MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c2bf37543f505883716f27429754461c61c2b259a882942e59b4ecd0f279b80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c2bf37543f505883716f27429754461c61c2b259a882942e59b4ecd0f279b80
SHA3-384 hash: be7334d3b3cd0881d1e026152d27af18e470fe65633bc7de5e74b6aa422c72df2d11e38995405963b4d024f7e816411b
SHA1 hash: 9cc5351de4fcdb180f4f76f93ee0dd18e576e198
MD5 hash: bc7a18333dae4096f1bd200270c6b41d
humanhash: bravo-thirteen-pasta-solar
File name:makebestfeelingwithgreatnessofhappinesskingforutome.hta
Download: download sample
Signature Formbook
Create hunting rule
File size:13'561 bytes
First seen:2025-08-24 15:14:29 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 192:sZEkRAC9BQjIR+v9BSdsU6Knmwi+P77UkKiAguaOI1/cemswcnttQIV4aCaZO/FA:sZXeI+VId6KbGy
Threatray 32 similar samples on MalwareBazaar
TLSH T121524064BE039AB10F75B6B367AA7004F787442B5121EB31B0BDAF454F62664017BACA
Magika html
Reporter abuse_ch
Tags:FormBook hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
51
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Heur.BZC.UGZ.Boxter.261.FD35D0B6.6985.32723.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ab2c60e9d9dbcfd96d9d7f
Tags:
obfuscate xtreme spawn
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/8c2bf37543f505883716f27429754461c61c2b259a882942e59b4ecd0f279b80/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8c2bf37543f505883716f27429754461c61c2b259a882942e59b4ecd0f279b80
Verdict:
Malicious
File Type:
hta
First seen:
2025-08-22T15:49:00Z UTC
Last seen:
2025-08-22T15:49:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/8c2bf37543f505883716f27429754461c61c2b259a882942e59b4ecd0f279b80/results?tab=lookup
Result
Threat name:
FormBook, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1763973
Signature
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1763973 Sample: makebestfeelingwithgreatnes... Startdate: 24/08/2025 Architecture: WINDOWS Score: 100 50 www.mczacji.top 2->50 52 www.jellymint.site 2->52 54 17 other IPs or domains 2->54 68 Suricata IDS alerts for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 7 other signatures 2->74 12 mshta.exe 1 2->12         started        15 explorer.exe 49 157 2->15         started        18 rundll32.exe 2->18         started        signatures3 process4 dnsIp5 86 Suspicious powershell command line found 12->86 20 powershell.exe 15 15 12->20         started        23 conhost.exe 12->23         started        66 ax-0003.ax-msedge.net 150.171.28.12, 443, 49737 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->66 88 System process connects to network (likely due to code injection or exploit) 15->88 90 Query firmware table information (likely to detect VMs) 15->90 signatures6 process7 dnsIp8 56 pastefy.app 49.13.5.8, 443, 49718 HETZNER-ASDE Germany 20->56 58 192.3.177.152, 49716, 80 AS-COLOCROSSINGUS United States 20->58 25 aspnet_compiler.exe 20->25         started        28 conhost.exe 20->28         started        30 aspnet_compiler.exe 20->30         started        32 2 other processes 20->32 process9 signatures10 84 Maps a DLL or memory area into another process 25->84 34 VkF3xyynqr.exe 25->34 injected process11 process12 36 PresentationHost.exe 13 34->36         started        signatures13 76 Tries to steal Mail credentials (via file / registry access) 36->76 78 Tries to harvest and steal browser information (history, passwords, etc) 36->78 80 Modifies the context of a thread in another process (thread injection) 36->80 82 3 other signatures 36->82 39 vce1uCTu.exe 36->39 injected 42 chrome.exe 36->42         started        44 explorer.exe 5 4 36->44         started        46 firefox.exe 36->46         started        process14 dnsIp15 60 elementzone.shop 162.255.119.17, 49725, 49726, 49727 NAMECHEAP-NETUS United States 39->60 62 www.jellymint.site 209.74.64.189, 49733, 49734, 49735 MULTIBAND-NEWHOPEUS United States 39->62 64 2 other IPs or domains 39->64 48 WerFault.exe 4 42->48         started        process16
Score:
2%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/8c2bf37543f505883716f27429754461c61c2b259a882942e59b4ecd0f279b80
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
Html
Link:
https://app.malva.re/file/bc7a18333dae4096f1bd200270c6b41d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c2bf37543f505883716f27429754461c61c2b259a882942e59b4ecd0f279b80/
Threat name:
Script-JS.Trojan.Boxter
Create hunting rule
Status:
Malicious
First seen:
2025-08-22 23:31:44 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rqv7g5kd6ucyqnyw6j2cs5kemhdbykzftkecsqxftnhm2dzhtoaa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
023c2ffe7b6418affcafe78df6d190107a882de63f55c63a266247c22b11e244
Formbook
6bc677ac4c36cb99e3170edb2b29b8e8b47399a2896f8f0c6fa998b4337bcf35
Formbook
a1ac02a03b7f08e18a025ba93df774106bb832160755290609d8e648f1502e1e
Formbook
b3c254d8249b079be915664ed97ac1423aeb9c2845a8521a2d1a31ff0fd66476
Formbook
c208d8d0493c60f14172acb4549dcb394d2b92d30bcae4880e66df3c3a7100e4
Formbook
c801ef1bc3c89ffa7fe58fce8375a30d3eee3295505e70bd11afa7816f6a0637
Formbook
d58ef7f6352296a5f9052e5bb522a0556037f373b27dd1bf4c53a521f0f7a0a8
Formbook
e119c6c5485307075a1e5d0950a77f978f7f17e23c315ed8c38cc1259b8af26f
Formbook
error
Formbook
+ 22 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook defense_evasion discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250824-sm64wswshy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Modifies trusted root certificate store through registry
Formbook payload
Formbook
Formbook family
Malware Config
Dropper Extraction:
http://192.3.177.152/xampp/optimized_MSI.png
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c2bf37543f5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8c2bf37543f505883716f27429754461c61c2b259a882942e59b4ecd0f279b80

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

HTML Application (hta) hta 8c2bf37543f505883716f27429754461c61c2b259a882942e59b4ecd0f279b80

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3610860/
  
Delivery method
Distributed via web download

Comments