MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b21946e35eb24a01925c34e3bf45a73b0d4b4a1af64e1b5625521e78200d4a15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10


SHA256 hash: b21946e35eb24a01925c34e3bf45a73b0d4b4a1af64e1b5625521e78200d4a15
SHA3-384 hash: f30a0345fa661aedce12f210803caef508345ae9058fc66597af545f388d0600e40e599fec153fb81f75048e040b095c
SHA1 hash: 929f3ea569f3bb02ae62a41bcd770ff54314ede3
MD5 hash: ad9ed7093a901517fe484abaa7f321b0
humanhash: oven-magazine-twenty-india
File name: P0 #1037596.js
Signature: Formbook
File size: 1'343 bytes
First seen: 2024-09-28 06:24:47 UTC
Last seen: Never
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 24:xivdGURlWQ+i64qN8KUUA8bSHoXJWdwBezcA8txuktup6RyFmz+r8qvxEydZ0E+V:xivdhWrsixuyJWSq4zTV71px
Threatray: 26 similar samples on MalwareBazaar
TLSH: T1962132489CD7C3A5E342D7C7C264CD06C9DFAC996136C11ABA8CDEC63F121F846704AA
Magika: javascript
Reporter: abuse_ch
Tags: FormBook js

Intelligence

File Origin
# of uploads: 1
# of downloads: 404
Origin country: NL

Vendor Threat Intelligence

Verdict: Malicious
Score: 96.5%
Tags: Infostealer Network Stealth Trojan Dropper Tori Msil

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated

Result
Verdict: SUSPICIOUS

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature:
  .NET source code contains potential unpacker
  Antivirus detection for dropped file
  Benign windows process drops PE files
  Injects a PE file into a foreign processes
  JavaScript file contains suspicious strings
  JavaScript source code contains functionality to generate code involving a shell, file or stream
  JScript performs obfuscated calls to suspicious functions
  Machine Learning detection for dropped file
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for dropped file
  Sigma detected: Script Initiated Connection to Non-Local Network
  Sigma detected: WScript or CScript Dropper
  System process connects to network (likely due to code injection or exploit)
  Windows Scripting host queries suspicious COM object (likely to drop second stage)
  Yara detected FormBook
Behaviour:
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2024-09-27 13:59:18 UTC
File Type: Text (VBS)
AV detection: 7 of 24 (29.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: discovery execution
Behaviour:
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Uses Task Scheduler COM API
  Uses Volume Shadow Copy WMI provider
  Uses Volume Shadow Copy service COM API
  Command and Scripting Interpreter: JavaScript
  Enumerates physical storage devices
  Program crash
  System Location Discovery: System Language Discovery
  Suspicious use of SetThreadContext
  Checks computer location settings
  Executes dropped EXE
  Loads dropped DLL
  Blocklisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Detect_Malicious_VBScript_Base64
Author: daniyyell
Description: Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

Rule name: dsc
Author: Aaron DeVera
Description: Discord domains

Rule name: SUSP_Websites
Author: SECUINFRA Falcon Team
Description: Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments