MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abba78a4679499caf6bb0f1d17dd8816f1b39655e09a2be770a92d54dc4072be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abba78a4679499caf6bb0f1d17dd8816f1b39655e09a2be770a92d54dc4072be
SHA3-384 hash: 0ddff114774b6751594b56297a6ee3cb27e6f9d039105d69b633908052ac4acbed5e69d7bbbeb61e0afd10ceef8efbbb
SHA1 hash: 0158e7e8cb5d90f2b26928546a03664152eb8594
MD5 hash: 5742824e43f9e8d796d2de8e50c6793a
humanhash: july-asparagus-earth-virginia
File name:PIM_30_10_00193_interser.js
Download: download sample
Signature Formbook
Create hunting rule
File size:4'448'256 bytes
First seen:2025-10-31 18:06:06 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:kcrXa/tGcNs4yxFcfLFGp156sA+j98gZqDpJkQzgerk2uEUmPfTWpe1nvX9+NZ4U:vDaNsd30+jLZqDpJkPErWpW8NZ4WVu0
Threatray 202 similar samples on MalwareBazaar
TLSH T1C426146C856EC2C9939241DC1B12F14EE3C460B90A53CDEA395D729E6F70979183EBB3
Magika javascript
Reporter JAMESWT_WT
Tags:FormBook js Spam-ITA www-grevla-top

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6904fab29942f1282ecaf551
Tags:
obfuscate xtreme spawn
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 base64 evasive fingerprint obfuscated obfuscated opendir overlay powershell repaired
Link:
https://www.filescan.io/uploads/6904fab6a3d1631095243653/reports/4d35d331-41f4-4197-badf-e813ac4ebe81/overview
Verdict:
Malicious
Labled as:
Trojan.Cryxos.JS
Link:
https://www.hybrid-analysis.com/sample/abba78a4679499caf6bb0f1d17dd8816f1b39655e09a2be770a92d54dc4072be
Verdict:
Malicious
File Type:
js
First seen:
2025-10-30T08:24:00Z UTC
Last seen:
2025-11-02T05:08:00Z UTC
Hits:
~100
Detections:
Trojan.Agentb.TCP.C&C Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/abba78a4679499caf6bb0f1d17dd8816f1b39655e09a2be770a92d54dc4072be/results?tab=lookup
Verdict:
inconclusive
YARA:
2 match(es)
Tags:
PowerShell
Link:
https://app.malva.re/file/5742824e43f9e8d796d2de8e50c6793a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abba78a4679499caf6bb0f1d17dd8816f1b39655e09a2be770a92d54dc4072be/
Verdict:
Malicious
Threat:
Trojan.JS.TCP
Link:
https://tip.neiki.dev/file/abba78a4679499caf6bb0f1d17dd8816f1b39655e09a2be770a92d54dc4072be
Threat name:
Script-JS.Trojan.Cryxos
Create hunting rule
Status:
Malicious
First seen:
2025-10-30 11:42:11 UTC
File Type:
Binary
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vo5hrjdhssm4v5v3b4orpxmic3y3hfsv4cncxz3qvewvjxcaok7a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e25a1bb3a7d87a844ccd653adeee5645b56280dd5458ba98e9e7b525f56b2c1
Formbook
2acba1b931e5668cf6d6444a63da78507cd34db9a720e6eb98ea46610c10f09b
Formbook
6370d7905a4128b8353f5cf24c895489be32fe53f5bac553364568abe07c31f4
Formbook
a05790987759904eaacf9334088c089bc2bab90c7223d6e72d3014043a3b72bc
Formbook
b72ad9f5170c18afe5788fff799541fa6e034702ebde25f35279ea39e5385a67
Formbook
b9673438f2064f7660899c46219889f3b76db3b64efcc1d074023bceea7cd043
Formbook
eb4c64f160030cfee24f7fe0a49479bb538e746b2c73e9574f8fc80e36d3cae0
Formbook
error
Formbook
+ 192 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251031-wp32ssynhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://ia801507.us.archive.org/20/items/msi-pro-with-b-64_20251024/MSI_PRO_with_b64.png
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/abba78a46794/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/abba78a4679499caf6bb0f1d17dd8816f1b39655e09a2be770a92d54dc4072be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments