MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c7d1ea42048170f7deeb59ccc1da5f8165c4a5594d2592e193c29d08ec527a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c7d1ea42048170f7deeb59ccc1da5f8165c4a5594d2592e193c29d08ec527a1
SHA3-384 hash: 9ecf2f8164e8980169a710a31173af226575b4b6b0ac6a2f5b20f7589e181962b76de057c9c4a5ffaf27294f5b4da120
SHA1 hash: 5a7ac3e67dc85c167180704917995fabfeb22fc0
MD5 hash: c1b0ab5e324a4cc26c27a71052518f4d
humanhash: robin-early-indigo-bakerloo
File name:c1b0ab5e324a4cc26c27a71052518f4d.js
Download: download sample
Signature Formbook
Create hunting rule
File size:61'678 bytes
First seen:2026-03-14 19:00:15 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 384:ZDKTQvZqXR1ge9xSB2HsbhN/0eNebQ/QipNnnRgSJKLrICfkcxcwdzXA5UbkUtZn:ad9QHmXqMoz/D+U98GIRthI2MVO
Threatray 13 similar samples on MalwareBazaar
TLSH T185530C5D1D2DE30606C97953B8D7A58E4C3ACD9682002FA9127964AFF0BC72BB0165FF
Magika javascript
Reporter abuse_ch
Tags:FormBook js

Intelligence

File Origin
# of uploads :
1
# of downloads :
150
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.JS.Packed.165.13059.24720.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b5b05d88c80c01586a2696
Tags:
obfuscate xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint repaired
Link:
https://www.filescan.io/uploads/69b5b0512000fc76c3dd8379/reports/b634f31c-e19d-4e13-a376-5e41e243873a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0c7d1ea42048170f7deeb59ccc1da5f8165c4a5594d2592e193c29d08ec527a1
Verdict:
Malicious
File Type:
js
Detections:
Trojan-Downloader.SLoad.TCP.ServerRequest Trojan-Downloader.PowerShell.NanoShield.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/0c7d1ea42048170f7deeb59ccc1da5f8165c4a5594d2592e193c29d08ec527a1/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1883844
Signature
Connects to a pastebin service (likely for C&C)
Creates processes via WMI
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1883844 Sample: 8iW7pVXzza.js Startdate: 14/03/2026 Architecture: WINDOWS Score: 100 23 dpaste.com 2->23 25 cnt-logiistics.com 2->25 27 2 other IPs or domains 2->27 39 Suricata IDS alerts for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 47 10 other signatures 2->47 8 wscript.exe 1 2->8         started        11 svchost.exe 1 1 2->11         started        signatures3 45 Connects to a pastebin service (likely for C&C) 23->45 process4 dnsIp5 49 Suspicious powershell command line found 8->49 51 Wscript starts Powershell (via cmd or directly) 8->51 53 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->53 55 2 other signatures 8->55 14 powershell.exe 14 17 8->14         started        29 127.0.0.1 unknown unknown 11->29 signatures6 process7 dnsIp8 31 cnt-logiistics.com 152.53.177.75, 443, 49683 NCRENUS United States 14->31 33 pastefy.app 172.67.188.196, 443, 49682 CLOUDFLARENETUS United States 14->33 35 webapp-837091.pythonanywhere.com 35.173.69.207, 443, 49681 AMAZON-AESUS United States 14->35 57 Writes to foreign memory regions 14->57 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Suspicious execution chain found 14->61 63 Injects a PE file into a foreign processes 14->63 18 RegAsm.exe 14->18         started        21 conhost.exe 14->21         started        signatures9 process10 signatures11 37 Found direct / indirect Syscall (likely to bypass EDR) 18->37
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/0c7d1ea42048170f7deeb59ccc1da5f8165c4a5594d2592e193c29d08ec527a1
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c7d1ea42048170f7deeb59ccc1da5f8165c4a5594d2592e193c29d08ec527a1/
Verdict:
Malicious
Threat:
Trojan-Downloader.PowerShell.TCP
Link:
https://tip.neiki.dev/file/0c7d1ea42048170f7deeb59ccc1da5f8165c4a5594d2592e193c29d08ec527a1
Threat name:
Script-JS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-03-14 03:58:00 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 24 (37.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=br6r5jbajalq67powwomyhnf7alfyssvstjfslqzhqu5bdwfe6qq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
28540d83a30a6745996f1bce50f4b3b4921591b9933d3fa9ef449239247ed62b
Formbook
528a31d97ba6d5f57c4e502ea72ff289ee8233391c5657abe07158c731f93b13
Formbook
6d50cd6e46fecc148ac49bafcb7c4d4845c312c33d68c5148082da2945e40bd6
Formbook
770165df1cb9509cd4a8b726d1132c0cbf0161d50ee2649fcd27bab024869a6f
Formbook
996af4d198b0b45434f13f844a5cf9f133c81802814cd79a4be20e0e1c6373a3
Formbook
9d8be1b8c4032e74447e04189d711c80cc41e4df6ffd2b4539fb1195148276e6
Formbook
b10d58f2bc40e8bf540081d8464a823821dc93068c9390bafefa5bfd47cab896
Formbook
dc266cd65df56ade7508b58528c42fde8f42f203c03fa28eecdcd4893a2f4448
Formbook
e6e25f32a6c1307f55d18e48d5d53f3f8c4bbce049480339bc1530b414b195de
Formbook
error
Formbook
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/260314-xnwrrsd15p/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Badlisted process makes network request
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0c7d1ea42048170f7deeb59ccc1da5f8165c4a5594d2592e193c29d08ec527a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments