MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 324f0ef5c58c968b13888c3b27f970c812e10bd2808e45225baa0cb1b7ec7d96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 324f0ef5c58c968b13888c3b27f970c812e10bd2808e45225baa0cb1b7ec7d96
SHA3-384 hash: b4da018c2b622f06b401cb7821d638db72aaa0eaebf5db1c65171e776cc517595cb9080fa3714b7d570a6b02f5f3d481
SHA1 hash: 206409b187b62bdfef73575f9d86a2e28d436748
MD5 hash: c31c1fdfffd2e34a2459330cc1948aa8
humanhash: spring-florida-fifteen-yankee
File name:Offer to Purchase.js
Download: download sample
Signature Formbook
Create hunting rule
File size:20'262 bytes
First seen:2025-07-01 07:24:03 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 192:4nsKfINMsolJyeL692/2BWAK/Mbh2B6BngWlxj4eOm8VG4zfgAzdnl:ws7NMsolJyeL692eM+bwYNv7qBzfTzj
Threatray 224 similar samples on MalwareBazaar
TLSH T12992EF819609CA265E750161BFA67044F3E7071F1370F8B1F2EE4BD22B6B7D80962B87
Magika javascript
Reporter abuse_ch
Tags:FormBook js

Intelligence

File Origin
# of uploads :
1
# of downloads :
393
Origin country :
SE SE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68638d890fceda814b479014
Tags:
obfuscate xtreme shell
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/324f0ef5c58c968b13888c3b27f970c812e10bd2808e45225baa0cb1b7ec7d96
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1726152
Signature
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Found Tor onion address
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: Suspicious Process Parents
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1726152 Sample: Offer to Purchase.js Startdate: 01/07/2025 Architecture: WINDOWS Score: 100 52 www.heinike.xyz 2->52 54 www.hadiahboston.live 2->54 56 6 other IPs or domains 2->56 70 Suricata IDS alerts for network traffic 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 Yara detected FormBook 2->74 78 12 other signatures 2->78 11 wscript.exe 1 1 2->11         started        15 wscript.exe 1 2->15         started        17 svchost.exe 1 1 2->17         started        signatures3 76 Performs DNS queries to domains with low reputation 52->76 process4 dnsIp5 66 mycoosin.lovestoblog.com 185.27.134.99, 49700, 49713, 49714 WILDCARD-ASWildcardUKLimitedGB United Kingdom 11->66 92 JScript performs obfuscated calls to suspicious functions 11->92 94 Suspicious powershell command line found 11->94 96 Wscript starts Powershell (via cmd or directly) 11->96 100 3 other signatures 11->100 19 powershell.exe 14 17 11->19         started        98 System process connects to network (likely due to code injection or exploit) 15->98 23 powershell.exe 15->23         started        68 127.0.0.1 unknown unknown 17->68 signatures6 process7 dnsIp8 58 archive.org 207.241.224.2, 443, 49701, 49715 INTERNET-ARCHIVEUS United States 19->58 80 Found Tor onion address 19->80 82 Writes to foreign memory regions 19->82 84 Found suspicious powershell code related to unpacking or dynamic code loading 19->84 25 calc.exe 19->25         started        28 cmd.exe 2 19->28         started        31 conhost.exe 19->31         started        86 Injects a PE file into a foreign processes 23->86 33 conhost.exe 23->33         started        35 calc.exe 23->35         started        37 calc.exe 23->37         started        signatures9 process10 file11 90 Maps a DLL or memory area into another process 25->90 39 ftxzWKb7qzG.exe 25->39 injected 50 C:\Users\Public\Downloads\pulsilogy.js, data 28->50 dropped 43 conhost.exe 28->43         started        signatures12 process13 dnsIp14 60 kickasstshirts.shop 15.197.225.128, 49723, 49724, 49725 TANDEMUS United States 39->60 62 www.hadiahboston.live 104.21.15.120, 49718, 80 CLOUDFLARENETUS United States 39->62 64 2 other IPs or domains 39->64 88 Maps a DLL or memory area into another process 39->88 45 dllhost.exe 13 39->45         started        signatures15 process16 signatures17 102 Tries to steal Mail credentials (via file / registry access) 45->102 104 Tries to harvest and steal browser information (history, passwords, etc) 45->104 106 Modifies the context of a thread in another process (thread injection) 45->106 108 2 other signatures 45->108 48 firefox.exe 45->48         started        process18
Score:
17%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/324f0ef5c58c968b13888c3b27f970c812e10bd2808e45225baa0cb1b7ec7d96
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/c31c1fdfffd2e34a2459330cc1948aa8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/324f0ef5c58c968b13888c3b27f970c812e10bd2808e45225baa0cb1b7ec7d96/
Threat name:
Script-JS.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2025-07-01 00:58:56 UTC
File Type:
Text (JavaScript)
AV detection:
4 of 37 (10.81%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gjhq55ofrsliwe4irq5sp6lqzajocc6sqchekis3vigldn7mpwla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
123ef9f91735fa6c4b35a8c68175db0c9be5a84d2ce21e9cd5c4aceec8b25f23
Formbook
1647ef778a94d0cd84ea714757b85c6f62ba9881a0403af8173227808d4a9aa3
Formbook
256d2affc5317c7fa894b0b419f41bb702710b3d468f89a27637d04ce146c5a0
Formbook
81e751866842193531d97c41db2569fffd954ebf710564897145a3439e95397b
Formbook
a2727b617e87d1c8070d69cf1c5fa58c757ae0e425c26c049dce311e1adb5745
Formbook
a432bcc6e9b898d5bd0d40f24e9c4cbf1b19c2d9de3b1179e5a86216132258d6
Formbook
aa09d38ea66f08ab6306c26b2c3f736450be10e997d0ce8c9c51da056949e6bc
Formbook
b888ae8492bddf1d7d669510ffcfd67a6ccca5b435bcd81b1f5248f224f45c80
Formbook
c6551ffa0a5c84c8a5ab3290ffd0a59ba89972e60616b8f17c92fca19ce21a31
Formbook
e8e2e089aea4a76bbd0ec55ab5530d38c9e84014a305e195242ce0dbbc38e2db
Formbook
error
Formbook
+ 214 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/250701-h8m8ss1ygv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/324f0ef5c58c968b13888c3b27f970c812e10bd2808e45225baa0cb1b7ec7d96

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments