MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6d6f9c0160cf7bfa97097f58f6acf8cafc8bd657b7aebbd326fea05e9bc3165. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6d6f9c0160cf7bfa97097f58f6acf8cafc8bd657b7aebbd326fea05e9bc3165
SHA3-384 hash: a010454a01b0e6909951b77c0dd5493a0266b5fb94338fe70e7e4d5200b012b6ce77b995fefb4c4e79fedd99a656bdaa
SHA1 hash: 26a89db4d0fb5cc3eee4a64fe91a7312f6a47664
MD5 hash: a44b67d4e2626557bbbc11f3e50c258c
humanhash: johnny-butter-uranus-princess
File name:RFQ 11062026.js
Download: download sample
Signature Formbook
Create hunting rule
File size:2'590'099 bytes
First seen:2026-06-11 15:08:35 UTC
Last seen:2026-06-15 12:59:41 UTC
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 768:MNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNS:H
Threatray 124 similar samples on MalwareBazaar
TLSH T110C58F83944D4C272535D7C024C43BA8BEB999FC18E788697D639FE231859CE98F5C3A
Magika javascript
Reporter lowmal3
Tags:FormBook js

Intelligence

File Origin
# of uploads :
6
# of downloads :
152
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
Sanesecurity.Malware.32320.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2aa9bea15110463ee4c61b
Tags:
obfuscate autorun xtreme blic
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
repaired
Link:
https://www.filescan.io/uploads/6a2acfb08161ac6cb55f2cf3/reports/9c2fea87-ec9e-47da-b263-61a53191c72c/overview
Verdict:
Malicious
Labled as:
VBS/Agent.TKB trojan
Link:
https://www.hybrid-analysis.com/sample/d6d6f9c0160cf7bfa97097f58f6acf8cafc8bd657b7aebbd326fea05e9bc3165
Verdict:
Malicious
File Type:
js
First seen:
2026-06-11T06:24:00Z UTC
Last seen:
2026-06-13T05:29:00Z UTC
Hits:
~1000
Detections:
Trojan.VBS.SAgent.sb PDM:Trojan.Win32.Generic Trojan.JS.SAgent.sb HEUR:Trojan.Script.Startup.gen HEUR:Trojan.Script.Generic HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/d6d6f9c0160cf7bfa97097f58f6acf8cafc8bd657b7aebbd326fea05e9bc3165/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1926703
Signature
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates processes via WMI
Drops script or batch files to the startup folder
Injects a PE file into a foreign processes
JavaScript source code contains functionality to generate code involving a shell, file or stream
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1926703 Sample: RFQ 11062026.js Startdate: 11/06/2026 Architecture: WINDOWS Score: 100 58 www.tradedsglobal.com 2->58 60 www.rnlforce.com 2->60 62 9 other IPs or domains 2->62 82 Suricata IDS alerts for network traffic 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 Antivirus detection for URL or domain 2->86 88 10 other signatures 2->88 11 powershell.exe 14 16 2->11         started        15 wscript.exe 1 3 2->15         started        18 wscript.exe 1 2->18         started        signatures3 process4 dnsIp5 70 tradedsglobal.com 45.136.5.4, 49715, 49723, 49724 AS-PIXOOFTR Turkey 11->70 100 Writes to foreign memory regions 11->100 102 Injects a PE file into a foreign processes 11->102 104 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 11->104 20 CasPol.exe 11->20         started        23 conhost.exe 11->23         started        54 C:\Users\...\RFQ 11062026.js:Zone.Identifier, ASCII 15->54 dropped 56 C:\Users\user\AppData\...\RFQ 11062026.js, Unicode 15->56 dropped 106 Suspicious powershell command line found 15->106 108 Wscript starts Powershell (via cmd or directly) 15->108 110 Drops script or batch files to the startup folder 15->110 112 3 other signatures 15->112 25 powershell.exe 18->25         started        file6 signatures7 process8 signatures9 90 Maps a DLL or memory area into another process 20->90 92 Unusual module load detection (module proxying) 20->92 27 J0FzIot87vMo.exe 20->27 injected 94 Writes to foreign memory regions 25->94 96 Injects a PE file into a foreign processes 25->96 30 CasPol.exe 25->30         started        32 conhost.exe 25->32         started        process10 signatures11 98 Maps a DLL or memory area into another process 27->98 34 comp.exe 13 27->34         started        37 psr.exe 27->37         started        39 mjdBzFOte1k.exe 30->39 injected process12 signatures13 72 Tries to steal Mail credentials (via file / registry access) 34->72 74 Tries to harvest and steal browser information (history, passwords, etc) 34->74 76 Modifies the context of a thread in another process (thread injection) 34->76 80 3 other signatures 34->80 41 F6KcNRj8G.exe 34->41 injected 44 chrome.exe 34->44         started        46 firefox.exe 34->46         started        78 Maps a DLL or memory area into another process 39->78 48 comp.exe 39->48         started        50 psr.exe 39->50         started        process14 dnsIp15 64 www.onyudental.co.kr 218.38.12.152, 49727, 80 SKB-ASSKBroadbandCoLtdKR South Korea 41->64 66 www.flipmoneyapp.com 88.208.252.9, 49729, 49730, 49731 IONOS-ASThisisthejointnetworkforIONOSFasthostsArsys11MailandMediaand11TelecomFormerlyknownas11InternetSEDE United Kingdom 41->66 68 4 other IPs or domains 41->68 52 WerFault.exe 4 44->52         started        process16
Score:
7%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/d6d6f9c0160cf7bfa97097f58f6acf8cafc8bd657b7aebbd326fea05e9bc3165
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6d6f9c0160cf7bfa97097f58f6acf8cafc8bd657b7aebbd326fea05e9bc3165/
Verdict:
Malicious
Threat:
Family.REVERSELOADER
Link:
https://tip.neiki.dev/file/d6d6f9c0160cf7bfa97097f58f6acf8cafc8bd657b7aebbd326fea05e9bc3165
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-06-11 12:27:46 UTC
File Type:
Binary
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=23lptqawbt337klqs72y62wprsx4rplfpn5oxpjsn7val2n4gfsq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
072001c16c0663baaefe3741453b288bf13f38e9faf43a693fae3bed70a6dfba
Formbook
072390f5cd7fcc48e7f9c622adadbb70e58ec12ec3740897ce267e075a27033e
Formbook
1dd645d051d6f65180033662ce1e9dbc1d5a28ec8bd3d1298746903d537cff38
Formbook
2f73a285521422b982102ab6755a503efeb36a1719da5b8f3153e094220f5300
Formbook
34176dbfc22053f8b953daa3176bd55ec642f8e23adfae9431b35e6d97d5984b
Formbook
7260bf9530e349bb1e8037739ca6ef4c28404f305f70f44087a6156f0c32c678
Formbook
788919bf34d3a23ab0480f0d86627aed25101822f71e0c0037f09b0ced427a5a
Formbook
92354fb4e971d88d3b4aee3e946ad8364f7a302de82acaa1ea7bcb233b2c463e
Formbook
ba6191d098d270dc482e37488db22600e3014b2ccbbd64eab9d259733aaa90d4
Formbook
cc9404c26313da4d1c83f107c793edd68da52378d48328d27da16ad72b51b4e3
Formbook
error
Formbook
+ 114 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook execution rat spyware stealer trojan
Link:
https://tria.ge/reports/260611-sh83paf18y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Family: Formbook
Formbook payload
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://tradedsglobal.com/optimized_MSIlatino.png
Malware family:
BabelVM
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d6d6f9c0160c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/d6d6f9c0160cf7bfa97097f58f6acf8cafc8bd657b7aebbd326fea05e9bc3165

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Java Script (JS) js d6d6f9c0160cf7bfa97097f58f6acf8cafc8bd657b7aebbd326fea05e9bc3165

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments