MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5ee487c616532dab3c06755f8df4d201072d815e687f7e495b24781172f8313. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	d5ee487c616532dab3c06755f8df4d201072d815e687f7e495b24781172f8313
SHA3-384 hash:	f22fb24c4ee5f2b1acdef8a4629ae627726a15d44a9f077c2d39184f12d97919cc8db4cf81e755d35f3401f5dfd5f5b9
SHA1 hash:	e6e7e6abdcdd40d52ae74ab6604bb7667b57fdd1
MD5 hash:	c58de2200934510c52e700b155a7f4b4
humanhash:	twenty-asparagus-texas-floor
File name:	Quotation.js
Download:	download sample
Signature	Formbook Create hunting rule
File size:	2'124'812 bytes
First seen:	2025-10-14 13:45:23 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	24576:W4chRU7p6tJShYGCjoY+3flJohFG/Yp7Sq4+FsZoO9P/6IXB43D49fPJlgyng3jJ:jUShdCjoRPoyg7FsZxRM7G1cb
Threatray	2'086 similar samples on MalwareBazaar
TLSH	T183A5E0348D1AAC4A3FAD49C748DC2DC54D6C1B93822C97F89B4C737A62AD5119EED0BC
Magika	vba
Reporter	abuse_ch
Tags:	FormBook js

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ee543a97a16d00a8d9df3d

Tags:

delphi spawn virus blic

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug base64 dropper fingerprint keylogger obfuscated obfuscated packed packed redcap

Link:

https://www.filescan.io/uploads/68ee561f71883144ef3674b9/reports/a5cd0d17-6915-4d1c-8e49-6136deedc115/overview

Verdict:

Malicious

Labled as:

GT:JS.Cbum.1

Link:

https://www.hybrid-analysis.com/sample/d5ee487c616532dab3c06755f8df4d201072d815e687f7e495b24781172f8313

Verdict:

Malicious

File Type:

First seen:

2025-10-14T04:37:00Z UTC

Last seen:

2025-10-16T03:42:00Z UTC

Hits:

~100

Detections:

Trojan-Spy.Win32.Noon.sb Trojan-PSW.Win32.Stealer.sb Trojan-Dropper.JS.SDrop.sb Trojan-Downloader.JS.Cryptoload.sb HEUR:Trojan.Script.SAgent.gen HEUR:Trojan.Script.Generic PDM:Trojan.Win32.Generic HEUR:Trojan-PSW.Win32.DarkCloud.gen

Link:

https://opentip.kaspersky.com/d5ee487c616532dab3c06755f8df4d201072d815e687f7e495b24781172f8313/results?tab=lookup

Result

Threat name:

DBatLoader, FormBook

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1794913

Signature

Allocates many large memory junks

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Benign windows process drops PE files

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Detected unpacking (changes PE section rights)

Drops PE files to the user root directory

Joe Sandbox ML detected suspicious sample

JScript performs obfuscated calls to suspicious functions

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

Sigma detected: WScript or CScript Dropper

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected DBatLoader

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/d5ee487c616532dab3c06755f8df4d201072d815e687f7e495b24781172f8313

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d5ee487c616532dab3c06755f8df4d201072d815e687f7e495b24781172f8313/

Verdict:

Malicious

Threat:

Family.MODILOADER

Link:

https://tip.neiki.dev/file/d5ee487c616532dab3c06755f8df4d201072d815e687f7e495b24781172f8313

Threat name:

Script-JS.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-10-14 13:32:09 UTC

File Type:

Text

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2xxeq7dbmuznvm6am5k7rx2neaihfwav42d7pzevwjdycfzpqmjq._file

Verdict:

malicious

Label(s):

dbatloader

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:formbook family:modiloader discovery execution rat spyware stealer trojan

Link:

https://tria.ge/reports/251014-q737mabj7s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Formbook payload

ModiLoader Second Stage

Formbook

Formbook family

ModiLoader, DBatLoader

Modiloader family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/d5ee487c616532dab3c06755f8df4d201072d815e687f7e495b24781172f8313

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample