MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b17ad38af866df89ec406d7881e23c4eb7de205f0eb59fb4cc9daf045036f9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b17ad38af866df89ec406d7881e23c4eb7de205f0eb59fb4cc9daf045036f9a
SHA3-384 hash: e57e6c4fdd2926e2c7f494a0726bc66fa200de8d6719d78006e3736a3f853cdbd6d2127155a3c0fe861c664c18ca6a66
SHA1 hash: 6a731a067c7c623b02e3129a2c115e9af5730fc7
MD5 hash: 8f76f7066c7f158340a1458cce6e071e
humanhash: orange-wyoming-six-burger
File name:RE_catalogue_2025_samples_list_revise_RE_8-Jul-2025-Global_Industrial-SF04750078607.JS
Download: download sample
Signature Formbook
Create hunting rule
File size:7'085'447 bytes
First seen:2025-07-08 15:08:35 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:QlKimbJeWRUQWyHeWInJbd/ttCcLEaNHqwu5mv5A5umgSR8c:XuWInJV2
Threatray 9 similar samples on MalwareBazaar
TLSH T1046671964D1FB78271D2DFA02A88B99AD43B56C31B012B3070CC5D09F3ADD5A2DDEB58
Magika javascript
Reporter lowmal3
Tags:FormBook js

Intelligence

File Origin
# of uploads :
1
# of downloads :
43
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686d34aac9eb97473767a17d
Tags:
emotet delphi
Verdict:
Malicious
Labled as:
Trojan/JS.Agent
Link:
https://www.hybrid-analysis.com/sample/9b17ad38af866df89ec406d7881e23c4eb7de205f0eb59fb4cc9daf045036f9a
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1731083
Signature
Allocates many large memory junks
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Drops PE files with a suspicious file extension
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses runas.exe to run programs with evaluated privileges
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1731083 Sample: RE_catalogue_2025_samples_l... Startdate: 08/07/2025 Architecture: WINDOWS Score: 100 34 www.planningstake.xyz 2->34 36 www.globalhelix.xyz 2->36 38 2 other IPs or domains 2->38 50 Suricata IDS alerts for network traffic 2->50 52 Yara detected FormBook 2->52 54 Yara detected DBatLoader 2->54 58 6 other signatures 2->58 11 wscript.exe 1 5 2->11         started        signatures3 56 Performs DNS queries to domains with low reputation 36->56 process4 signatures5 70 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->70 14 RE_catalogue_2025_samples_list_revise_RE_8-Jul-2025-Global_Industrial-SF04750078607.JS.js.pif 1 11->14         started        process6 file7 32 C:\Users\Public\Libraries\vydgdetI.pif, PE32 14->32 dropped 72 Drops PE files with a suspicious file extension 14->72 74 Writes to foreign memory regions 14->74 76 Allocates memory in foreign processes 14->76 78 3 other signatures 14->78 18 vydgdetI.pif 14->18         started        signatures8 process9 signatures10 46 Detected unpacking (changes PE section rights) 18->46 48 Maps a DLL or memory area into another process 18->48 21 EoL7wErJ1zM.exe 18->21 injected process11 signatures12 60 Maps a DLL or memory area into another process 21->60 24 runas.exe 13 21->24         started        process13 signatures14 62 Tries to steal Mail credentials (via file / registry access) 24->62 64 Tries to harvest and steal browser information (history, passwords, etc) 24->64 66 Modifies the context of a thread in another process (thread injection) 24->66 68 3 other signatures 24->68 27 byKO5LHZYIwu.exe 24->27 injected 30 firefox.exe 24->30         started        process15 dnsIp16 40 www.fotka.com 104.26.14.22, 49703, 80 CLOUDFLARENETUS United States 27->40 42 www.globalhelix.xyz 13.248.169.48, 49704, 49705, 49706 AMAZON-02US United States 27->42 44 www.goodtorty.top 103.174.96.189, 80 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 27->44
Score:
96%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/9b17ad38af866df89ec406d7881e23c4eb7de205f0eb59fb4cc9daf045036f9a
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b17ad38af866df89ec406d7881e23c4eb7de205f0eb59fb4cc9daf045036f9a/
Threat name:
Script-JS.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-08 07:37:01 UTC
File Type:
Text (JavaScript)
AV detection:
10 of 24 (41.67%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tml22ofpqzw7rhwea3lyqhrdytvx3yqf6dvvt62mzhnparidn6na._file
Verdict:
malicious
Label(s):
dbatloader
Create hunting rule
Similar samples:
1361ec5edf9d9f8d6abf071a4303cfce88459b8b3b086cc7f0c7aed4034a501d
Formbook
45c60025b0c1614cdfd8fef880eac8a850424d4af1627f60393b729e2942c719
Formbook
8160be5c40028ff2f6cfd92cf379a94fe627fea67c7790ee4f35084a27d1ed55
Formbook
8a3be79e4d0780160e607165cb38f0b102e95f7d5caf798e94663429eef4bb8e
Formbook
9b17ad38af866df89ec406d7881e23c4eb7de205f0eb59fb4cc9daf045036f9a
Formbook
e518eb761b815b60437b518445389edcf9792936833223f2fa9e2b9fda61cd6d
Formbook
error
Formbook
Result
Malware family:
modiloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader discovery execution trojan
Link:
https://tria.ge/reports/250708-sjlzjswmz4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
ModiLoader Second Stage
ModiLoader, DBatLoader
Modiloader family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9b17ad38af866df89ec406d7881e23c4eb7de205f0eb59fb4cc9daf045036f9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_obfuscated_JS_obfuscatorio
Create hunting rule
Author:@imp0rtp3
Description:Detect JS obfuscation done by the js obfuscator (often malicious)
Reference:https://obfuscator.io

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Java Script (JS) js 9b17ad38af866df89ec406d7881e23c4eb7de205f0eb59fb4cc9daf045036f9a

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments