MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 740996ca9fb8ddc413b105dccabeca54bfe749f0c2341d3eaeec18b371373317. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 740996ca9fb8ddc413b105dccabeca54bfe749f0c2341d3eaeec18b371373317
SHA3-384 hash: b6d6a25c53b90e7f4b898a744307d311b519091a74fa6a8ff065c9ba4e4ff017a93670326cfdb38f0f19132f046d69ef
SHA1 hash: f93bd491c45c2c3fd616d99fccb3cd67e48c8da3
MD5 hash: fe75fe95942c4a50a4a1ccb99da3400c
humanhash: carbon-monkey-don-minnesota
File name:bestpeopleswithbestskillforthenewowrking.hta
Download: download sample
Signature Formbook
Create hunting rule
File size:15'768 bytes
First seen:2025-05-19 17:28:22 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 192:/ckSgskSYBXkgt8VukSmHXkS/OHt0FkSAv:kkSgskSQXaVukSm3kSwEkSw
TLSH T1CA6289ABD7BBBC86CC53FB2EB57C2724019C052ED8B9C8951A41700A94E435AE0F06CF
Magika txt
Reporter abuse_ch
Tags:FormBook hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Other.Malware-gen.10183.4266.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682c325ac28c67d666423820
Tags:
shell virus sage
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/682b6a4ebff72ff46b665902/reports/2e89b86f-2438-479f-89d3-d49bcbe3943f/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/740996ca9fb8ddc413b105dccabeca54bfe749f0c2341d3eaeec18b371373317
Result
Threat name:
Cobalt Strike
Create hunting rule
Detection:
malicious
Classification:
expl.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1694587
Signature
Detected Cobalt Strike Beacon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Uses threadpools to delay analysis
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1694587 Sample: bestpeopleswithbestskillfor... Startdate: 20/05/2025 Architecture: WINDOWS Score: 96 34 pki-goog.l.google.com 2->34 36 c.pki.goog 2->36 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected Powershell decode and execute 2->44 46 Sigma detected: Suspicious MSHTA Child Process 2->46 48 2 other signatures 2->48 10 mshta.exe 1 2->10         started        signatures3 process4 signatures5 50 Suspicious command line found 10->50 52 PowerShell case anomaly found 10->52 54 Uses threadpools to delay analysis 10->54 13 cmd.exe 1 10->13         started        process6 signatures7 56 Detected Cobalt Strike Beacon 13->56 58 Suspicious powershell command line found 13->58 60 PowerShell case anomaly found 13->60 16 powershell.exe 42 13->16         started        21 conhost.exe 13->21         started        process8 dnsIp9 32 107.175.246.32, 49692, 80 AS-COLOCROSSINGUS United States 16->32 28 C:\Users\user\AppData\...\2j1wkx3q.cmdline, Unicode 16->28 dropped 38 Uses threadpools to delay analysis 16->38 40 Loading BitLocker PowerShell Module 16->40 23 csc.exe 3 16->23         started        file10 signatures11 process12 file13 30 C:\Users\user\AppData\Local\...\2j1wkx3q.dll, PE32 23->30 dropped 26 cvtres.exe 1 23->26         started        process14
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/740996ca9fb8ddc413b105dccabeca54bfe749f0c2341d3eaeec18b371373317
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/740996ca9fb8ddc413b105dccabeca54bfe749f0c2341d3eaeec18b371373317/
Threat name:
Script-WScript.Downloader.Nemucod
Create hunting rule
Status:
Malicious
First seen:
2025-05-16 14:25:00 UTC
File Type:
Text (JavaScript)
AV detection:
11 of 38 (28.95%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oqeznsu7xdo4ie5raxomvpwkks76ospqyi2b2pvo5qmlg4jxgmlq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/740996ca9fb8ddc413b105dccabeca54bfe749f0c2341d3eaeec18b371373317

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

HTML Application (hta) hta 740996ca9fb8ddc413b105dccabeca54bfe749f0c2341d3eaeec18b371373317

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3547335/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3547339/

Comments