MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ddee61bc01db09d1044294981f43eb8784637bea43e19c3648e7b532e5eb3db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ddee61bc01db09d1044294981f43eb8784637bea43e19c3648e7b532e5eb3db
SHA3-384 hash: 6a5ed041b9725b564362d05fffd564f25f220e49e0a222d5de4bc5f45ecff2301f9d5e8f4da9e30f0a34612c913de1e7
SHA1 hash: f671ed9ecfd9a813b52da88e530d7fc1c8d27cda
MD5 hash: ce3c33ee170c1de5e027ceef2c184214
humanhash: sad-sink-winter-ten
File name:nextbestkissingbestthingsformebetterwaygood.hta
Download: download sample
Signature Formbook
Create hunting rule
File size:37'699 bytes
First seen:2025-05-16 19:19:51 UTC
Last seen:2025-05-17 06:34:01 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:/gP4sVAGlEHB4sVcJ3RlEHbDvidfJaYWImHpW4sVRw4sV3/dlEHdwP4sVF:/gh2nPUUbDviLfnGp6QN/odwhP
TLSH T1F003F1E6C7BABD86CD53BB2EF23C6325415D052EC8B5C884F641700A99E4749E1E4ECE
Magika txt
Reporter abuse_ch
Tags:FormBook hta

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Starter.96.30315.18764.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682790a5e16384d6a7051210
Tags:
autoit emotet
Result
Verdict:
Clean
File Type:
HTA File
Link:
https://app.docguard.net/6ddee61bc01db09d1044294981f43eb8784637bea43e19c3648e7b532e5eb3db/results/dashboard
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/6827900015ed82cd53d7b7ea/reports/c5ebc1dc-ead0-4127-9645-af9d8bbcf456/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.1CBB5113
Link:
https://www.hybrid-analysis.com/sample/6ddee61bc01db09d1044294981f43eb8784637bea43e19c3648e7b532e5eb3db
Result
Threat name:
Cobalt Strike, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1692395
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Detected Cobalt Strike Beacon
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1692395 Sample: nextbestkissingbestthingsfo... Startdate: 16/05/2025 Architecture: WINDOWS Score: 100 68 www.okoty19.vip 2->68 70 www.580051.pro 2->70 72 444aec99.okoty19.vip.cname.scname.com 2->72 78 Suricata IDS alerts for network traffic 2->78 80 Antivirus detection for URL or domain 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 8 other signatures 2->84 13 mshta.exe 1 2->13         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 100 Suspicious command line found 13->100 102 PowerShell case anomaly found 13->102 19 cmd.exe 1 13->19         started        62 127.0.0.1 unknown unknown 16->62 signatures6 process7 signatures8 86 Detected Cobalt Strike Beacon 19->86 88 Suspicious powershell command line found 19->88 90 PowerShell case anomaly found 19->90 22 powershell.exe 44 19->22         started        27 conhost.exe 19->27         started        process9 dnsIp10 74 146.103.7.34, 49683, 80 BELNETBE Belgium 22->74 56 C:\Users\user\AppData\Local\...\TiWorker.exe, PE32 22->56 dropped 58 C:\Users\user\AppData\...\TiWorker[1].exe, PE32 22->58 dropped 60 C:\Users\user\AppData\...\maus4jgu.cmdline, Unicode 22->60 dropped 94 Loading BitLocker PowerShell Module 22->94 96 Powershell drops PE file 22->96 29 TiWorker.exe 2 22->29         started        32 csc.exe 3 22->32         started        35 conhost.exe 22->35         started        file11 signatures12 process13 file14 104 Multi AV Scanner detection for dropped file 29->104 106 Binary is likely a compiled AutoIt script file 29->106 108 Writes to foreign memory regions 29->108 110 2 other signatures 29->110 37 svchost.exe 29->37         started        54 C:\Users\user\AppData\Local\...\maus4jgu.dll, PE32 32->54 dropped 40 cvtres.exe 1 32->40         started        signatures15 process16 signatures17 92 Maps a DLL or memory area into another process 37->92 42 eaj1qxwEkXT.exe 37->42 injected process18 signatures19 98 Found direct / indirect Syscall (likely to bypass EDR) 42->98 45 sfc.exe 13 42->45         started        process20 signatures21 112 Tries to steal Mail credentials (via file / registry access) 45->112 114 Tries to harvest and steal browser information (history, passwords, etc) 45->114 116 Maps a DLL or memory area into another process 45->116 118 2 other signatures 45->118 48 eaj1qxwEkXT.exe 45->48 injected 52 firefox.exe 45->52         started        process22 dnsIp23 64 444aec99.okoty19.vip.cname.scname.com 65.181.134.38, 49696, 80 PAIR-NETWORKSUS United States 48->64 66 www.580051.pro 38.55.237.221, 80 COGENT-174US United States 48->66 76 Found direct / indirect Syscall (likely to bypass EDR) 48->76 signatures24
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6ddee61bc01db09d1044294981f43eb8784637bea43e19c3648e7b532e5eb3db
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ddee61bc01db09d1044294981f43eb8784637bea43e19c3648e7b532e5eb3db/
Threat name:
Script-WScript.Trojan.Asthma
Create hunting rule
Status:
Malicious
First seen:
2025-05-16 10:56:36 UTC
File Type:
Text (JavaScript)
AV detection:
9 of 37 (24.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxpomg6adwyj2eceffeyd5b6xb4emn56uq7btq3erz5vgls6wpnq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/250516-x2bnrazps2/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6ddee61bc01db09d1044294981f43eb8784637bea43e19c3648e7b532e5eb3db

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

HTML Application (hta) hta 6ddee61bc01db09d1044294981f43eb8784637bea43e19c3648e7b532e5eb3db

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3545185/
  
Delivery method
Distributed via web download

Comments