MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 904129faa57fc614cefc17655f9cb0fba9392d271dfe9a1b9c18c28829c0e664. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 904129faa57fc614cefc17655f9cb0fba9392d271dfe9a1b9c18c28829c0e664
SHA3-384 hash: d51d018a5750e2a12aa8f1d4844fc2cf6bf1050303ea1c0a4d9236e4bf0e6fd74ff23d6a0d7c35e529f3540d23a4d0ae
SHA1 hash: 77dd004cd59ba53b9c44716b823a1c39ee293f95
MD5 hash: 4bacf388eda7f9e173282b1577c99b3d
humanhash: artist-six-wisconsin-orange
File name: truelifewithmanmadethingsonherefor.hta
Signature: Formbook
File size: 13'457 bytes
First seen: 2025-04-14 21:16:23 UTC
Last seen: Never
File type: HTML Application (hta) hta
MIME type: text/html
ssdeep: 96:OfLhTcmfLh6c5Twaj5wJbxjuurfLhCfLh0cQfLhb+:Ol/Q4watIMerc
Threatray: 189 similar samples on MalwareBazaar
TLSH: T1D55263C31C20EDAA0300A235A9DC46C2FB6C577E089997577A9D52DFC300B7E52F6286
Magika: html
Reporter: skocherhan
Tags: 192-3-26-143 FormBook hta


Comment by skocherhan:
http://192.3.26.143/xampp/gvc/truelifewithmanmadethingsonherefor.hta

Intelligence


File Origin
# of uploads: 1
# of downloads: 108
Origin country: GB
Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: delphi emotet
Result
Verdict: Malicious
File Type: HTA File - Malicious
Payload URLs
URL: http://192.3.26.143/440/hkcmd.exe (File name: HTA File)
Behaviour
BlacklistAPI detected
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint keylogger opendir opendir packed powershell
Result
Threat name: Cobalt Strike, DBatLoader, FormBook
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Detected Cobalt Strike Beacon
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected Powershell decode and execute
Behaviour
Behavior Graph ID: 1664909
Sample: truelifewithmanmadethingson...
Startdate: 14/04/2025
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures
Contacted hosts (top level): x112.jieruitech.info; www.zthzzyg.top; 8 other IPs or domains
Process tree (reconstructed from the graph edges; signatures in square brackets):
  mshta.exe [Suspicious command line found; PowerShell case anomaly found]
    cmd.exe [Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found]
      powershell.exe [Loading BitLocker PowerShell Module; Powershell drops PE file]
        network: 192.3.26.143, 49681, 80, AS-COLOCROSSINGUS, United States
        dropped: C:\Users\user\AppData\Roaming\hkcmd.exe (PE32)
        dropped: C:\Users\user\AppData\Local\...\hkcmd[1].exe (PE32)
        dropped: C:\Users\user\AppData\...\4jbortuo.cmdline (Unicode)
        hkcmd.exe [Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 4 other signatures]
          colorcpl.exe [Maps a DLL or memory area into another process]
            jy7dhEfPtuBr.exe (injected) [Found direct / indirect Syscall (likely to bypass EDR)]
              network: www.lifway.life 209.74.80.150, 49698, 49699, 49700, MULTIBAND-NEWHOPEUS, United States
              network: x112.jieruitech.info 192.197.113.156, 49692, 80, HKKFGL-AS-APHKKwaifongGroupLimitedHK, China
              network: 3 other IPs or domains
              systeminfo.exe [Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures]
                firefox.exe
          cmd.exe
            conhost.exe
          cmd.exe
            conhost.exe
        csc.exe
          dropped: C:\Users\user\AppData\Local\...\4jbortuo.dll (PE32)
          cvtres.exe
      conhost.exe
  svchost.exe
    network: 127.0.0.1
Threat name: Script-WScript.Trojan.Remcos
Status: Malicious
First seen: 2025-04-08 12:50:43 UTC
File Type: Text (HTML)
Extracted files: 1
AV detection: 11 of 38 (28.95%)
Threat level: 5/5
Result
Malware family: modiloader
Score: 10/10
Tags: family:modiloader defense_evasion discovery execution trojan
Behaviour
Gathers system information
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Formbook

HTML Application (hta) hta
904129faa57fc614cefc17655f9cb0fba9392d271dfe9a1b9c18c28829c0e664 (this sample)

Comments