MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36f0f94a57df272434cffc01c7a8ceb67d4fab892bba5154a1fceaa38026e007. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36f0f94a57df272434cffc01c7a8ceb67d4fab892bba5154a1fceaa38026e007
SHA3-384 hash: a437db848cd04de7973eda985862242485adf405fb635bd4f35b756d5e0317e878c2505bc1a81660e15d15d0179b1c3c
SHA1 hash: 1ba4ba2f127d8c34afec448e805e90e13c12b929
MD5 hash: b9c56d010bd4fdec815b2e6824e298c2
humanhash: zebra-bakerloo-mars-golf
File name:RFQ 536120 -R43500 V55600080.js
Download: download sample
Signature Formbook
Create hunting rule
File size:358'228 bytes
First seen:2025-05-20 11:44:36 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 96:g5s/BpZKBpnpsuBpZFBpMpsLBp9BpBprpsNBpZrBpkfspBp9uBprBpsHBpZKjBpU:MCsvAlyIOXK6lGT
Threatray 80 similar samples on MalwareBazaar
TLSH T19E741B9DADE7049624DFF730A68725BC98276754C90366FBE277BA3310B8E5C20F1066
Magika javascript
Reporter abuse_ch
Tags:FormBook js

Intelligence

File Origin
# of uploads :
1
# of downloads :
487
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.31898.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682c6b5ec28c67d666424ad2
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/682c6b5c1de1514c6874842a/reports/d88bf8cb-7e20-418d-9318-0a6cebf016a7/overview
Verdict:
Malicious
Labled as:
HEUR_TrojanDownloader_Script_Generic
Link:
https://www.hybrid-analysis.com/sample/36f0f94a57df272434cffc01c7a8ceb67d4fab892bba5154a1fceaa38026e007
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1694888
Signature
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found Tor onion address
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1694888 Sample: RFQ 536120 -R43500 V55600080.js Startdate: 20/05/2025 Architecture: WINDOWS Score: 100 41 www.gedankenlaut.xyz 2->41 43 www.dekoratifcamfilmi.xyz 2->43 45 10 other IPs or domains 2->45 69 Suricata IDS alerts for network traffic 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for submitted file 2->73 77 15 other signatures 2->77 11 wscript.exe 1 1 2->11         started        15 powershell.exe 16 2->15         started        17 svchost.exe 1 1 2->17         started        signatures3 75 Performs DNS queries to domains with low reputation 43->75 process4 dnsIp5 57 paste.ee 23.186.113.60, 443, 49698, 49699 KLAYER-GLOBALNL Reserved 11->57 87 System process connects to network (likely due to code injection or exploit) 11->87 89 JScript performs obfuscated calls to suspicious functions 11->89 91 Suspicious powershell command line found 11->91 93 3 other signatures 11->93 19 powershell.exe 14 15 11->19         started        23 conhost.exe 15->23         started        59 127.0.0.1 unknown unknown 17->59 signatures6 process7 dnsIp8 47 archive.org 207.241.224.2, 443, 49702 INTERNET-ARCHIVEUS United States 19->47 49 dn721509.ca.archive.org 204.62.247.7, 443, 49703 COGENT-174US United States 19->49 79 Found Tor onion address 19->79 81 Writes to foreign memory regions 19->81 83 Injects a PE file into a foreign processes 19->83 25 MSBuild.exe 19->25         started        28 conhost.exe 19->28         started        signatures9 process10 signatures11 85 Maps a DLL or memory area into another process 25->85 30 Y82Sm9j4.exe 25->30 injected process12 signatures13 95 Maps a DLL or memory area into another process 30->95 33 print.exe 13 30->33         started        process14 signatures15 61 Tries to steal Mail credentials (via file / registry access) 33->61 63 Tries to harvest and steal browser information (history, passwords, etc) 33->63 65 Modifies the context of a thread in another process (thread injection) 33->65 67 3 other signatures 33->67 36 QQONSG5dqBi.exe 33->36 injected 39 firefox.exe 33->39         started        process16 dnsIp17 51 www.gedankenlaut.xyz 89.31.143.90, 49716, 49717, 49718 QSC-AG-IPXDE Germany 36->51 53 www.dekoratifcamfilmi.xyz 13.248.169.48, 49724, 49725, 49726 AMAZON-02US United States 36->53 55 4 other IPs or domains 36->55
Score:
57%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/36f0f94a57df272434cffc01c7a8ceb67d4fab892bba5154a1fceaa38026e007
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36f0f94a57df272434cffc01c7a8ceb67d4fab892bba5154a1fceaa38026e007/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-19 18:58:17 UTC
File Type:
Text (JavaScript)
AV detection:
4 of 35 (11.43%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g3ypsssx34tsingp7qa4pkgowz6u7k4jfo5fcvfb7tvkhabg4adq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
22974a6d7748c8401d76df5d299e5db3f0ee4a8dfefc4444e85a7726dfc094b1
Formbook
7781549276d047ac3720ccdf20caf564e932a69b3910da10f400949c0a51a36f
Formbook
8160be5c40028ff2f6cfd92cf379a94fe627fea67c7790ee4f35084a27d1ed55
Formbook
8198ace97c6f91caec9cfcad79c2c290d826b5380cca1f70f6c32b2a36d6b86e
Formbook
89f12db466f60f1cf1c53d5ac9a46ca374a29566d3e1e8d1e8f5f892f6df6c4e
Formbook
a2c86572d47ba0a2fe4dc812a1ea063784f59b2cc3563f0ca8e7f3d570df6aba
Formbook
abd1741192aa6e0d4291a33562e399c1dc503f9f9aec919d8e38ad07732a0954
Formbook
b2564c31effd83cb6893a5cf3e100a6fc7ca8f19e8671bceeae2b1604fc93c84
Formbook
c608c50993635a38c549100e604aaa86e7b4ac607afffb1f583e6ae5360bf6a9
Formbook
error
Formbook
+ 70 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250520-nwx55aym13/
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36f0f94a57df272434cffc01c7a8ceb67d4fab892bba5154a1fceaa38026e007

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments