MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 072390f5cd7fcc48e7f9c622adadbb70e58ec12ec3740897ce267e075a27033e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 072390f5cd7fcc48e7f9c622adadbb70e58ec12ec3740897ce267e075a27033e
SHA3-384 hash: 101e3278aa5b9cc8161a645f2fe5b79c72e9c99184a04a8a5f93d0c9c3b9d9b3f0c77a2507c11742e6c163c24b1f3678
SHA1 hash: 3063153a274fe91f0a10e6c13d5d92dae2930fae
MD5 hash: ccdb198acfc88d4d5df9659d44b49397
humanhash: lemon-delaware-paris-speaker
File name:Request-for-Quotation.js
Download: download sample
Signature Formbook
Create hunting rule
File size:1'204'358 bytes
First seen:2026-03-18 09:47:09 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:iQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQw:wPHS
Threatray 2'686 similar samples on MalwareBazaar
TLSH T10145D893361730D84CAA17E78AB1FF21ED475207BB973A6B97D834EB82BD5D94243024
Magika javascript
Reporter abuse_ch
Tags:FormBook js

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b8a36393b644ca466ac889
Tags:
obfuscate xtreme virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint obfuscated obfuscated overlay packed powershell repaired
Link:
https://www.filescan.io/uploads/69ba74a52000fc76c3e8e4ba/reports/2cd08adb-0ccf-40c4-80a9-6e24895e1bbc/overview
Verdict:
Malicious
Labled as:
JS/Agent.DGD9
Link:
https://www.hybrid-analysis.com/sample/072390f5cd7fcc48e7f9c622adadbb70e58ec12ec3740897ce267e075a27033e
Result
Gathering data
Verdict:
Malicious
File Type:
js
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.Script.SAgent.gen HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/072390f5cd7fcc48e7f9c622adadbb70e58ec12ec3740897ce267e075a27033e/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1885484
Signature
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates processes via WMI
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1885484 Sample: Request-for-Quotation.js Startdate: 18/03/2026 Architecture: WINDOWS Score: 100 39 www.wiznap.com 2->39 41 www.sgu-consulting.com 2->41 43 18 other IPs or domains 2->43 61 Suricata IDS alerts for network traffic 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for URL or domain 2->65 67 8 other signatures 2->67 12 wscript.exe 1 2->12         started        signatures3 process4 signatures5 83 Suspicious powershell command line found 12->83 85 Wscript starts Powershell (via cmd or directly) 12->85 87 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->87 89 2 other signatures 12->89 15 powershell.exe 14 15 12->15         started        process6 dnsIp7 51 resc.cloudinary.com.cdn.cloudflare.net 104.16.79.6, 443, 49720 CLOUDFLARENETUS United States 15->51 53 pub-8dfc53689d2141dd8655689c85a38c6c.r2.dev 104.18.54.45, 443, 49724 CLOUDFLARENETUS United States 15->53 55 Writes to foreign memory regions 15->55 57 Injects a PE file into a foreign processes 15->57 59 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 15->59 19 MSBuild.exe 15->19         started        22 conhost.exe 15->22         started        signatures8 process9 signatures10 69 Maps a DLL or memory area into another process 19->69 71 Unusual module load detection (module proxying) 19->71 24 G6Kcwr01xv6Mx.exe 19->24 injected process11 signatures12 73 Maps a DLL or memory area into another process 24->73 27 cleanmgr.exe 13 24->27         started        process13 signatures14 75 Tries to steal Mail credentials (via file / registry access) 27->75 77 Tries to harvest and steal browser information (history, passwords, etc) 27->77 79 Modifies the context of a thread in another process (thread injection) 27->79 81 4 other signatures 27->81 30 URygpo2MZ4S.exe 27->30 injected 33 chrome.exe 27->33         started        35 firefox.exe 27->35         started        process15 dnsIp16 45 www.sgu-consulting.com 37.17.227.236, 49726, 80 DE-FIRSTCOLOwwwfirst-colonetDE Germany 30->45 47 www.wiznap.com 104.21.14.142, 49744, 49745, 49746 CLOUDFLARENETUS United States 30->47 49 4 other IPs or domains 30->49 37 WerFault.exe 4 33->37         started        process17
Score:
34%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/072390f5cd7fcc48e7f9c622adadbb70e58ec12ec3740897ce267e075a27033e
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/072390f5cd7fcc48e7f9c622adadbb70e58ec12ec3740897ce267e075a27033e/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/072390f5cd7fcc48e7f9c622adadbb70e58ec12ec3740897ce267e075a27033e
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-03-16 16:34:47 UTC
File Type:
Binary
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a4rzb5onp7gerz7zyyrk3ln3odsy5qjoyn2arf6oez7aowrham7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
451174e99957ee7e6af9375703bab82ee3f618a307b422236102b2f9587344d3
Formbook
570693a6bd10e98ca7c67510f7da41e11ad6d055179c7a9f9bfdd9cf8a39ac78
Formbook
60ca76c8721cac0b8fb9daac721242ae7ae708ca948d096d54c5cc18f31541b1
Formbook
70530aa73b1ecc545d13cfd5cfcfa292b74b0c90bd26c8a2f222ae74787f4ded
Formbook
e628db47468b65acedd1b04c93dfdac58c956fbd15f135fae7b3801525c8713f
Formbook
edf56f77e260852159a6db03a08dddd88ee3775ab09a779b080d9f1ddf925c91
Formbook
error
Formbook
ff76c599e55cf1df34e0ccb7e3c30fa26402c11c3a561b3e33e9d0d3f3483beb
Formbook
+ 2'676 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook execution rat spyware stealer trojan
Link:
https://tria.ge/reports/260318-lsehhafv41/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/072390f5cd7fcc48e7f9c622adadbb70e58ec12ec3740897ce267e075a27033e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments