MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f8b4cf0bb38be4b89d26234492ffd39ed35730f9d4f1438c58df13719c104c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f8b4cf0bb38be4b89d26234492ffd39ed35730f9d4f1438c58df13719c104c2
SHA3-384 hash: eb325cc97243e085d322c3cc617e9ca2ab5f3260a112a2314afaa69e1db299237c2ca3fd58c426927ec0c4b775e3d14a
SHA1 hash: 9c77df96a6616e8441f97caf4aa46267848e2327
MD5 hash: b31abfd160db675e2ae51cb29eaf5752
humanhash: jupiter-pip-harry-mockingbird
File name:cl600q.ps1
Download: download sample
Signature Formbook
Create hunting rule
File size:390'488 bytes
First seen:2025-05-07 10:06:23 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 6144:T25xSrLABrnesuNfl2c/iuYUkImPSVU9QfRyxCvbt3LpxIOZg0MKIztAnq:6TgL8LerlFCUNVzfgCvbHxIh0hIzJ
TLSH T1168423742FADAF068D70442820BE0F4E1FA10EB7B09194B7A55570C6510BB2FA5F9AB7
Magika unknown
Reporter JAMESWT_WT
Tags:ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681b311d6c95617a27b5b96a
Tags:
trojan
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated obfuscated
Link:
https://www.filescan.io/uploads/681b30d6bab2591d06548561/reports/e2930e82-d229-419b-904f-71e8c85db1cf/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2f8b4cf0bb38be4b89d26234492ffd39ed35730f9d4f1438c58df13719c104c2
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1683116
Signature
AI detected malicious Powershell script
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1683116 Sample: cl600q.ps1 Startdate: 07/05/2025 Architecture: WINDOWS Score: 52 19 AI detected malicious Powershell script 2->19 21 Joe Sandbox ML detected suspicious sample 2->21 6 powershell.exe 26 2->6         started        9 svchost.exe 1 1 2->9         started        process3 dnsIp4 23 Loading BitLocker PowerShell Module 6->23 13 conhost.exe 6->13         started        17 127.0.0.1 unknown unknown 9->17 15 C:\ProgramData\Microsoft15etwork\...\qmgr.jfm, COM 9->15 dropped file5 signatures6 process7
Score:
14%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/2f8b4cf0bb38be4b89d26234492ffd39ed35730f9d4f1438c58df13719c104c2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f8b4cf0bb38be4b89d26234492ffd39ed35730f9d4f1438c58df13719c104c2/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-07 10:05:46 UTC
File Type:
Text (HTML)
AV detection:
4 of 37 (10.81%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f6fuz4f3hc7excosmi2esl75hhwtk4yptvhriogfrxytogobatba._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
execution
Link:
https://tria.ge/reports/250507-l5rzcsgq7z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f8b4cf0bb38be4b89d26234492ffd39ed35730f9d4f1438c58df13719c104c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Reversed_Base64_Encoded_EXE_RID3291
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

PowerShell (PS) ps1 2f8b4cf0bb38be4b89d26234492ffd39ed35730f9d4f1438c58df13719c104c2

(this sample)

Formbook

Executable exe 79b2aa955e207086a9216727eb62d86173d52a3150b1c7a3ba6daa0a529c543f

  
URLhaus
https://urlhaus.abuse.ch/url/3537709/
  
Delivery method
Distributed via web download
  
Dropping
SHA256 79b2aa955e207086a9216727eb62d86173d52a3150b1c7a3ba6daa0a529c543f
  
Dropping
MD5 df56d67995ff1b6087e491fbbaefdbb3

Comments