MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97d38f358fcd1829bd281b8218e7ee32cd2ea0b0e649adea2dc25ecf168751a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 97d38f358fcd1829bd281b8218e7ee32cd2ea0b0e649adea2dc25ecf168751a8
SHA3-384 hash: 2c2fada1762d2ef0855a71d01d622622f0b1c9f1162dc315f22bb3561926db12cdbd162473fdc0b7bee673b2c0ff11ff
SHA1 hash: dc08253d755b854c75798d2a485b3d3c4c255650
MD5 hash: 6938070b1b9f9ad45f99b27d20d109cf
humanhash: mississippi-dakota-bulldog-black
File name: TAM0018.JS
Signature: Formbook
File size: 4'047'126 bytes
First seen: 2026-06-15 13:28:58 UTC
Last seen: Never
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 98304:H2PdpfEJTbYQQbF8v6SV0Uc6jwM6IaAOUJywEuaK71uzCyFP+mNCpitjn9OKH2H2:CEJMbCq2WBAO62IyFP7NCpoJWHVdSWe1
TLSH: T18216C4200314C571D26C5B6DE675BA28150D298B50F9FB0D39AA47B43376E33A3BE7E2
Magika: txt
Reporter: James_inthe_box
Tags: exe FormBook js

Intelligence


File Origin
# of uploads: 1
# of downloads: 159
Origin country: US
Vendor Threat Intelligence
No detections
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug base64 dropper evasive obfuscated obfuscated packed repaired
Verdict: Malicious
File Type: js
First seen: 2026-06-14T23:25:00Z UTC
Last seen: 2026-06-15T09:54:00Z UTC
Hits: ~1000
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Found API chain indicative of debugger detection
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected FormBook
Behaviour
Behavior Graph ID: 1928026
Sample: TAM0018.JS
Start date: 15/06/2026
Architecture: WINDOWS
Score: 100
Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures
Process chain (reconstructed from the behavior graph):
wscript.exe (started)
  dropped: C:\Users\Public\...\FVAGIVGLWSPGBCIH.exe (PE32); C:\Users\Public\...\FVAGIVGLWSPGBCIH.ttf (ASCII)
  signatures: Benign windows process drops PE files; Windows Scripting host queries suspicious COM object (likely to drop second stage)
  starts: FVAGIVGLWSPGBCIH.exe
FVAGIVGLWSPGBCIH.exe (started)
  signatures: Found API chain indicative of debugger detection; Maps a DLL or memory area into another process
  injects: pg473VWTnt.exe
pg473VWTnt.exe (injected)
  signatures: Maps a DLL or memory area into another process
  starts: sdiagnhost.exe
sdiagnhost.exe (started)
  network: sqlite.org / www.sqlite.org, 194.195.208.62, ports 49162, 80 (AKAMAI-LINODE-AP Akamai Connected Cloud SG, United States)
  dropped: C:\Users\user\AppData\Local\...\sqlite3.dll (PE32)
  signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process; 2 other signatures
  starts: firefox.exe
  injects: 5m2wfsC1JP4.exe
firefox.exe (started)
  network: www.szorpeszet.hu
5m2wfsC1JP4.exe (injected)
  network: mutiusinazita.com, 129.232.206.186, ports 49175, 49176, 49177 (xneelo ZA, South Africa); szorpeszet.hu, 185.111.89.228, ports 49161, 49166, 49168 (WEBSUPPORT-SRO-SK-AS SK, Hungary); 5 other IPs or domains
Threat name: Script-JS.Dropper.Generic
Status: Suspicious
First seen: 2026-06-15 12:59:42 UTC
File Type: Binary
AV detection: 5 of 36 (13.89%)
Threat level: 3/5
Verdict: malicious
Label(s): formbook
Similar samples:
Result
Malware family: formbook
Score: 10/10
Tags: family:formbook execution rat spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Family: Formbook
Formbook payload
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments