MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 870581d45e947b5012a6484f1af15ff5040008dca712ab3d30232f25d0b7f98b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

SHA256 hash: 870581d45e947b5012a6484f1af15ff5040008dca712ab3d30232f25d0b7f98b
SHA3-384 hash: f3c8b14182e79c87291fae26e294bf5b93b6dab6bdd71698841366654825dbd339289bed3b7edc65915125941d3210e4
SHA1 hash: 37e487bf072f745af5da1cebda4c7694adc09e32
MD5 hash: 0d7ac33c1867177d96e6cb074f4574f6
humanhash: early-west-whiskey-aspen
File name: nuevo orden pdf.JS
Download: download sample
Signature: Formbook
File size: 5'819'188 bytes
First seen: 2025-07-12 09:10:21 UTC
Last seen: 2025-07-12 17:37:25 UTC
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 98304:mVyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyypXJ+NAiabuo3p+J:Yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyx
Threatray: 4'571 similar samples on MalwareBazaar
TLSH: T119462EC6E9F19AE0B2582F983934774388DD8297EA1B44F46298D936CE3D519C7CE433
Magika: javascript
Reporter: smica83
Tags: FormBook js

Intelligence

File Origin
# of uploads: 2
# of downloads: 36
Origin country: HU
Vendor Threat Intelligence
Verdict: Malicious
Labeled as: HEUR_TrojanDropper_Script_Generic
Result
Threat name: DBatLoader, FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates many large memory junks
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Early bird code injection technique detected
Found malware configuration
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph (ID 1734630; sample: nuevo orden pdf.JS.js; start date: 12/07/2025; architecture: WINDOWS; score: 100). The rendered graph is not reproduced here; the process tree it shows is:
- wscript.exe starts ScriptRunner.exe, which starts wall.css.exe and conhost.exe
- wall.css.exe starts SndVol.exe and cmd.exe; cmd.exe starts conhost.exe and schtasks.exe
- SndVol.exe injects into explorer.exe, which starts netsh.exe and WWAHost.exe; netsh.exe starts cmd.exe, which starts conhost.exe
- in parallel, rundll32.exe starts Ngqpllae.PIF, which starts colorcpl.exe
Domains contacted: www.pinsantoto4d.xyz, www.iaozhewaimai.xyz and 2 other IPs or domains; the graph flags the DNS queries as going to domains with low reputation.
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-07-12 00:57:46 UTC
File Type: Text (JavaScript)
AV detection: 5 of 24 (20.83%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader defense_evasion discovery execution trojan
Behaviour
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Binary Proxy Execution: ScriptRunner
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information