MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cafc7a554a8986293b7e8db97c8b984753f7906ab4b90747ee187b9ddcaf873. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8cafc7a554a8986293b7e8db97c8b984753f7906ab4b90747ee187b9ddcaf873
SHA3-384 hash: 662f0273d70d45d0cb0ae96718ad08ee94f31d6d82af47264962cc2217c3a791079f2aa93afba59c5a67d72a355867ce
SHA1 hash: 7e191e2a20ff2af2cf14d24bdf9dfd337aaf1364
MD5 hash: da18ddbacda7b0c9fc92ae0540c9d6d2
humanhash: five-lake-delaware-eleven
File name:blessed.ps1
Download: download sample
Signature Formbook
Create hunting rule
File size:451'364 bytes
First seen:2025-02-14 11:05:46 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12288:/V8elXITf68gOcHHrDcsZBD1Ne0jwWn2NPy4:94Ty8gTHLI+lEW2Nq4
Threatray 11 similar samples on MalwareBazaar
TLSH T180A4E0308818B92FCEEF1F87B1A42FC73C791577DD581409A48F59B95E2823819BAF64
Magika powershell
Reporter JAMESWT_WT
Tags:196-251-92-64 FormBook ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67af247b28ab76d43a5ae72d
Tags:
virus shell spawn
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
confuserex crypt dropper obfuscated obfuscated packed packed powershell
Link:
https://www.filescan.io/uploads/67af23a841f6d21e6a3b27c2/reports/a12576ce-05fc-4189-9996-946b1e6fd010/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8cafc7a554a8986293b7e8db97c8b984753f7906ab4b90747ee187b9ddcaf873
Result
Verdict:
MALICIOUS
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1615021
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1615021 Sample: blessed.ps1 Startdate: 14/02/2025 Architecture: WINDOWS Score: 100 54 www.031233226.xyz 2->54 56 www.rwcthha.top 2->56 58 13 other IPs or domains 2->58 68 Suricata IDS alerts for network traffic 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 76 5 other signatures 2->76 11 powershell.exe 16 2->11         started        15 explorer.exe 2->15         started        17 explorer.exe 4 132 2->17         started        20 4 other processes 2->20 signatures3 74 Performs DNS queries to domains with low reputation 54->74 process4 dnsIp5 48 C:\Users\user\AppData\Local\Temp\x.exe, PE32 11->48 dropped 96 Suspicious execution chain found 11->96 98 Found suspicious powershell code related to unpacking or dynamic code loading 11->98 100 Powershell drops PE file 11->100 22 x.exe 3 11->22         started        25 conhost.exe 11->25         started        102 System process connects to network (likely due to code injection or exploit) 15->102 104 Query firmware table information (likely to detect VMs) 15->104 50 a-0003.a-msedge.net 204.79.197.203, 443, 50008, 50017 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->50 27 WerFault.exe 17->27         started        52 127.0.0.1 unknown unknown 20->52 29 WerFault.exe 20->29         started        file6 signatures7 process8 signatures9 86 Antivirus detection for dropped file 22->86 88 Multi AV Scanner detection for dropped file 22->88 90 Writes to foreign memory regions 22->90 92 2 other signatures 22->92 31 RegAsm.exe 22->31         started        process10 signatures11 106 Maps a DLL or memory area into another process 31->106 34 Rjz4nst3KK68RY02KKzQnkK.exe 31->34 injected process12 signatures13 66 Found direct / indirect Syscall (likely to bypass EDR) 34->66 37 wiaacmgr.exe 13 34->37         started        process14 signatures15 78 Tries to steal Mail credentials (via file / registry access) 37->78 80 Tries to harvest and steal browser information (history, passwords, etc) 37->80 82 Modifies the context of a thread in another process (thread injection) 37->82 84 3 other signatures 37->84 40 Rjz4nst3KK68RY02KKzQnkK.exe 37->40 injected 44 explorer.exe 4 4 37->44         started        46 firefox.exe 37->46         started        process16 dnsIp17 60 www.rwcthha.top 38.181.35.142, 49993, 49994, 49995 COGENT-174US United States 40->60 62 www.efvvvb.info 47.83.1.90, 49997, 49998, 49999 VODANETInternationalIP-BackboneofVodafoneDE United States 40->62 64 6 other IPs or domains 40->64 94 Found direct / indirect Syscall (likely to bypass EDR) 40->94 signatures18
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/8cafc7a554a8986293b7e8db97c8b984753f7906ab4b90747ee187b9ddcaf873
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8cafc7a554a8986293b7e8db97c8b984753f7906ab4b90747ee187b9ddcaf873/
Threat name:
Script-PowerShell.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-02-07 08:51:54 UTC
File Type:
Text
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rsx4pjkuvcmgfe5x5dnzpsfzqr2t66igvnfza5d64gd3txok7bzq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
003322cf9021b6afa90bd2af7a0e2d5c9d3dccc166b2c703004e37618953563a
Formbook
0574298c67f144f1af0558651e6dd61aa9de001fbffd5a17c041732460556d7c
Formbook
660559126a18c4f38218b2efda9bc42d439756afd82350c9d89f9f6749436148
Formbook
8cafc7a554a8986293b7e8db97c8b984753f7906ab4b90747ee187b9ddcaf873
Formbook
9a815a1a9b543193df99c1dbe141520d7f85fce96016c40490eedfc7c13b15f4
Formbook
b9aec4456156a193af2b3615f547fe796fc98aa7cf1587f6cab95fa92daaca7d
Formbook
dac971c09595219e2190a7e73cd539496d26f4981c8a3e8a566aecd2dec7e7a4
Formbook
error
Formbook
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250214-m7hn5strfx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8cafc7a554a8986293b7e8db97c8b984753f7906ab4b90747ee187b9ddcaf873

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:SUSP_PS1_FromBase64String_Content_Indicator_RID3714
Create hunting rule
Author:Florian Roth
Description:Detects suspicious base64 encoded PowerShell expressions
Reference:https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

PowerShell (PS) ps1 8cafc7a554a8986293b7e8db97c8b984753f7906ab4b90747ee187b9ddcaf873

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3418686/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3439288/

Comments