MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 664272d1c9d15f1747c86d06066467ccdc54ce0062e1d201950a5a95478f1d99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	664272d1c9d15f1747c86d06066467ccdc54ce0062e1d201950a5a95478f1d99
SHA3-384 hash:	f0c25734fac2b0ac3392dfb17d8ac041903019ab0ec092bd8215bdb24ac3fec8a5f741d15d3b4ac868519f97170b386c
SHA1 hash:	425070bd9d9d1fd7a051b9851bb900de80aeba4b
MD5 hash:	ab30e31d57ac069700af3b76c2a0d3be
humanhash:	sweet-crazy-black-burger
File name:	payment details.js
Download:	download sample
Signature	Formbook Create hunting rule
File size:	240'748 bytes
First seen:	2025-09-01 09:34:52 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	768:ZLvTc5FsIk9FwXTyZuamtjJtTdl4FJkD/htIf:MSNF4rIf
Threatray	219 similar samples on MalwareBazaar
TLSH	T14E34A9666E196045D13B72DFA9B552C8DC23134760C04123FFBFA1226FB2894A2D7E6F
Magika	javascript
Reporter	abuse_ch
Tags:	FormBook js

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Rogue.0hr.20250901-0734.UNOFFICIAL

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68b5692feb163e0ec183f986

Tags:

obfuscate xtreme virus

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm masquerade powershell

Link:

https://www.filescan.io/uploads/68b569a539a6221faa78790c/reports/153d4f02-ca28-4b82-a8a7-4cbb3eb2931e/overview

Verdict:

Suspicious

Labled as:

VBS/Agent.TKB trojan

Link:

https://www.hybrid-analysis.com/sample/664272d1c9d15f1747c86d06066467ccdc54ce0062e1d201950a5a95478f1d99

Verdict:

Malicious

File Type:

First seen:

2025-08-31T21:05:00Z UTC

Last seen:

2025-08-31T21:05:00Z UTC

Hits:

~1000

Link:

https://opentip.kaspersky.com/664272d1c9d15f1747c86d06066467ccdc54ce0062e1d201950a5a95478f1d99/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1768839

Signature

Creates processes via WMI

Found Tor onion address

Javascript file is likely language aware (will only work on specific systems)

JavaScript source code contains functionality to generate code involving a shell, file or stream

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Score:

72%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/664272d1c9d15f1747c86d06066467ccdc54ce0062e1d201950a5a95478f1d99

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/664272d1c9d15f1747c86d06066467ccdc54ce0062e1d201950a5a95478f1d99/

Threat name:

Script.Backdoor.Remcos

Status:

Malicious

First seen:

2025-09-01 00:33:42 UTC

File Type:

Text (JavaScript)

AV detection:

10 of 38 (26.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mzbhfuoj2fpror6inudamzdhztofjtqamlq5eamvbjnjkr4pdwmq._file

Verdict:

malicious

Label(s):

formbook

Formbook

37c810d524a8db830dbb9d12d5d918802d3c85619d58810d04fc95232ec393ce

Formbook

6bc677ac4c36cb99e3170edb2b29b8e8b47399a2896f8f0c6fa998b4337bcf35

Formbook

8c2bf37543f505883716f27429754461c61c2b259a882942e59b4ecd0f279b80

Formbook

9100b0b6f9841dac7febdc66401cf61fccd63f126fa6769945c5505575f00cd9

Formbook

d58ef7f6352296a5f9052e5bb522a0556037f373b27dd1bf4c53a521f0f7a0a8

Formbook

dccde739186bcc2b12daae93ada247895c811ec080cf06fd4d431d2caecdc196

Formbook

e119c6c5485307075a1e5d0950a77f978f7f17e23c315ed8c38cc1259b8af26f

Formbook

error

Formbook

+ 209 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook execution rat spyware stealer trojan

Link:

https://tria.ge/reports/250901-lmdzsayvhw/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Suspicious use of SetThreadContext

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Formbook payload

Formbook

Formbook family

Process spawned unexpected child process

Malware Config

Dropper Extraction:

https://archive.org/download/optimized_msi_20250821/optimized_MSI.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/664272d1c9d15f1747c86d06066467ccdc54ce0062e1d201950a5a95478f1d99

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample