MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b3025a4af4d2253bc4baa82061582f44f9608a31e97a3bfd73e4349eb040f44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	1b3025a4af4d2253bc4baa82061582f44f9608a31e97a3bfd73e4349eb040f44
SHA3-384 hash:	f63afdce27dc35afb024bbf8e641ea4b5e2ae7c24cecba1aac5f6e1a6efd0734d23d0d090a8b7ab3990bb3d76c769441
SHA1 hash:	e6d1fbd6bb37fae7994d81f2c86f3aba59670512
MD5 hash:	0a239431d5c3ecf94caa81748d69099f
humanhash:	echo-robert-uniform-five
File name:	Bank Details.js
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'009'949 bytes
First seen:	2025-05-22 06:05:05 UTC
Last seen:	2025-05-22 06:11:44 UTC
File type:	js
MIME type:	text/plain
ssdeep	24576:NMR8+I0NazF5tn/0pkPPMrzQKZfRm3jioU4Lzy:N91ZKO1W
Threatray	19 similar samples on MalwareBazaar
TLSH	T11D25F0B19191B9B04F8D0605249E3FB76DFC2DCF41A8BA24251C28D8F0897FA7C1E9E5
Magika	javascript
Reporter	abuse_ch
Tags:	FormBook js

Intelligence

File Origin

# of uploads :

# of downloads :

417

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Generic-EXE.UNOFFICIAL

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL

Sanesecurity.Malware.26270.JsHeur.UNOFFICIAL

Sanesecurity.Malware.25779.JsHeur.UNOFFICIAL

Sanesecurity.Malware.26271.JsHeur.UNOFFICIAL

Sanesecurity.Malware.25834.JsHeur.UNOFFICIAL

Js.Downloader.Agent-9914219-0

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=682ebf36c28c67d6664451ac

Tags:

dropper virus spawn

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 dropper evasive obfuscated obfuscated packed

Link:

https://www.filescan.io/uploads/682ebebc171e01f9592a0a91/reports/bbcf1d12-0d33-474c-9b7f-d3815b2eca32/overview

Verdict:

Malicious

Labled as:

GT:JS.Cbum.1.775A25F4;Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/1b3025a4af4d2253bc4baa82061582f44f9608a31e97a3bfd73e4349eb040f44

Result

Threat name:

FormBook, PureLog Stealer

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1696573

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Benign windows process drops PE files

Injects a PE file into a foreign processes

JavaScript file contains Antivirus product strings

Joe Sandbox ML detected suspicious sample

JScript performs obfuscated calls to suspicious functions

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/1b3025a4af4d2253bc4baa82061582f44f9608a31e97a3bfd73e4349eb040f44

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1b3025a4af4d2253bc4baa82061582f44f9608a31e97a3bfd73e4349eb040f44/

Threat name:

Script-JS.Dropper.Nemucod

Status:

Malicious

First seen:

2025-05-21 10:41:23 UTC

File Type:

Text

AV detection:

14 of 24 (58.33%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dmycljfpjurfhpclvkbamfmc6rhzmcfdd2l2hp6xhzbut2yeb5ca._file

Result

Malware family:

n/a

Score:

7/10

Tags:

discovery execution

Link:

https://tria.ge/reports/250522-gtj26ahp71/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Malware family:

zgRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1b3025a4af4d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Formbook

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1b3025a4af4d2253bc4baa82061582f44f9608a31e97a3bfd73e4349eb040f44

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample