MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f7d656fbaa11f719ca1f9a51893052f144e517f9b06bf425393ae1c7dd3eb02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f7d656fbaa11f719ca1f9a51893052f144e517f9b06bf425393ae1c7dd3eb02
SHA3-384 hash: c9bcd30987f6a13a8e165f393cd4e420f691cf656bbcf90ada5a37c327b8c61b6a639dd734f4fb12be2dca53861e9194
SHA1 hash: f794061e5c1a3760a44cbe9e801bc74ca01669c9
MD5 hash: c47a8fa8200b2f52baf3d7bb8c3e7151
humanhash: butter-saturn-berlin-double
File name:greatthignswithnewworkingskillwithmegreatwithe.hta
Download: download sample
Signature Formbook
Create hunting rule
File size:211'490 bytes
First seen:2024-11-04 15:36:10 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:43F97/OSumZASumAvrTVU3gCVeWdCeSumLfQ:43F1/vZlA/sdGbQ
TLSH T1C8247E96DA34499CB7EC2DABBEFC779D3838034F5AC61E51A71B7442CCA579C908081D
Magika javascript
Reporter abuse_ch
Tags:FormBook hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6728ea2249e92a05dde2d6d3
Tags:
powershell gumen
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/1f7d656fbaa11f719ca1f9a51893052f144e517f9b06bf425393ae1c7dd3eb02/results/dashboard
Payload URLs
URL
File name
http://185.117.91.26/34/keepingthebestthignswitheverydayformegivemebest.tIF
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/6728ea2671d9bf499cf92c61/reports/8d0f9191-5b3c-4745-b404-c1d92d67af84/overview
Verdict:
Malicious
Labled as:
Trojan.Cryxos.JS
Link:
https://www.hybrid-analysis.com/sample/1f7d656fbaa11f719ca1f9a51893052f144e517f9b06bf425393ae1c7dd3eb02
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Hidden Powershell
Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
Result
Threat name:
Cobalt Strike, HTMLPhisher
Create hunting rule
Detection:
malicious
Classification:
phis.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1548594
Signature
AI detected suspicious sample
Detected Cobalt Strike Beacon
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1548594 Sample: greatthignswithnewworkingsk... Startdate: 04/11/2024 Architecture: WINDOWS Score: 100 34 Suricata IDS alerts for network traffic 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected HtmlPhish44 2->38 40 5 other signatures 2->40 8 mshta.exe 1 2->8         started        process3 signatures4 42 Detected Cobalt Strike Beacon 8->42 44 Suspicious powershell command line found 8->44 46 PowerShell case anomaly found 8->46 11 powershell.exe 34 8->11         started        process5 dnsIp6 30 185.117.91.26, 49706, 80 HZ-NL-ASGB Netherlands 11->30 28 C:\Users\user\AppData\...\bldurhzt.cmdline, Unicode 11->28 dropped 48 Detected Cobalt Strike Beacon 11->48 16 powershell.exe 21 11->16         started        19 csc.exe 3 11->19         started        22 conhost.exe 11->22         started        file7 signatures8 process9 file10 32 Loading BitLocker PowerShell Module 16->32 26 C:\Users\user\AppData\Local\...\bldurhzt.dll, PE32 19->26 dropped 24 cvtres.exe 1 19->24         started        signatures11 process12
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/1f7d656fbaa11f719ca1f9a51893052f144e517f9b06bf425393ae1c7dd3eb02
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f7d656fbaa11f719ca1f9a51893052f144e517f9b06bf425393ae1c7dd3eb02/
Threat name:
Script-JS.Trojan.Cryxos
Create hunting rule
Status:
Malicious
First seen:
2024-11-04 09:38:21 UTC
File Type:
Text
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=d56wk352uepxdhfb7gsrreyff4ke4ul7tmdl6qstsoxby7ot5mba._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/241104-s2f61ssfpl/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Blocklisted process makes network request
Evasion via Device Credential Deployment
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f7d656fbaa11f719ca1f9a51893052f144e517f9b06bf425393ae1c7dd3eb02

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

HTML Application (hta) hta 1f7d656fbaa11f719ca1f9a51893052f144e517f9b06bf425393ae1c7dd3eb02

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3275644/
  
Delivery method
Distributed via web download

Comments