MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cee3ad80393d6f7f61734717cbd140f584a467a28f39ae08c07e15c40b3b3125. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

Intelligence 16 IOCs YARA 10 File information Comments

SHA256 hash:	cee3ad80393d6f7f61734717cbd140f584a467a28f39ae08c07e15c40b3b3125
SHA3-384 hash:	56611f8c48443360fa4101d02bd8753e82b321961c67f3a831d0bea303b083b058dda7b8fbbb4c00c49422062898674a
SHA1 hash:	48e4de2e3c78960c87a69514b9fb1c5a8afdc388
MD5 hash:	9c385e94f5e705d56612f69873ff0566
humanhash:	berlin-victor-william-football
File name:	PO-071924677.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	793'088 bytes
First seen:	2025-10-21 12:00:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	24576:m8f7bTDXeF4dOyvAFTlM3E9N8SZP0z51Jexk/rl:lf7OcvR3S9P0zLJea
Threatray	2'112 similar samples on MalwareBazaar
TLSH	T162F40155376AEF22E9A22BF019A1D37113B49E0EB810D3074FEA7CCB746AF052959743
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	Anonymous
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

175

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO-071924677.exe

Verdict:

No threats detected

Analysis date:

2025-10-21 12:01:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/93b6db98-d405-4e7e-933d-d8ed6328565d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/33629/

Verdict:

Malicious

Score:

94.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68f77609ad6ce0f5ad404d1f

Tags:

shell micro spawn

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Creating a process with a hidden window

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Сreating synchronization primitives

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 bitmap lolbin lolbin msbuild obfuscated packed packed phishing reconnaissance redcap regsvcs rezer0 roboski schtasks stego tracker vbc vbnet zero

Link:

https://www.filescan.io/uploads/68f775fa2903944f31cea23c/reports/df6b5a32-9f3d-4d63-a9e4-11790f4a802c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/cee3ad80393d6f7f61734717cbd140f584a467a28f39ae08c07e15c40b3b3125

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-21T04:20:00Z UTC

Last seen:

2025-10-23T10:05:00Z UTC

Hits:

~100

Detections:

Trojan.MSIL.Crypt.sb VHO:Trojan-PSW.Win32.Convagent.gen PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.Remcos.gen Trojan-Spy.Win32.Noon.sb Trojan.MSIL.Taskun.sb Trojan.MSIL.Inject.sb

Link:

https://opentip.kaspersky.com/cee3ad80393d6f7f61734717cbd140f584a467a28f39ae08c07e15c40b3b3125/results?tab=lookup

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/91512de8-04d6-43f7-8b2f-28e0b831068c

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/cee3ad80393d6f7f61734717cbd140f584a467a28f39ae08c07e15c40b3b3125

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

.Net Executable Managed .NET PDB Path PE (Portable Executable) PE File Layout SOS: 0.47 Win 32 Exe x86

Link:

https://app.malva.re/file/9c385e94f5e705d56612f69873ff0566

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cee3ad80393d6f7f61734717cbd140f584a467a28f39ae08c07e15c40b3b3125/

Verdict:

Malicious

Threat:

Family.FORMBOOK

Link:

https://tip.neiki.dev/file/cee3ad80393d6f7f61734717cbd140f584a467a28f39ae08c07e15c40b3b3125

Threat name:

Win32.Trojan.Kepavll

Status:

Malicious

First seen:

2025-10-21 07:48:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z3r23abzhvxx6ylti4l4xuka6wckiz5cr4424cgapyk4icz3gesq._file

Verdict:

malicious

Label(s):

unc_loader_037

formbook

Formbook

8277de2a08c7a135350fa8498699a86bfd28ebf31402908dc523b2eef07084fd

Formbook

9471113f122f0c1a515558bbf07c246c508ef897450ab9edc8bcda3ee7d8cd54

Formbook

c8d422b9b30d4c547f93d1c54986207c53f305ce91f74b03409db39237b25363

Formbook

cee3ad80393d6f7f61734717cbd140f584a467a28f39ae08c07e15c40b3b3125

Formbook

error

Formbook

f9926b77fd47dffc66e6f22e4ecd4d0f1b1b3e4b768064bb22b64be3094569f6

Formbook

+ 2'102 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery execution rat spyware stealer trojan

Link:

https://tria.ge/reports/251021-n6t68awpbz/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

SmartAssembly .NET packer

Suspicious use of SetThreadContext

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Formbook family

Unpacked files

SH256 hash:

cee3ad80393d6f7f61734717cbd140f584a467a28f39ae08c07e15c40b3b3125

MD5 hash:

9c385e94f5e705d56612f69873ff0566

SHA1 hash:

48e4de2e3c78960c87a69514b9fb1c5a8afdc388

Link:

https://www.unpac.me/results/fb177833-2e55-415d-91a2-0c8881c7105c/

SH256 hash:

9f2bdadb8926bf6157c7487e994ec28657f9415fd2fdf97a5ba82ba12e24046a

MD5 hash:

0e1119a6df48b550ad1353d136297ef3

SHA1 hash:

3f89b2297c1e0a29932eb25741a51538e005d565

Link:

https://www.unpac.me/results/fb177833-2e55-415d-91a2-0c8881c7105c/

SH256 hash:

eaa44181361c7c1c33d21e57db5c24e7f9e86675113a87acd2d03451d69847aa

MD5 hash:

b466e9f0cd6bbd3fc7f8953310d162c4

SHA1 hash:

73927a236ccdd39874009a3649a2ce64e00d9bbb

Link:

https://www.unpac.me/results/fb177833-2e55-415d-91a2-0c8881c7105c/

SH256 hash:

9bdf78f44ad0414b8ea026bd614d596f7b364db8fec38f534bb804aa73c77ddd

MD5 hash:

1b27f4ca6d90e3a5f689b58ac3a0b7a2

SHA1 hash:

b2b24aad4b539e01cad0f7a03394841274e3ceba

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/fb177833-2e55-415d-91a2-0c8881c7105c/

SH256 hash:

9cfb12b8f0cad92ff392e6200800089dcd29cdf0f453ab29ebd62ab13c286496

MD5 hash:

c46389c1ee25b4a8f4abce8d967a342b

SHA1 hash:

614f991dd1a5f0730b610536412d53edb03735b5

Link:

https://www.unpac.me/results/fb177833-2e55-415d-91a2-0c8881c7105c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cee3ad80393d6f7f61734717cbd140f584a467a28f39ae08c07e15c40b3b3125

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Formbook Create hunting rule
Author:	kevoreilly
Description:	Formbook Payload

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/33629/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample