MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2bfe1e49dc61c858d73378a8019a83868f2886fe037066bad16657e118ee643. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2bfe1e49dc61c858d73378a8019a83868f2886fe037066bad16657e118ee643
SHA3-384 hash: 20a9fce73d74b43702a9268cd7192c3ecc67a0390564adcc8558f00db1cfc35f37038480d92b45a473cb4971f092b4c4
SHA1 hash: c7e1d06c4751026a231041aff39db3a33c9629a5
MD5 hash: 28aab0b0e8f038fa45c26e7447533b98
humanhash: skylark-florida-sink-nevada
File name:28aab0b0e8f038fa45c26e7447533b98.hta
Download: download sample
Signature Formbook
Create hunting rule
File size:156'012 bytes
First seen:2024-08-07 06:52:16 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 768:tm6A3yXNA0AGAexHolOPbDRUgFUToWQiXAZO:ta
TLSH T112E35B57D203F539DB1359FBEA7CAF9113D49E8ACE8C964F40AE44199BD0ADB720C086
Reporter abuse_ch
Tags:FormBook hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.JS.Obfus-360.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.26656.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.VBS.Agent-9.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.Obfus-95.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b319d3aa5b40be0a9fbb2a
Tags:
Execution Exploit Generic Network Stealth Trojan
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/b2bfe1e49dc61c858d73378a8019a83868f2886fe037066bad16657e118ee643/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/66b319cfe7dbbbdfcd0a37ba/reports/02fa06dd-f0f9-435a-8b9e-1b8129d61dda/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b2bfe1e49dc61c858d73378a8019a83868f2886fe037066bad16657e118ee643
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike, FormBook
Create hunting rule
Detection:
malicious
Classification:
phis.troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1489297
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Antivirus detection for URL or domain
Detected Cobalt Strike Beacon
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Suspicious command line found
Suspicious powershell command line found
Yara detected AntiVM3
Yara detected FormBook
Yara detected obfuscated html page
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1489297 Sample: RMN4figK37.hta Startdate: 07/08/2024 Architecture: WINDOWS Score: 100 44 171.39.242.20.in-addr.arpa 2->44 56 Multi AV Scanner detection for domain / URL 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Antivirus detection for URL or domain 2->60 62 12 other signatures 2->62 10 mshta.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 dnsIp5 68 Suspicious command line found 10->68 70 PowerShell case anomaly found 10->70 16 cmd.exe 1 10->16         started        48 127.0.0.1 unknown unknown 13->48 signatures6 process7 signatures8 50 Detected Cobalt Strike Beacon 16->50 52 Suspicious powershell command line found 16->52 54 PowerShell case anomaly found 16->54 19 powershell.exe 45 16->19         started        24 conhost.exe 16->24         started        process9 dnsIp10 46 69.166.230.221, 49704, 80 PHMGMT-AS1US United States 19->46 36 C:\Users\user\AppData\Roaming\sahost.exe, PE32 19->36 dropped 38 C:\Users\user\AppData\Local\...\sahost[1].exe, PE32 19->38 dropped 40 C:\Users\user\AppData\...\sswcfhst.cmdline, Unicode 19->40 dropped 64 Loading BitLocker PowerShell Module 19->64 66 Powershell drops PE file 19->66 26 sahost.exe 3 19->26         started        29 csc.exe 3 19->29         started        file11 signatures12 process13 file14 72 Multi AV Scanner detection for dropped file 26->72 74 Machine Learning detection for dropped file 26->74 76 Injects a PE file into a foreign processes 26->76 32 sahost.exe 26->32         started        42 C:\Users\user\AppData\Local\...\sswcfhst.dll, PE32 29->42 dropped 34 cvtres.exe 1 29->34         started        signatures15 process16
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b2bfe1e49dc61c858d73378a8019a83868f2886fe037066bad16657e118ee643
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2bfe1e49dc61c858d73378a8019a83868f2886fe037066bad16657e118ee643/
Threat name:
Script-WScript.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-08-06 17:04:46 UTC
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wk76dze5yyoildltg6fiagnihbupfcdp4a3qm25nczsx4emo4zbq._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
credential_access defense_evasion discovery execution stealer
Link:
https://tria.ge/reports/240807-hnmrjaxcke/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
Credentials from Password Stores: Credentials from Web Browsers
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b2bfe1e49dc6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b2bfe1e49dc61c858d73378a8019a83868f2886fe037066bad16657e118ee643

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

HTML Application (hta) hta b2bfe1e49dc61c858d73378a8019a83868f2886fe037066bad16657e118ee643

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3093232/
  
Delivery method
Distributed via web download

Comments