MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54a140cc4bf82200a421426e644790f34d3870c3adcace1f19d3196f0da7b01d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54a140cc4bf82200a421426e644790f34d3870c3adcace1f19d3196f0da7b01d
SHA3-384 hash: a1a583491a7425341da3b55b388ae6295612bd3f116c4a315ef4ababacb6abb27808075ab29ea74dadc4f02b39fee6c8
SHA1 hash: f3ea50afb200449b79034a4686788cf81e6b0b14
MD5 hash: 1377f067210dc8173f2985c0397a148a
humanhash: uranus-utah-kentucky-robin
File name:Ειδοποίηση πληρωμής_166 2881.JS
Download: download sample
Signature Formbook
Create hunting rule
File size:17'855'561 bytes
First seen:2025-06-18 08:06:16 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:KqgwHhh2omVi8yQIOOdMydOfeOrv41D2GtFQGTAAYuyZQ:yohh2omVi8yQIOOd74x41
Threatray 199 similar samples on MalwareBazaar
TLSH T1E207791B3DF2A5D9216419E0AF234DF90A36F974DCEFAC8DF684E14C290C271948B96D
Magika javascript
Reporter abuse_ch
Tags:FormBook js

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
NL NL
Vendor Threat Intelligence
Gathering data
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/54a140cc4bf82200a421426e644790f34d3870c3adcace1f19d3196f0da7b01d
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1717253
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1717253 Sample: 6 2881.JS.js Startdate: 18/06/2025 Architecture: WINDOWS Score: 100 42 www.factio.xyz 2->42 44 www.wizzair.com 2->44 46 4 other IPs or domains 2->46 66 Yara detected FormBook 2->66 68 Yara detected DBatLoader 2->68 70 JavaScript source code contains functionality to generate code involving a shell, file or stream 2->70 74 5 other signatures 2->74 11 wscript.exe 1 4 2->11         started        signatures3 72 Performs DNS queries to domains with low reputation 42->72 process4 signatures5 78 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->78 14 HEO.PIF 8 6 11->14         started        process6 file7 40 C:\Users\Public\Libraries\ekcsynpL.pif, PE32 14->40 dropped 80 Drops PE files with a suspicious file extension 14->80 82 Writes to foreign memory regions 14->82 84 Allocates memory in foreign processes 14->84 86 3 other signatures 14->86 18 ekcsynpL.pif 14->18         started        21 cmd.exe 1 14->21         started        23 cmd.exe 1 14->23         started        signatures8 process9 signatures10 62 Detected unpacking (changes PE section rights) 18->62 64 Maps a DLL or memory area into another process 18->64 25 wk2yagexsETgT.exe 18->25 injected 28 conhost.exe 21->28         started        30 conhost.exe 23->30         started        process11 signatures12 76 Maps a DLL or memory area into another process 25->76 32 MuiUnattend.exe 13 25->32         started        process13 signatures14 54 Tries to steal Mail credentials (via file / registry access) 32->54 56 Tries to harvest and steal browser information (history, passwords, etc) 32->56 58 Modifies the context of a thread in another process (thread injection) 32->58 60 3 other signatures 32->60 35 wwc0PMTER.exe 32->35 injected 38 firefox.exe 32->38         started        process15 dnsIp16 48 www.wizzair.com 18.173.219.62, 49726, 49727, 49728 MIT-GATEWAYSUS United States 35->48 50 www.boldcatchpoint.shop 207.244.126.106, 49734, 49735, 49736 LEASEWEB-USA-WDCUS United States 35->50 52 3 other IPs or domains 35->52
Score:
61%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/54a140cc4bf82200a421426e644790f34d3870c3adcace1f19d3196f0da7b01d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/54a140cc4bf82200a421426e644790f34d3870c3adcace1f19d3196f0da7b01d/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2025-06-18 06:56:15 UTC
File Type:
Text (JavaScript)
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ksqubtcl7arabjbbijxgir4q6ngtq4gdvxfm4hyz2mmw6dnhwaoq._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
23e972e1aa33917d1328a79b61da9777c6f19dd4ee8352862a879da4d1ff4032
Formbook
2cd854191967af9ed91f754e88853c195473540a5234a598b8e9dcf69242e48f
Formbook
540ecfddd158625e0e15030a6bb23a5a8e2f5b33c453a1b6e3915ed724983896
Formbook
5db217d0e51f8314d13845973949dd917e6c6dda1fd7b65fe6676dd92525c3fa
Formbook
ba4445c6d1d77f573ea271d1898c51485b0a49980f16a73205c4f0c5cefe89fc
Formbook
be3771d8f3893aecc6e6e907bae7bb4e837fce47b000ce7d4c99e47c330b2d3d
Formbook
c39f34c2541a3b808efabac95b5f7182b38f1f5a49cfc1037d53a89c527ed376
Formbook
dea1bc8fdb17a134d92f4a0197314eb4f1c792dee72f8a7dd7eaf48d0a0a5e9b
Formbook
error
Formbook
+ 189 additional samples on MalwareBazaar
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution trojan
Link:
https://tria.ge/reports/250618-j1np2aywcs/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54a140cc4bf82200a421426e644790f34d3870c3adcace1f19d3196f0da7b01d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments