MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c7e5c9b9468a7c8749b000d83e22da94a2252d45965163e8a744d9fde4fa6ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 8

SHA256 hash: 4c7e5c9b9468a7c8749b000d83e22da94a2252d45965163e8a744d9fde4fa6ab
SHA3-384 hash: 95e5fec03c560781b933f2301c2fe8bff562bf3b79192a754ad571f5eeee0851eb2a3c1b2b4839e6fca3edb69ba95f93
SHA1 hash: f5c63a0ae74b4a1aa1105e41b1622223c44c8ee9
MD5 hash: 6d982efc879b5135b18bc1910ed86dce
humanhash: iowa-april-wyoming-pizza
File name: greatattitudewithgoodfeaturesgive.hta
Signature: Formbook
File size: 15'760 bytes
First seen: 2025-05-16 19:19:49 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 192:/b67w8P67PW8SMakP5xg6iEB6aMgc6+Dw8NF67p3:z677P67pxa4Tg6iC6aMgW7n67F
Threatray: 2'189 similar samples on MalwareBazaar
TLSH: T1FD6257AAC7BBBD86CD43FB2FB53DA324415D052ED8B9C8941600B00A94E431AF4E49DF
Magika: txt
Reporter: abuse_ch
Tags: FormBook hta

Intelligence

File Origin
# of uploads: 1
# of downloads: 104
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: vmdetect autoit emotet

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: masquerade

Result
Threat name: Cobalt Strike, FormBook
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Binary is likely a compiled AutoIt script file
Detected Cobalt Strike Beacon
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Powershell decode and execute
Behaviour
Behavior Graph (ID: 1692396; sample: greatattitudewithgoodfeatur...; start date: 16/05/2025; architecture: WINDOWS; score: 100), rebuilt as a process tree from the graph nodes and edges:

Sample
  DNS/IP: www.fasadmebelchelny.store; www.powerplants.info; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures
  started mshta.exe
    Signatures: Suspicious command line found; PowerShell case anomaly found
    started cmd.exe
      Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found
      started conhost.exe
      started powershell.exe
        DNS/IP: 208.89.61.141, ports 49692, 80, AXCELX-NETUS, United States
        Dropped: C:\Users\user\AppData\Local\...\TiWorker.exe (PE32); C:\Users\user\AppData\...\TiWorker[1].exe (PE32); C:\Users\user\AppData\...\tq5ejp4y.cmdline (Unicode)
        Signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
        started csc.exe
          Dropped: C:\Users\user\AppData\Local\...\tq5ejp4y.dll (PE32)
          started cvtres.exe
        started TiWorker.exe
          Signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; 2 other signatures
          started svchost.exe
            Signatures: Maps a DLL or memory area into another process
            injected CroIpcDHbNxS60Rc8XJ.exe
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              started tzutil.exe
                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                injected CroIpcDHbNxS60Rc8XJ.exe
                  DNS/IP: www.fasadmebelchelny.store 103.224.182.242, ports 49698, 49699, 49700, TRELLIAN-AS-AP Trellian Pty Limited, Australia; www.powerplants.info 141.8.194.53, port 80, SPRINTHOSTRU, Russian Federation; on24.com 162.159.135.42, ports 49697, 80, CLOUDFLARENETUS, United States
                  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                started chrome.exe
                  started WerFault.exe
                started firefox.exe
Threat name: Script-WScript.Trojan.Asthma
Status: Malicious
First seen: 2025-05-16 10:23:48 UTC
File Type: Text (JavaScript)
AV detection: 7 of 24 (29.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Formbook
HTML Application (hta) 4c7e5c9b9468a7c8749b000d83e22da94a2252d45965163e8a744d9fde4fa6ab (this sample)

Delivery method: Distributed via web download