MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ebe28f2022d5bd85167e22c8df97982dda3aa1b63d6e02e502ccb680c1b9ca9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook

Vendor detections: 10



SHA256 hash: 0ebe28f2022d5bd85167e22c8df97982dda3aa1b63d6e02e502ccb680c1b9ca9
SHA3-384 hash: 652bd901273cc941aef352836b4e956a44e49125e823a63fd5069b2cbe9960b24e8a207cd5419cbab1d980897fd5b8fd
SHA1 hash: c69f30b3bedc704fdb1bd0e9adad615b613e8f1e
MD5 hash: fdd4c7c68b989d21c41c1deca6847ad7
humanhash: single-lemon-purple-yellow
File name: RESOCONTO INSOLUTI al 31102025 - ATTENZIONE IBAN.7z
Signature: Formbook
File size: 7'712 bytes
First seen: 2025-11-04 12:01:22 UTC
Last seen: 2025-11-05 03:44:26 UTC
File type: 7z
MIME type: application/x-7z-compressed
ssdeep: 192:J2U90AraaIAghce/ps2Ts9JmsZq8yAXjqlYswVbYDq8t:J22traaChZtAneAz7rVbUv
TLSH: T184F1B0A05C10FE3EE696BEF1A7165D688A54F9F31F371196650056CABF80182E6C2328
TrID: 57.1% (.7Z) 7-Zip compressed archive (v0.4) (8000/1); 42.8% (.7Z) 7-Zip compressed archive (gen) (6000/1)
Magika: sevenzip
Reporter: Mangusta
Tags: 147-124-222-89, 7z, FormBook

Intelligence

File Origin
Number of uploads: 2
Number of downloads: 59
Origin country: IT
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: RESOCONTO INSOLUTI al 31102025 - ATTENZIONE IBAN.js
File size: 23'265 bytes
SHA256 hash: c52a2cf1c3033792b71a3fa7ccb6c94f5b46e6b8e6f3737dc316294418ddde9d
MD5 hash: 9c9eb3987c07ed19b8786cad5f5d93a7
MIME type: text/plain
Signature: Formbook
Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: ransomware, shell, spawn

Result
Verdict: Malicious
File Type: JS File - Malicious
Payload URLs (URL / File name):
http://147.124.222.89/host/sirrrrdeee.ps1 / JS File
Behaviour: BlacklistAPI detected

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: aspnet_compiler, base64, evasive, evasive, lolbin, obfuscated, obfuscated, opendir, reconnaissance, repaired

Verdict: Malicious
File Type: 7z
First seen: 2025-11-04T13:14:00Z UTC
Last seen: 2025-11-05T05:59:00Z UTC
Hits: ~10

Verdict: inconclusive
YARA: 3 match(es)
Tags: 7z, Archive, SFX 7z

Threat name: Win32.Trojan.Znyonm
Status: Malicious
First seen: 2025-11-04 12:01:56 UTC
File Type: Binary (Archive)
Extracted files: 1
AV detection: 14 of 38 (36.84%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook, adware, discovery, execution, rat, spyware, stealer, trojan
Behaviour:
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Command and Scripting Interpreter: JavaScript
- Command and Scripting Interpreter: PowerShell
- Enumerates physical storage devices
- System Location Discovery: System Language Discovery
- Suspicious use of SetThreadContext
- Checks computer location settings
- Badlisted process makes network request
- Formbook payload
- Formbook
- Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May contain (obfuscated or not) PowerShell or CMD commands that can be abused by a threat actor (can create FPs).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other
