MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2eddef5ba0fdb55dc5422ccbee60d219dd23f56f22b446d9a65ac934c3ce2b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments

SHA256 hash: d2eddef5ba0fdb55dc5422ccbee60d219dd23f56f22b446d9a65ac934c3ce2b8
SHA3-384 hash: 14192df399c3c3ce5cf19142979fdc3e9b6ccc873c34ea04b62b2ad98db2773f000b6df745d8f31429e181ce872a5586
SHA1 hash: 52e7bb286f38365cfa574f5011baf597c3c7cc40
MD5 hash: 3d5d57127992708abdcf252c49c2e367
humanhash: dakota-batman-summer-vegan
File name:USD 184,724.JS
Download: download sample
Signature Formbook
File size:334'526 bytes
First seen:2026-07-16 06:59:28 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 6144:otND5R73E20zBbEIMnaxrbXnQUtEUyTsU66LHt1+cF6BO4YS+ObkgTpU+65roJPJ:k5A3uUNENP6+Ht1+o6BO9S+ObkgTpU+x
TLSH T11064654423D0B9D443C75B7BBA2FA9FDF56A6CC572844487E204F960F8B6206EDE1A34
Magika javascript
Reporter abuse_ch
Tags:FormBook js

Intelligence


File Origin
# of uploads :
1
# of downloads :
123
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
81.4%
Tags:
shellcode shell spawn
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
aspnet_compiler base64 encrypted evasive evasive lolbin obfuscated obfuscated reconnaissance repaired
Verdict:
Malicious
Labled as:
SVM:TrojanDownloader/JS.Nemucod
Verdict:
Malicious
File Type:
js
First seen:
2026-07-16T01:54:00Z UTC
Last seen:
2026-07-16T03:00:00Z UTC
Hits:
~100
Result
Threat name:
FormBook
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Joe Sandbox ML detected suspicious sample
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential obfuscated javascript found
Queues an APC in another process (thread injection)
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1943364 Sample: USD 184,724.JS.js Startdate: 16/07/2026 Architecture: WINDOWS Score: 100 45 www.savemyvideos.digital 2->45 47 www.ongikarprotidin.com 2->47 49 19 other IPs or domains 2->49 67 Suricata IDS alerts for network traffic 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for URL or domain 2->71 73 9 other signatures 2->73 11 wscript.exe 21 2->11         started        signatures3 process4 dnsIp5 51 lucciodontologiaintegrada.com.br 192.185.215.107, 443, 49712 NETWORK-SOLUTIONS-HOSTING-NetworkSolutionsLLCUS Brazil 11->51 81 System process connects to network (likely due to code injection or exploit) 11->81 83 JScript performs obfuscated calls to suspicious functions 11->83 85 Wscript starts Powershell (via cmd or directly) 11->85 87 4 other signatures 11->87 15 powershell.exe 16 11->15         started        signatures6 process7 signatures8 97 Writes to foreign memory regions 15->97 99 Injects a PE file into a foreign processes 15->99 18 aspnet_compiler.exe 15->18         started        21 aspnet_compiler.exe 15->21         started        23 conhost.exe 15->23         started        25 28 other processes 15->25 process9 signatures10 53 Modifies the context of a thread in another process (thread injection) 18->53 55 Maps a DLL or memory area into another process 18->55 57 Queues an APC in another process (thread injection) 18->57 59 Found direct / indirect Syscall (likely to bypass EDR) 18->59 27 6CiLyNRFFFF.exe 18->27 injected 61 Unusual module load detection (module proxying) 21->61 63 Switches to a custom stack to bypass stack traces 21->63 process11 signatures12 75 Binary is likely a compiled AutoIt script file 27->75 77 Maps a DLL or memory area into another process 27->77 79 Found direct / indirect Syscall (likely to bypass EDR) 27->79 30 timeout.exe 13 27->30         started        process13 signatures14 89 Tries to steal Mail credentials (via file / registry access) 30->89 91 Tries to harvest and steal browser information (history, passwords, etc) 30->91 93 Modifies the context of a thread in another process (thread injection) 30->93 95 3 other signatures 30->95 33 aq3usZOtROfK4.exe 30->33 injected 37 firefox.exe 30->37         started        process15 dnsIp16 39 www.finanzloewen.com 130.185.109.77, 49751, 49752, 49753 XIRRADE Germany 33->39 41 www.amlgames.site 89.110.89.25, 49743, 49744, 49745 VDSINA-ASRU Russia 33->41 43 11 other IPs or domains 33->43 65 Binary is likely a compiled AutoIt script file 33->65 signatures17
Gathering data
Threat name:
Win32.Dropper.Generic
Status:
Suspicious
First seen:
2026-07-16 07:11:30 UTC
AV detection:
6 of 24 (25.00%)
Threat level:
  3/5
Verdict:
malicious
Label(s):
fantomcrypt
Similar samples:
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Behaviour
Command and Scripting Interpreter: JavaScript
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_obfuscated_JS_obfuscatorio
Author:@imp0rtp3
Description:Detect JS obfuscation done by the js obfuscator (often malicious)
Reference:https://obfuscator.io

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments