MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5f96fa2821453e5c74f060e18b77424990f72e6387c60caff32a35d02c29758. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5f96fa2821453e5c74f060e18b77424990f72e6387c60caff32a35d02c29758
SHA3-384 hash: bfc66f985ecb84459113669570cf609ebf1572d35fd5152068d6b58415bf0391bf685e2c19493edae9527afe528cb9d6
SHA1 hash: 0891120d2b3867547e533ef398694c0858f2cd14
MD5 hash: 8d47610408b099f69dbf4aab6f6c1157
humanhash: pluto-magazine-vermont-eighteen
File name:PRQ-26-0162.JS
Download: download sample
Signature Formbook
Create hunting rule
File size:5'790'328 bytes
First seen:2026-01-30 11:21:36 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 98304:6JzXKn37mem+xES+8pyJKGNmOi20DOjcSnETz+1S9YlUsiDkNfKCOc9DJ27uhDg/:6JrsmenxEQpJGJipDlSnE1xDuKTcjyP/
Threatray 2'716 similar samples on MalwareBazaar
TLSH T14C463B843708D0719A27CFBD2A36A9D094995C7738C4CF15B089F9A1BB19D2FEB907B1
Magika javascript
Reporter lowmal3
Tags:FormBook js

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.Other.Malware-gen.71137282.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=697c94769a17da7683b49272
Tags:
obfuscate xtreme blic
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aes base64 base64 base64 crypto evasive obfuscated obfuscated powershell privilege reconnaissance repaired
Link:
https://www.filescan.io/uploads/697c9471b6bd365f0a697cd0/reports/fde799c1-5c52-494b-89f4-19d1ca9becfd/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/a5f96fa2821453e5c74f060e18b77424990f72e6387c60caff32a35d02c29758
Verdict:
Malicious
File Type:
js
First seen:
2026-01-29T23:22:00Z UTC
Last seen:
2026-02-01T08:07:00Z UTC
Hits:
~1000
Detections:
Trojan-Spy.Win32.Noon.sb Trojan-Downloader.MSIL.Agent.c Trojan-Downloader.JS.SLoad.sb Trojan.MSIL.Crypt.sb HEUR:Trojan.Win32.Agentb.gen Trojan-Downloader.MSIL.Seraph.d Trojan.JS.SAgent.sb PDM:Trojan.Win32.Generic HEUR:Trojan.PowerShell.Tesre.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/a5f96fa2821453e5c74f060e18b77424990f72e6387c60caff32a35d02c29758/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1860358
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1860358 Sample: PRQ-26-0162.JS.js Startdate: 30/01/2026 Architecture: WINDOWS Score: 100 38 www.umass.edu 2->38 40 www.formacionenferdep.com 2->40 42 6 other IPs or domains 2->42 54 Malicious sample detected (through community Yara rule) 2->54 56 Yara detected FormBook 2->56 58 Yara detected Powershell decode and execute 2->58 60 8 other signatures 2->60 12 wscript.exe 1 3 2->12         started        signatures3 process4 signatures5 72 Suspicious powershell command line found 12->72 74 Wscript starts Powershell (via cmd or directly) 12->74 76 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->76 78 Suspicious execution chain found 12->78 15 powershell.exe 26 12->15         started        process6 signatures7 80 Writes to foreign memory regions 15->80 82 Suspicious execution chain found 15->82 84 Injects a PE file into a foreign processes 15->84 86 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 15->86 18 RegAsm.exe 15->18         started        21 conhost.exe 15->21         started        process8 signatures9 50 Maps a DLL or memory area into another process 18->50 52 Unusual module load detection (module proxying) 18->52 23 zD2XifkM1uAomy.exe 18->23 injected process10 signatures11 62 Maps a DLL or memory area into another process 23->62 26 clip.exe 13 23->26         started        process12 signatures13 64 Tries to steal Mail credentials (via file / registry access) 26->64 66 Tries to harvest and steal browser information (history, passwords, etc) 26->66 68 Modifies the context of a thread in another process (thread injection) 26->68 70 4 other signatures 26->70 29 qiQnZ7uAIp.exe 26->29 injected 32 chrome.exe 26->32         started        34 firefox.exe 26->34         started        process14 dnsIp15 44 www.bgdfcxo.asia 156.234.154.104, 49698, 49699, 49700 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 29->44 46 www.aa9638.info 45.207.81.51, 49694, 49695, 49696 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles 29->46 48 4 other IPs or domains 29->48 36 WerFault.exe 4 32->36         started        process16
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5f96fa2821453e5c74f060e18b77424990f72e6387c60caff32a35d02c29758/
Verdict:
Malicious
Threat:
Trojan-Downloader.MSIL.Noon
Link:
https://tip.neiki.dev/file/a5f96fa2821453e5c74f060e18b77424990f72e6387c60caff32a35d02c29758
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2026-01-30 05:00:50 UTC
File Type:
Binary
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ux4w7iuccrj6lr2payhbrn3uesmq64xghb6gbsx7gkrv2awcs5ma._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2d69b310e05770207e0dfbc31f64586a5edefe9fa24ec1c66bada9d50a2f5d05
Formbook
533da1872324407ac2f8ccee9315fd3848b9407fdb921236f9a350e0294795e7
Formbook
5c14e62176fe6f93827864b3359fc15f2f36a5d88cbab42799a9494f38137139
Formbook
68d22e4c9a51915c544363615ed5aeb6e1a1c910367c16de46cde01d89953674
Formbook
898577462fa7aab7e8e185c3266d7562954578e3bceaa11e694ce45f0434c347
Formbook
9f9a7fd9f0d602ab0170d36da2e78425d9b469c691bf45dbf66e490d39b4790a
Formbook
ab8f034b89a3f3f3c7a77d3e5824fd4e4deb9734aa650cc78b0c3001e93a2a48
Formbook
b7bb8b7264e4deecc1009400a76c2b8aa1e6c7d972f7908d9b0ab79cb6d788a1
Formbook
error
Formbook
f9430e6f7fd4b2b62103cefb6766ce04b07e1be79b24ee7cdab934b913388335
Formbook
ff76c599e55cf1df34e0ccb7e3c30fa26402c11c3a561b3e33e9d0d3f3483beb
Formbook
+ 2'706 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/260130-ngbctaas9a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Formbook payload
Formbook
Formbook family
Malware family:
DnlibLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a5f96fa28214/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5f96fa2821453e5c74f060e18b77424990f72e6387c60caff32a35d02c29758

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Java Script (JS) js a5f96fa2821453e5c74f060e18b77424990f72e6387c60caff32a35d02c29758

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments