MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b10d58f2bc40e8bf540081d8464a823821dc93068c9390bafefa5bfd47cab896. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b10d58f2bc40e8bf540081d8464a823821dc93068c9390bafefa5bfd47cab896
SHA3-384 hash: 61bae473f83a283d270779c0c083ad131c0d7469b207f504d096cc30bc3b03fc4c689150de176e6b73bd70198607294d
SHA1 hash: 0ed61709bb8a7cd73d1a25f65095da06971c9d2f
MD5 hash: 0e1d17ff6c3f796bfdfab2e8f717ca08
humanhash: rugby-robin-high-alabama
File name:0e1d17ff6c3f796bfdfab2e8f717ca08.js
Download: download sample
Signature Formbook
Create hunting rule
File size:61'522 bytes
First seen:2026-03-12 19:55:33 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 384:fvIDvaoi76nxjQuq8g+h1E8sh1LqMP7LA36455CPnFy16ep5inQTUPYrwuGqir24:YWxxE6vsZC7
Threatray 2'659 similar samples on MalwareBazaar
TLSH T17C5374BF00A7D84D0D1014EE96C135871E8D81224F784D8B86A7B2D9FB526BB7F27C59
Magika javascript
Reporter abuse_ch
Tags:FormBook js

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.JS.Packed.165.20337.2632.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b31a475a439615ccbfd085
Tags:
obfuscate xtreme shell
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm fingerprint repaired
Link:
https://www.filescan.io/uploads/69b31a71677ac46843a48f11/reports/b58ad7d9-2c88-48c8-b733-908fab60c981/overview
Verdict:
Malicious
Labled as:
JS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/b10d58f2bc40e8bf540081d8464a823821dc93068c9390bafefa5bfd47cab896
Verdict:
Malicious
File Type:
js
Detections:
Trojan-Downloader.SLoad.TCP.ServerRequest Trojan-Downloader.PowerShell.NanoShield.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/b10d58f2bc40e8bf540081d8464a823821dc93068c9390bafefa5bfd47cab896/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1882961
Signature
Connects to a pastebin service (likely for C&C)
Creates processes via WMI
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MSIL Injector
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1882961 Sample: wmF1DHZaZ6.js Startdate: 12/03/2026 Architecture: WINDOWS Score: 100 23 dpaste.com 2->23 25 cnt-logiistics.com 2->25 27 10 other IPs or domains 2->27 39 Suricata IDS alerts for network traffic 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 47 11 other signatures 2->47 8 wscript.exe 1 2->8         started        11 svchost.exe 1 1 2->11         started        signatures3 45 Connects to a pastebin service (likely for C&C) 23->45 process4 dnsIp5 49 Suspicious powershell command line found 8->49 51 Wscript starts Powershell (via cmd or directly) 8->51 53 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->53 55 2 other signatures 8->55 14 powershell.exe 14 17 8->14         started        29 127.0.0.1 unknown unknown 11->29 signatures6 process7 dnsIp8 31 cnt-logiistics.com 152.53.177.75, 443, 49683 NCRENUS United States 14->31 33 pastefy.app 172.67.188.196, 443, 49682 CLOUDFLARENETUS United States 14->33 35 webapp-837091.pythonanywhere.com 35.173.69.207, 443, 49681 AMAZON-AESUS United States 14->35 57 Writes to foreign memory regions 14->57 59 Modifies the context of a thread in another process (thread injection) 14->59 61 Injects a PE file into a foreign processes 14->61 18 MSBuild.exe 14->18         started        21 conhost.exe 14->21         started        signatures9 process10 signatures11 37 Found direct / indirect Syscall (likely to bypass EDR) 18->37
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b10d58f2bc40e8bf540081d8464a823821dc93068c9390bafefa5bfd47cab896
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b10d58f2bc40e8bf540081d8464a823821dc93068c9390bafefa5bfd47cab896/
Verdict:
Malicious
Threat:
Trojan-Downloader.PowerShell.TCP
Link:
https://tip.neiki.dev/file/b10d58f2bc40e8bf540081d8464a823821dc93068c9390bafefa5bfd47cab896
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2026-03-11 18:06:38 UTC
File Type:
Text (JavaScript)
AV detection:
10 of 37 (27.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wegvr4v4idul6vaaqhmemsuchaq5zeygrsjzbox67jn72r6kxcla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1
Formbook
1bc5f2d3c8d9ff144f16a61e4019689ebd77097ca6ac91f86ad1184275d301d6
Formbook
4d2d2c6efbb042ae0af1b79c8cc52237998ec70df56afd418abbacc48d9d3395
Formbook
528eeaa729b13527924b13dc4dfd8264c93535ae8401d8d812c8a5f329dce2ce
Formbook
770165df1cb9509cd4a8b726d1132c0cbf0161d50ee2649fcd27bab024869a6f
Formbook
c506931fb1c4252abed4ab22d82f2ebc88e46f58dd83ddca62b03c5ea6d8dc1e
Formbook
d08410a7c99152b4b46a8f6e686353d0a0a0be18eff6358322b72c28e43bda53
Formbook
dc266cd65df56ade7508b58528c42fde8f42f203c03fa28eecdcd4893a2f4448
Formbook
e6e25f32a6c1307f55d18e48d5d53f3f8c4bbce049480339bc1530b414b195de
Formbook
error
Formbook
f0a98a72b7b1c86ac4ce457e7978a46e8af53393e1007d2fe94306bb042388d1
Formbook
+ 2'649 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/260312-ynwmfadt6k/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Badlisted process makes network request
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b10d58f2bc40e8bf540081d8464a823821dc93068c9390bafefa5bfd47cab896

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments