MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8343e66198955a3fad718a52fc9ce96bba5cb2862ef76fce04591a047943cbcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8343e66198955a3fad718a52fc9ce96bba5cb2862ef76fce04591a047943cbcb
SHA3-384 hash: ebf6311033f7a853d385f4f84ad4fc844bafa0839325d571203c5f2938fd8408519d42941307ed269871136f7e2d8bb1
SHA1 hash: cac9af77c4f7518e66d7e9a4716e3a55852574ff
MD5 hash: cfec390f3eac2cf6020d967ebf1920c3
humanhash: dakota-undress-oxygen-lima
File name:New Inquiry PDF.js
Download: download sample
Signature Formbook
Create hunting rule
File size:7'668 bytes
First seen:2025-08-06 20:43:28 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:IG5YZzSSVGVNsVBOvK3qs93shbWJvDjKBXPYwFVSfO:IJZzbVGVNsVcvWqQ3shbWJLeBXDFVz
Threatray 23 similar samples on MalwareBazaar
TLSH T171F199C98EB315E5996FE458C91E93DF768C48428080BC31BB2F7695ABD043972FC2D6
Magika javascript
Reporter abuse_ch
Tags:FormBook js

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
SE SE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.88327644.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6893beb611d7f9b979e639cc
Tags:
remcos xtreme shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cscript lolbin obfuscated
Link:
https://www.filescan.io/uploads/6893be879ef4d2ff7ceef215/reports/a74ea548-6795-4317-bdb1-fcc1c13b8d44/overview
Verdict:
Malicious
Labled as:
Trojan.GenericS
Link:
https://www.hybrid-analysis.com/sample/8343e66198955a3fad718a52fc9ce96bba5cb2862ef76fce04591a047943cbcb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
evad.troj.expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1750281
Signature
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1750281 Sample: New Inquiry PDF.js Startdate: 05/08/2025 Architecture: WINDOWS Score: 100 37 dbestgroupz.fwh.is 2->37 39 ia803206.us.archive.org 2->39 41 6 other IPs or domains 2->41 53 Suricata IDS alerts for network traffic 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 11 other signatures 2->59 10 wscript.exe 1 1 2->10         started        signatures3 process4 signatures5 61 JScript performs obfuscated calls to suspicious functions 10->61 63 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->63 65 Suspicious execution chain found 10->65 13 cscript.exe 1 2 10->13         started        process6 dnsIp7 43 dbestgroupz.fwh.is 185.27.134.131, 49691, 49697, 80 WILDCARD-ASWildcardUKLimitedGB United Kingdom 13->43 67 JScript performs obfuscated calls to suspicious functions 13->67 69 Suspicious powershell command line found 13->69 71 Bypasses PowerShell execution policy 13->71 17 powershell.exe 15 17 13->17         started        21 conhost.exe 13->21         started        signatures8 process9 dnsIp10 33 archive.org 207.241.224.2, 443, 49692 INTERNET-ARCHIVEUS United States 17->33 35 ia803206.us.archive.org 207.241.234.126, 443, 49693 INTERNET-ARCHIVEUS United States 17->35 45 Found Tor onion address 17->45 47 Creates autostart registry keys with suspicious values (likely registry only malware) 17->47 49 Writes to foreign memory regions 17->49 51 2 other signatures 17->51 23 cmd.exe 1 17->23         started        25 conhost.exe 17->25         started        27 MSBuild.exe 17->27         started        29 2 other processes 17->29 signatures11 process12 process13 31 conhost.exe 23->31         started       
Score:
4%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/8343e66198955a3fad718a52fc9ce96bba5cb2862ef76fce04591a047943cbcb
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8343e66198955a3fad718a52fc9ce96bba5cb2862ef76fce04591a047943cbcb/
Verdict:
Malicious
Threat:
HEUR:Trojan.Script.SAgent
Link:
https://tip.neiki.dev/file/8343e66198955a3fad718a52fc9ce96bba5cb2862ef76fce04591a047943cbcb
Threat name:
Script-JS.Downloader.RemcosRAT
Create hunting rule
Status:
Malicious
First seen:
2025-08-05 01:23:35 UTC
File Type:
Binary
AV detection:
9 of 24 (37.50%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qnb6mymysvnd7llrrjjpzhhjno5fzmugf33w7tqelenai6kdzpfq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
049812e47d5334275a82320a30608d9a8e3fb192c340980f67e31375c96eae70
Formbook
0c60a7a985dc3e5dae7aedcccdd5370fc106959e12c59a1744744260a9cdb833
Formbook
11ea3046a5ea0ca54c9efee2b7a7f9da06d2a5bed1bb41447673d4ae0374c2d3
Formbook
267d2243fe320cdb65604a5d385dc0b1405596e8874fe4262f687d9f413ebf4c
Formbook
65c11f3f48285943334d96b4a9d8292b517020f40dcc3989648accdb7dfadc60
Formbook
a8d6f66d16d98baefb54cba98117106ad64788310db9112d1980b4ec302b5310
Formbook
b27ff5ca901be9f35f0a72a72ec97be60097a6b65829403583e98e7ccc4827b1
Formbook
dcc5e50b7931f67538ba5a423ec6366db60c0ef297f7d93fd5bbeeb0542cc87c
Formbook
df6eac509b37b2dfe3ced246b01167bf4c9d82a3ba0d20b3f3da90072dbd0d99
Formbook
error
Formbook
fd43d26f1db150f1ce6faa221521e0ac9d32ffc26fc835bdc564ce6d93a5ee84
Formbook
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/250806-zhzycaxj18/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://archive.org/download/msi_20250801/MSI.png
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8343e6619895/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments