MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e49d70f9760a923912c03f409100f2d54bd04e05e91ff2a626bae414a08ca6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e49d70f9760a923912c03f409100f2d54bd04e05e91ff2a626bae414a08ca6a
SHA3-384 hash: 578cd085eb3c61085a7037d543fcff1399c4258a86827fb3e266bab6ec96512a91a5096d8fc872c195bd48e70d326be3
SHA1 hash: af613a41e9d46687708575e490e9272c21187359
MD5 hash: 728aa5d3f393632753452283975669d5
humanhash: spring-kilo-blossom-alpha
File name:dokument wysyÅ kowy faktury nr 52-FK-25.js
Download: download sample
Signature Formbook
Create hunting rule
File size:1'682 bytes
First seen:2025-03-20 07:25:11 UTC
Last seen:2025-03-20 08:14:42 UTC
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 48:Acw7afBbkkApiFFAXpkr2rrF0FPKt0Jb/mk4:Acw78ZkkApiFFAXpkr2rrF0FPKt0Jb/e
TLSH T1FD31D6790F3EAC7BED40B4EDCB8CE2D3C43CF56D9259084AD98B4491BC457A402CAA1B
Magika javascript
Reporter abuse_ch
Tags:FormBook js

Intelligence

File Origin
# of uploads :
3
# of downloads :
401
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dbc308115e7b48b48f033e
Tags:
virus spawn
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/3e49d70f9760a923912c03f409100f2d54bd04e05e91ff2a626bae414a08ca6a
Result
Verdict:
UNKNOWN
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1643920
Signature
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1643920 Sample: dokument wysy#U00c5 kowy fa... Startdate: 20/03/2025 Architecture: WINDOWS Score: 100 44 www.tabyscooterrentals.xyz 2->44 46 paste.ee 2->46 48 9 other IPs or domains 2->48 62 Suricata IDS alerts for network traffic 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus detection for URL or domain 2->66 72 8 other signatures 2->72 11 wscript.exe 1 14 2->11         started        15 svchost.exe 1 1 2->15         started        17 wscript.exe 2->17         started        signatures3 68 Performs DNS queries to domains with low reputation 44->68 70 Connects to a pastebin service (likely for C&C) 46->70 process4 dnsIp5 58 paste.ee 23.186.113.60, 443, 49681 KLAYER-GLOBALNL Reserved 11->58 90 System process connects to network (likely due to code injection or exploit) 11->90 92 JScript performs obfuscated calls to suspicious functions 11->92 94 Suspicious powershell command line found 11->94 96 3 other signatures 11->96 19 powershell.exe 14 16 11->19         started        60 127.0.0.1 unknown unknown 15->60 signatures6 process7 dnsIp8 50 magnapratama.com 103.251.44.195, 443, 49688 IDNIC-JALANET-AS-IDPTJupiterJalaArtaID Indonesia 19->50 52 ia600204.us.archive.org 207.241.227.224, 443, 49687 INTERNET-ARCHIVEUS United States 19->52 82 Writes to foreign memory regions 19->82 84 Injects a PE file into a foreign processes 19->84 23 MSBuild.exe 19->23         started        26 cmd.exe 1 19->26         started        28 conhost.exe 19->28         started        signatures9 process10 signatures11 86 Maps a DLL or memory area into another process 23->86 30 WO08kUvhc5ef5063cM6oq.exe 23->30 injected 33 conhost.exe 26->33         started        process12 signatures13 98 Maps a DLL or memory area into another process 30->98 100 Found direct / indirect Syscall (likely to bypass EDR) 30->100 35 SndVol.exe 13 30->35         started        process14 signatures15 74 Tries to steal Mail credentials (via file / registry access) 35->74 76 Tries to harvest and steal browser information (history, passwords, etc) 35->76 78 Modifies the context of a thread in another process (thread injection) 35->78 80 3 other signatures 35->80 38 WO08kUvhc5ef5063cM6oq.exe 35->38 injected 42 firefox.exe 35->42         started        process16 dnsIp17 54 billing04.cdn.sudunddos.com 45.202.215.236, 49695, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles 38->54 56 natroredirect.natrocdn.com 85.159.66.93, 49696, 49697, 49698 CIZGITR Turkey 38->56 88 Found direct / indirect Syscall (likely to bypass EDR) 38->88 signatures18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e49d70f9760a923912c03f409100f2d54bd04e05e91ff2a626bae414a08ca6a/
Threat name:
Script-JS.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-03-19 09:11:46 UTC
File Type:
Binary
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hze5od4xmcushejmap2aseapfvkl2bhal2i76ktcnoxecsqizjva._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250320-h87mfa1ky9/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments