MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8e2e089aea4a76bbd0ec55ab5530d38c9e84014a305e195242ce0dbbc38e2db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8e2e089aea4a76bbd0ec55ab5530d38c9e84014a305e195242ce0dbbc38e2db
SHA3-384 hash: 6faba5ec1a2aaa00fa4b757c523d372da20f687233b924238b8321daf3650b8ed6dd443c4c6a66c0745dd546a3b12790
SHA1 hash: efa8a6c5d3a23d99b09fb8de5f148b7a512ae32a
MD5 hash: 192e0bdf7feab112b198a711e6cac2a5
humanhash: orange-zulu-oregon-missouri
File name:wetreatedthemwellwithgreatnesssgoodformebestsettingsforbetterfuture.hta
Download: download sample
Signature Formbook
Create hunting rule
File size:13'279 bytes
First seen:2025-06-01 11:24:23 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:3VQ18CgQrJG8CxsQ+vzNHOmMsAMA4wUXwRkd1SLqq+S8Cp3QuPG:yWK3zHNumMsAM+UXBfu+
Threatray 134 similar samples on MalwareBazaar
TLSH T1B652540B6D70EF1AC34522B4A6CC9CE5B5EC8B7F84055513B0AC0149A3B57ED8DDA283
Magika txt
Reporter skocherhan
Tags:208-89-63-13 FormBook hta


Avatar
skocherhan
http://208.89.63.13/xampp/komo/wetreatedthemwellwithgreatnesssgoodformebestsettingsforbetterfuture.hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
GB GB
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Starter.408.22357.24522.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683c3b30668438e362e9b48d
Tags:
trojan shell sage
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/e8e2e089aea4a76bbd0ec55ab5530d38c9e84014a305e195242ce0dbbc38e2db/results/dashboard
Payload URLs
URL
File name
http://208.89.63.13/700/TiWorker.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e8e2e089aea4a76bbd0ec55ab5530d38c9e84014a305e195242ce0dbbc38e2db
Result
Threat name:
Cobalt Strike, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1703309
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Detected Cobalt Strike Beacon
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
PowerShell case anomaly found
Powershell drops PE file
Queries Google from non browser process on port 80
Queues an APC in another process (thread injection)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses threadpools to delay analysis
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1703309 Sample: wetreatedthemwellwithgreatn... Startdate: 01/06/2025 Architecture: WINDOWS Score: 100 67 www.play-whisper-forge.xyz 2->67 69 paste.ee 2->69 71 8 other IPs or domains 2->71 85 Suricata IDS alerts for network traffic 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Multi AV Scanner detection for dropped file 2->89 95 13 other signatures 2->95 14 mshta.exe 1 2->14         started        17 wscript.exe 2->17         started        signatures3 91 Performs DNS queries to domains with low reputation 67->91 93 Connects to a pastebin service (likely for C&C) 69->93 process4 signatures5 111 Suspicious command line found 14->111 113 PowerShell case anomaly found 14->113 19 cmd.exe 1 14->19         started        process6 signatures7 97 Detected Cobalt Strike Beacon 19->97 99 Suspicious powershell command line found 19->99 101 PowerShell case anomaly found 19->101 103 Switches to a custom stack to bypass stack traces 19->103 22 powershell.exe 45 19->22         started        27 conhost.exe 19->27         started        process8 dnsIp9 79 208.89.63.13, 49692, 80 AXCELX-NETUS United States 22->79 61 C:\Users\user\AppData\Local\...\TiWorker.exe, PE32 22->61 dropped 63 C:\Users\user\AppData\...\TiWorker[1].exe, PE32 22->63 dropped 65 C:\Users\user\AppData\...\44mvf5cy.cmdline, Unicode 22->65 dropped 107 Loading BitLocker PowerShell Module 22->107 109 Powershell drops PE file 22->109 29 TiWorker.exe 15 6 22->29         started        33 csc.exe 3 22->33         started        file10 signatures11 process12 dnsIp13 81 paste.ee 23.186.113.60, 443, 49694, 49696 KLAYER-GLOBALNL Reserved 29->81 83 ia800101.us.archive.org 207.241.232.11, 443, 49693 INTERNET-ARCHIVEUS United States 29->83 115 Multi AV Scanner detection for dropped file 29->115 117 Writes to foreign memory regions 29->117 119 Allocates memory in foreign processes 29->119 121 5 other signatures 29->121 36 cmd.exe 29->36         started        39 cmd.exe 1 29->39         started        59 C:\Users\user\AppData\Local\...\44mvf5cy.dll, PE32 33->59 dropped 41 cvtres.exe 1 33->41         started        file14 signatures15 process16 signatures17 105 Maps a DLL or memory area into another process 36->105 43 7eYyn2IcxSKl5.exe 36->43 injected 45 conhost.exe 39->45         started        process18 process19 47 cmd.exe 13 43->47         started        signatures20 123 Tries to steal Mail credentials (via file / registry access) 47->123 125 Tries to harvest and steal browser information (history, passwords, etc) 47->125 127 Modifies the context of a thread in another process (thread injection) 47->127 129 2 other signatures 47->129 50 HQSApY2eU.exe 47->50 injected 53 chrome.exe 47->53         started        55 firefox.exe 47->55         started        process21 dnsIp22 73 fourexclothing.shop 84.32.84.32, 49703, 49704, 49705 NTT-LT-ASLT Lithuania 50->73 75 www.gametracker.com 104.17.75.22, 49697, 80 CLOUDFLARENETUS United States 50->75 77 3 other IPs or domains 50->77 57 WerFault.exe 53->57         started        process23
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/e8e2e089aea4a76bbd0ec55ab5530d38c9e84014a305e195242ce0dbbc38e2db
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e8e2e089aea4a76bbd0ec55ab5530d38c9e84014a305e195242ce0dbbc38e2db/
Threat name:
Script-WScript.Trojan.Asthma
Create hunting rule
Status:
Malicious
First seen:
2025-05-28 06:37:00 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
13 of 38 (34.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5drobcnoustwxpioyvnlkuynhde6qqauumc6dfjeftqnxpby4lnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
123ef9f91735fa6c4b35a8c68175db0c9be5a84d2ce21e9cd5c4aceec8b25f23
Formbook
1647ef778a94d0cd84ea714757b85c6f62ba9881a0403af8173227808d4a9aa3
Formbook
5331d1eadb8b8727b21f368f5c8edb92b368d88e70c4d76e33f46fe6b55ee0d7
Formbook
96bcd835d13f775f2e1157ba7f4030fabf7e60196b2f511bc67e80ee0e1b6cc0
Formbook
96c21f37b09bea691324579696c175d6a69b960e4010697c7ca1e012eb1300c4
Formbook
a432bcc6e9b898d5bd0d40f24e9c4cbf1b19c2d9de3b1179e5a86216132258d6
Formbook
aa09d38ea66f08ab6306c26b2c3f736450be10e997d0ce8c9c51da056949e6bc
Formbook
b285dad42226c71af623cca37ee52675f265c227f5761033634e72186afc6c61
Formbook
ec35d1cc7941458cc79762055979eff1d904d3d420d8c63b2f7b660657723930
Formbook
error
Formbook
+ 124 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution spyware stealer
Link:
https://tria.ge/reports/250601-nkdx4swry9/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8e2e089aea4a76bbd0ec55ab5530d38c9e84014a305e195242ce0dbbc38e2db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

2ed48855a394621a08fe81cd8bc04e89

Formbook

HTML Application (hta) hta e8e2e089aea4a76bbd0ec55ab5530d38c9e84014a305e195242ce0dbbc38e2db

(this sample)

unknown 453f4775e1c8c08c2baae39011bb2a482360f68f4ac92205a31ed4b3d82601d8

  
Dropped by
MD5 2ed48855a394621a08fe81cd8bc04e89
  
Dropping
SHA256 453f4775e1c8c08c2baae39011bb2a482360f68f4ac92205a31ed4b3d82601d8
  
Dropping
MD5 dd5dcddfcc4362f314c606b51c2d32ed
  
Dropping
SHA256 77828c66318cfe3e96b2afa44d91c211827cde258103c900bfc1138a48656cf0
  
Dropping
MD5 30b717600cfec059fe0c43fca072e05a

Comments