MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4330364ed7044671ea3d48f8ad3ac8bb079eac0a7d12d1e6ddfcb47927386835. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4330364ed7044671ea3d48f8ad3ac8bb079eac0a7d12d1e6ddfcb47927386835
SHA3-384 hash: 8da6e070f754760f9f8f6be734f3226eb367c0fadd665c0312b80f54c7fcce5e872f0e50e2c8451d97b4f3cd590a02bf
SHA1 hash: 83b84d7837c1aa991f50fb81429064eca9f84af8
MD5 hash: 2d104c8499a3ab875902770edcbbc899
humanhash: violet-march-island-pennsylvania
File name:givemebestthingsforgivemebest.hta
Download: download sample
Signature Formbook
Create hunting rule
File size:13'924 bytes
First seen:2025-03-26 14:57:39 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:r9Ys8weTYsKweB3rA2amRoZgKxp4PHjeVYsYYsPxweaYsv+:ZCTYB3rA2amRFKESVC1Hac
TLSH T1F25272286C603EA1C795D6211CDCCDC5068C574E50A02426F88DA6B7B319B7CE4EDBEB
Magika html
Reporter abuse_ch
Tags:FormBook hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Starter.408.7437.14415.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e4161212b5dc44da3e3c23
Tags:
autoit emotet
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/4330364ed7044671ea3d48f8ad3ac8bb079eac0a7d12d1e6ddfcb47927386835/results/dashboard
Payload URLs
URL
File name
http://172.245.123.32/70/smss.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/67e4160e631830704a87efe6/reports/f7e1b73b-6c28-403f-b9db-1ae232225509/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.F81A2182
Link:
https://www.hybrid-analysis.com/sample/4330364ed7044671ea3d48f8ad3ac8bb079eac0a7d12d1e6ddfcb47927386835
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1649248
Signature
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Detected Cobalt Strike Beacon
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1649248 Sample: givemebestthingsforgivemebest.hta Startdate: 26/03/2025 Architecture: WINDOWS Score: 100 59 www.vczuahand.xyz 2->59 61 www.855696a.xyz 2->61 63 5 other IPs or domains 2->63 81 Suricata IDS alerts for network traffic 2->81 83 Antivirus detection for dropped file 2->83 85 Multi AV Scanner detection for dropped file 2->85 89 9 other signatures 2->89 13 mshta.exe 1 2->13         started        signatures3 87 Performs DNS queries to domains with low reputation 61->87 process4 signatures5 115 Suspicious command line found 13->115 117 PowerShell case anomaly found 13->117 16 cmd.exe 1 13->16         started        process6 signatures7 73 Detected Cobalt Strike Beacon 16->73 75 Suspicious powershell command line found 16->75 77 PowerShell case anomaly found 16->77 19 powershell.exe 43 16->19         started        24 conhost.exe 16->24         started        process8 dnsIp9 65 172.245.123.32, 49716, 80 AS-COLOCROSSINGUS United States 19->65 51 C:\Users\user\AppData\Roaming\smss.exe, PE32 19->51 dropped 53 C:\Users\user\AppData\Local\...\smss[1].exe, PE32 19->53 dropped 55 C:\Users\user\AppData\...\y35p2qjs.cmdline, Unicode 19->55 dropped 91 Drops PE files with benign system names 19->91 93 Loading BitLocker PowerShell Module 19->93 95 Powershell drops PE file 19->95 26 smss.exe 2 19->26         started        29 csc.exe 3 19->29         started        32 backgroundTaskHost.exe 27 24 19->32         started        file10 signatures11 process12 file13 99 Antivirus detection for dropped file 26->99 101 Multi AV Scanner detection for dropped file 26->101 103 Binary is likely a compiled AutoIt script file 26->103 105 3 other signatures 26->105 34 svchost.exe 26->34         started        57 C:\Users\user\AppData\Local\...\y35p2qjs.dll, PE32 29->57 dropped 37 cvtres.exe 1 29->37         started        signatures14 process15 signatures16 79 Maps a DLL or memory area into another process 34->79 39 7HLXbJFcuuGutQgrmx.exe 34->39 injected process17 signatures18 97 Found direct / indirect Syscall (likely to bypass EDR) 39->97 42 AtBroker.exe 13 39->42         started        process19 signatures20 107 Tries to steal Mail credentials (via file / registry access) 42->107 109 Tries to harvest and steal browser information (history, passwords, etc) 42->109 111 Modifies the context of a thread in another process (thread injection) 42->111 113 3 other signatures 42->113 45 7HLXbJFcuuGutQgrmx.exe 42->45 injected 49 firefox.exe 42->49         started        process21 dnsIp22 67 www.soportemx-findmy.click 198.58.118.167, 49732, 49734, 49735 LINODE-APLinodeLLCUS United States 45->67 69 ns195.l4y.cn 45.119.52.125, 49745, 49746, 49747 CLOUDIE-AS-APCloudieLimitedHK China 45->69 71 4 other IPs or domains 45->71 119 Found direct / indirect Syscall (likely to bypass EDR) 45->119 signatures23
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4330364ed7044671ea3d48f8ad3ac8bb079eac0a7d12d1e6ddfcb47927386835
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4330364ed7044671ea3d48f8ad3ac8bb079eac0a7d12d1e6ddfcb47927386835/
Threat name:
Script-WScript.Trojan.Asthma
Create hunting rule
Status:
Malicious
First seen:
2025-03-26 12:27:35 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=imydmtwxardhd2r5jd4k2owixmdz5lakpujndzw57s2hsjzyna2q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
unc_loader_036
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence privilege_escalation
Link:
https://tria.ge/reports/250326-scab6sypz9/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4330364ed704/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4330364ed7044671ea3d48f8ad3ac8bb079eac0a7d12d1e6ddfcb47927386835

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

HTML Application (hta) hta 4330364ed7044671ea3d48f8ad3ac8bb079eac0a7d12d1e6ddfcb47927386835

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3491287/
  
Delivery method
Distributed via web download

Comments