MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d17fb30415089f60d847648d73f98438977a7dbcdcacbdcfc9054fb39557f1d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 9



SHA256 hash: d17fb30415089f60d847648d73f98438977a7dbcdcacbdcfc9054fb39557f1d0
SHA3-384 hash: 0fc25eae505e92fa8f8967b74d7f442d1f1ed6a63b819588ee7a8991eb5b0d4ebf273fe9a78ae2a91e696f93f0c2f803
SHA1 hash: 89799648211cca94a30f88bd39381364ec84c5b0
MD5 hash: 10caf80a031af75173afb598d1a33abc
humanhash: xray-equal-cup-stairway
File name: greatnewforeverybodythingsgood.hta
Signature: Formbook
File size: 28'492 bytes
First seen: 2025-05-15 18:42:12 UTC
Last seen: 2025-05-17 21:26:04 UTC
File type: HTML Application (hta)
MIME type: text/html
ssdeep: 96:/Do2PIg1IyPI5foIRaqngkU1VxiWt9P8PoDKDVFIL4nPIw9:/sjg1I/toIRaNB9KDVFIL4Am
TLSH: T19DD248EAD7AABD86CD53BA2EF5386314415D192DC8BAC884FA41700698E4345F5F0ECF
Magika: txt
Reporter: abuse_ch
Tags: FormBook hta

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 107
Origin country: DE
Vendor Threat Intelligence

Verdict: Malicious
Score: 94.9%
Tags: vmdetect autoit emotet

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: masquerade

Result
Threat name: Cobalt Strike, FormBook
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
Binary is likely a compiled AutoIt script file
Detected Cobalt Strike Beacon
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Powershell decode and execute
Behaviour
Behavior Graph ID: 1691121
Sample: greatnewforeverybodythingsg...
Start date: 15/05/2025
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the behavior graph (node IDs in parentheses; each process lists its network indicators, dropped files and triggered signatures):

Sample (node 2)
  Network: www.fasadmebelchelny.store; www.powerplants.info; 3 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 6 other signatures
  Started: mshta.exe (14)
    Signatures: Suspicious command line found; PowerShell case anomaly found
    Started: cmd.exe (17)
      Signatures: Detected Cobalt Strike Beacon; Suspicious powershell command line found; PowerShell case anomaly found
      Started: conhost.exe (25)
      Started: powershell.exe (20)
        Network: 208.89.61.141, ports 49719, 80 (AXCELX-NETUS, United States)
        Dropped: C:\Users\user\AppData\Local\...\TiWorker.exe (PE32); C:\Users\user\AppData\...\TiWorker[1].exe (PE32); C:\Users\user\AppData\...\ewe02iwa.cmdline (Unicode)
        Signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
        Started: csc.exe (30)
          Dropped: C:\Users\user\AppData\Local\...\ewe02iwa.dll (PE32)
          Started: cvtres.exe (36)
        Started: TiWorker.exe (27)
          Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
          Started: svchost.exe (33)
            Signatures: Maps a DLL or memory area into another process
            Injected: 6u7Pu3BwDMT9bMpLaASE.exe (38)
              Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              Started: tzutil.exe (41)
                Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                Started: chrome.exe (48)
                  Started: WerFault.exe (52)
                Started: firefox.exe (50)
                Injected: 6u7Pu3BwDMT9bMpLaASE.exe (44)
                  Network: www.fasadmebelchelny.store -> 103.224.182.242, ports 49726, 49727, 49728 (TRELLIAN-AS-AP Trellian Pty Limited AU, Australia); www.powerplants.info -> 141.8.194.53, port 80 (SPRINTHOSTRU, Russian Federation); 2 other IPs or domains
                  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
Threat name: Script-WScript.Trojan.Asthma
Status: Malicious
First seen: 2025-05-15 12:17:32 UTC
File type: Text (JavaScript)
AV detection: 8 of 24 (33.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Formbook
File type: HTML Application (hta)
SHA256: d17fb30415089f60d847648d73f98438977a7dbcdcacbdcfc9054fb39557f1d0 (this sample)

Delivery method
Distributed via web download
