MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0e440a9658784f649a601bed6a688a44f8c365bc42b0242064dddd704f213cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook
Vendor detections: 8

SHA256 hash: b0e440a9658784f649a601bed6a688a44f8c365bc42b0242064dddd704f213cb
SHA3-384 hash: 66f3e25a650b2d678e60a5a597e98e02eba2aaaadca198c6ff956c1431de916125f57fdc2a1d9ac9ff2b765c8b814ffd
SHA1 hash: ffee08d4929bacc57dd017decd168fd2972b2638
MD5 hash: 0d4bfe583692885b9ab59e8f10f15d76
humanhash: crazy-aspen-alabama-kansas
File name: wedecidedtoreleasegoodthingsforme.hta
Signature: Formbook
File size: 28,497 bytes
First seen: 2025-05-19 17:28:21 UTC
Last seen: Never
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 96:/55O6yW0baB5DdyW0bL0YXoVBgd1/l5Li5HcjyW0b3E5e:/5g6yW3BjyWBYXoVBgdLENcjyWsEY
TLSH: T162D247E6C7AABC96CD53BB2EF5392724409D192DDCB5C994F651B00A84E4349E0F0ECE
Magika: txt
Reporter: abuse_ch
Tags: FormBook hta

Intelligence

File Origin
# of uploads: 1
# of downloads: 83
Origin country: DE

Vendor Threat Intelligence
Verdict: Malicious
Score: 96.5%
Tags: obfuscate shell sage

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: masquerade
Result
Threat name: Cobalt Strike
Detection: malicious
Classification: expl.evad
Score: 96 / 100

Signature
Detected Cobalt Strike Beacon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Uses threadpools to delay analysis
Yara detected Powershell decode and execute

Behaviour
Behavior Graph ID: 1694590
Sample: wedecidedtoreleasegoodthingsforme.hta
Start date: 20/05/2025
Architecture: WINDOWS
Score: 96

Process tree recovered from the behavior graph (per-node signatures in parentheses):
mshta.exe (Suspicious command line found; PowerShell case anomaly found; Uses threadpools to delay analysis)
  -> cmd.exe (Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found)
    -> powershell.exe (Uses threadpools to delay analysis; Loading BitLocker PowerShell Module)
       network: 107.175.246.32 port 80 (local port 49687), AS-COLOCROSSINGUS, United States
       dropped: C:\Users\user\AppData\...\4o0k52q4.cmdline (Unicode)
       -> csc.exe
          dropped: C:\Users\user\AppData\Local\...\4o0k52q4.dll (PE32)
          -> cvtres.exe
    -> conhost.exe
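The vendors on this page disagree about the family (a Formbook tag, a Cobalt Strike beacon verdict, a Nemucod downloader name), but the execution chain in the behavior graph is the same regardless of the label: mshta.exe spawning cmd.exe, a case-mangled PowerShell invocation, and csc.exe compiling a response file out of AppData. The following is an added example, not code from MalwareBazaar or any sandbox vendor, of how those three reported signatures can be checked against process-creation telemetry. The event records, PIDs, paths and command lines are constructed and hypothetical; only the parent/child chain mirrors the report, and the Temp path used for the compiler response file is a placeholder rather than the truncated path shown above.

```python
"""Process-chain detections for the behaviour reported above:
mshta.exe -> cmd.exe -> powershell.exe -> csc.exe (compiling from AppData).

Added example, not MalwareBazaar or sandbox-vendor code. The events below are
constructed Sysmon-style process-creation records; PIDs, paths and command
lines are hypothetical and only the process chain mirrors the report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


# Constructed sample events (hypothetical). The last one is a benign control.
EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\user\Downloads\wedecidedtoreleasegoodthingsforme.hta"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(1001, 1000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c pOwErShElL -w hidden -ep bypass -enc SQBFAFgA",
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(1002, 1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"pOwErShElL -w hidden -ep bypass -enc SQBFAFgA",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1003, 1002, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\xyz\xyz.cmdline"',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(2000, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",
              r"C:\Windows\explorer.exe"),
]

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}
COMPILERS = {"csc.exe", "vbc.exe"}
# User-writable directories a legitimate build would not compile from.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                   "\\users\\public\\", "\\windows\\temp\\", "\\programdata\\")
# Spellings a human or script normally types; anything else is a case anomaly.
CONVENTIONAL = {"powershell", "PowerShell", "Powershell", "POWERSHELL"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_mshta_child(ev: ProcEvent) -> bool:
    """mshta.exe should render HTA content, not launch a shell or script host."""
    return basename(ev.parent_image) == "mshta.exe" and basename(ev.image) in SCRIPT_HOSTS


def powershell_case_anomaly(ev: ProcEvent) -> bool:
    """Mixed-case 'powershell' is a common attempt to dodge string matching."""
    return any(m.group(0) not in CONVENTIONAL
               for m in re.finditer(r"powershell", ev.cmdline, re.IGNORECASE))


def compiler_from_suspicious_location(ev: ProcEvent) -> bool:
    """csc.exe/vbc.exe given sources or a response file from a user-writable directory."""
    if basename(ev.image) not in COMPILERS:
        return False
    cl = ev.cmdline.lower()
    return any(d in cl for d in SUSPICIOUS_DIRS)


RULES = {
    "Suspicious MSHTA Child Process": suspicious_mshta_child,
    "PowerShell case anomaly": powershell_case_anomaly,
    "Dot net compiler compiles file from suspicious location": compiler_from_suspicious_location,
}


def ancestry(ev: ProcEvent, by_pid: dict) -> list:
    """Image basenames from ev up to the root (ev first); stops on unknown or cyclic PIDs."""
    chain, seen, cur = [], set(), ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def run_detections(events: list) -> dict:
    """Map pid -> list of rule names that fired, including the chain-level rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        # Chain rule: a compiler anywhere below mshta.exe, not just its direct child.
        if basename(ev.image) in COMPILERS and "mshta.exe" in ancestry(ev, by_pid)[1:]:
            fired.append("Compiler descended from mshta.exe")
        if fired:
            hits[ev.pid] = fired
    return hits


if __name__ == "__main__":
    for pid, names in run_detections(EVENTS).items():
        print(pid, "->", "; ".join(names))
```

Run against the constructed events, the benign PowerShell launch from Explorer produces no hits, while cmd.exe, powershell.exe and csc.exe in the mshta chain each trigger the rule the sandbox reported for the corresponding node. The ancestry walk matters because the compiler is two hops below mshta.exe; a rule that only inspects the direct parent sees csc.exe as a child of powershell.exe, which is also what a developer's build looks like.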
Threat name: Script-WScript.Downloader.Nemucod
Status: Malicious
First seen: 2025-05-12 16:04:14 UTC
File Type: Text (JavaScript)
AV detection: 11 of 37 (29.73%)
Threat level: 3/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method | Signature | File type              | SHA256
Web download    | Formbook  | HTML Application (hta) | b0e440a9658784f649a601bed6a688a44f8c365bc42b0242064dddd704f213cb (this sample)

Delivery method
Distributed via web download
