-e9f4-4b9a-821a-64c73054ab7f/
SH256 hash:
06bdd639384f86791df60c7499ef32b223206990a77b5c3af28495f713448ec9
MD5 hash:
f53b0638dc8b3ad9a90974af6ee4e5a0
SHA1 hash:
faf16e7534123aca85834dfc96183e90aa7aeac2
Link:
https://www.unpac.me/results/bdac6a9d-e9f4-4b9a-821a-64c73054ab7f/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cda6a5e6cfad/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:dgaagas
Create hunting rule
Author:Harshit
Description:Uses certutil.exe to download a file named test.txt
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TH_Win_ETW_Bypass_2025_CYFARE
Create hunting rule
Author:CYFARE
Description:Windows ETW Bypass Detection Rule - 2025
Reference:https://cyfare.net/
Rule name:VECT_Ransomware
Create hunting rule
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe cda6a5e6cfad4f58e6953bb9365b6044880899c6c0e079b1a68a4f193a2f1a16

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/60057/

Comments