MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 256d2affc5317c7fa894b0b419f41bb702710b3d468f89a27637d04ce146c5a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 256d2affc5317c7fa894b0b419f41bb702710b3d468f89a27637d04ce146c5a0
SHA3-384 hash: 2411df3037d021a79771afe7e622233e7e014bf932a9400a752c37ae78100a71343ae51b71c6c8dcee53386c28f1529e
SHA1 hash: 6e7e6d6b6c6b9da4b8f4d444f0f39957cc869c2b
MD5 hash: fedd01104168a82803d5c761c3dd6ea7
humanhash: jig-lima-oregon-carbon
File name:Waybill.js
Download: download sample
Signature Formbook
Create hunting rule
File size:48'547 bytes
First seen:2025-07-01 07:23:51 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:BmCQWLbNl7VB2BIPlSp0YK5UMJSIHLOGXzGDGIxWCXJDjFs1vA8Kd62nwYn+n5YM:rDhHLOGjGDGIxWCXJDjF8vA/d62nYWTa
Threatray 188 similar samples on MalwareBazaar
TLSH T15D2396C9B01FE07647723764163B011EF6FC9C091938A9A8F9DCB4897B2543D91B29BE
Magika javascript
Reporter abuse_ch
Tags:FormBook js

Intelligence

File Origin
# of uploads :
1
# of downloads :
391
Origin country :
SE SE
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.26863.JsHeur.UNOFFICIAL
Create hunting rule

Js.Dropper.Divergent-7133099-1
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68638d7c0fceda814b478ff9
Tags:
dropper xtreme shell
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/256d2affc5317c7fa894b0b419f41bb702710b3d468f89a27637d04ce146c5a0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1726154
Signature
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Injects a PE file into a foreign processes
Javascript file is likely language aware (will only work on specific systems)
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1726154 Sample: Waybill.js Startdate: 01/07/2025 Architecture: WINDOWS Score: 100 58 www.trainedtalents.xyz 2->58 60 rampagewargames.net 2->60 62 8 other IPs or domains 2->62 78 Suricata IDS alerts for network traffic 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for submitted file 2->82 86 12 other signatures 2->86 12 wscript.exe 1 1 2->12         started        15 wscript.exe 1 2->15         started        signatures3 84 Performs DNS queries to domains with low reputation 58->84 process4 signatures5 100 JScript performs obfuscated calls to suspicious functions 12->100 102 Suspicious powershell command line found 12->102 104 Wscript starts Powershell (via cmd or directly) 12->104 106 3 other signatures 12->106 17 powershell.exe 14 17 12->17         started        21 powershell.exe 15->21         started        process6 dnsIp7 54 nest.kesug.com 185.27.134.100, 49721, 49725, 80 WILDCARD-ASWildcardUKLimitedGB United Kingdom 17->54 56 archive.org 207.241.224.2, 443, 49713, 49722 INTERNET-ARCHIVEUS United States 17->56 70 Found Tor onion address 17->70 72 Writes to foreign memory regions 17->72 74 Found suspicious powershell code related to unpacking or dynamic code loading 17->74 23 appidtel.exe 17->23         started        26 cmd.exe 2 17->26         started        29 conhost.exe 17->29         started        76 Injects a PE file into a foreign processes 21->76 31 conhost.exe 21->31         started        33 appidtel.exe 21->33         started        signatures8 process9 file10 90 Maps a DLL or memory area into another process 23->90 35 b11cmq4fjYMqks.exe 23->35 injected 52 C:\Users\Public\Downloads\fatlings.js, data 26->52 dropped 38 conhost.exe 26->38         started        signatures11 process12 signatures13 88 Maps a DLL or memory area into another process 35->88 40 SndVol.exe 13 35->40         started        process14 signatures15 92 Tries to steal Mail credentials (via file / registry access) 40->92 94 Tries to harvest and steal browser information (history, passwords, etc) 40->94 96 Modifies the context of a thread in another process (thread injection) 40->96 98 3 other signatures 40->98 43 ffFRdGNEz5ISM.exe 40->43 injected 46 chrome.exe 40->46         started        48 firefox.exe 40->48         started        process16 dnsIp17 64 rampagewargames.net 3.33.130.190, 49726, 49727, 49728 AMAZONEXPANSIONGB United States 43->64 66 e179336.a.akamaiedge.net 23.33.42.149, 49724, 80 AKAMAI-ASN1EU United States 43->66 68 natroredirect.natrocdn.com 85.159.66.93, 49730, 49731, 49732 CIZGITR Turkey 43->68 50 WerFault.exe 4 46->50         started        process18
Score:
1%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/256d2affc5317c7fa894b0b419f41bb702710b3d468f89a27637d04ce146c5a0
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/256d2affc5317c7fa894b0b419f41bb702710b3d468f89a27637d04ce146c5a0/
Threat name:
Script-JS.Trojan.DarkCloud
Create hunting rule
Status:
Malicious
First seen:
2025-07-01 05:29:33 UTC
File Type:
Text (JavaScript)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=evwsv76fgf6h7keuwc2bt5a3w4bhccz5i2hytitwg7iezykgywqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
11ea3046a5ea0ca54c9efee2b7a7f9da06d2a5bed1bb41447673d4ae0374c2d3
Formbook
123ef9f91735fa6c4b35a8c68175db0c9be5a84d2ce21e9cd5c4aceec8b25f23
Formbook
324f0ef5c58c968b13888c3b27f970c812e10bd2808e45225baa0cb1b7ec7d96
Formbook
5331d1eadb8b8727b21f368f5c8edb92b368d88e70c4d76e33f46fe6b55ee0d7
Formbook
81e751866842193531d97c41db2569fffd954ebf710564897145a3439e95397b
Formbook
a2727b617e87d1c8070d69cf1c5fa58c757ae0e425c26c049dce311e1adb5745
Formbook
a432bcc6e9b898d5bd0d40f24e9c4cbf1b19c2d9de3b1179e5a86216132258d6
Formbook
aa09d38ea66f08ab6306c26b2c3f736450be10e997d0ce8c9c51da056949e6bc
Formbook
b888ae8492bddf1d7d669510ffcfd67a6ccca5b435bcd81b1f5248f224f45c80
Formbook
c6551ffa0a5c84c8a5ab3290ffd0a59ba89972e60616b8f17c92fca19ce21a31
Formbook
error
Formbook
+ 178 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/250701-h8mx2a1yf1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/256d2affc5317c7fa894b0b419f41bb702710b3d468f89a27637d04ce146c5a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:OBFUS_PowerShell_Common_Replace
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the common usage of replace for obfuscation

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments