MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eac0fc1901075a05e87655aac968b3b8595c771747340ad4cc79d4b0f3acdddb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eac0fc1901075a05e87655aac968b3b8595c771747340ad4cc79d4b0f3acdddb
SHA3-384 hash: f59efeda9e7cac01aa24891243a0752b279769df26b163d453134971fd834082daa521502cfdf2e866b5f2920ea057b3
SHA1 hash: f57acf51be47f685cf78c70e0c380163918d4a4c
MD5 hash: d588b40f7fbf15af9f1a4af0fc7a1cca
humanhash: music-snake-six-mexico
File name:glued.hta
Download: download sample
Signature Formbook
Create hunting rule
File size:10'337 bytes
First seen:2024-11-09 12:06:09 UTC
Last seen:2025-02-21 11:36:35 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:E7WZCJFZgAQFG5NQFN5nMlsPcNb18c1c182HgY84cIfCND6JEzLH0oc1c1Ga55Eg:Gt148cW5rqkn
Threatray 142 similar samples on MalwareBazaar
TLSH T19722F0E18252EBFF36D72DD5C407B08F9548C3E7605BB0E4B9D2941D9B6F8E18848DA2
Magika vba
Reporter abuse_ch
Tags:FormBook hta

Intelligence

File Origin
# of uploads :
3
# of downloads :
4'264
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.17498.22909.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=672f50836c614f3030a3c91f
Tags:
valyria gumen
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/eac0fc1901075a05e87655aac968b3b8595c771747340ad4cc79d4b0f3acdddb/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper packed powershell
Link:
https://www.filescan.io/uploads/672f5067f89762b373f3b43a/reports/077a520f-8e67-4494-9b59-86c0df462333/overview
Verdict:
Malicious
Labled as:
Valyria
Link:
https://www.hybrid-analysis.com/sample/eac0fc1901075a05e87655aac968b3b8595c771747340ad4cc79d4b0f3acdddb
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1552801
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1552801 Sample: glued.hta Startdate: 09/11/2024 Architecture: WINDOWS Score: 100 49 www.joyesi.xyz 2->49 51 www.techchains.info 2->51 53 17 other IPs or domains 2->53 59 Suricata IDS alerts for network traffic 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 67 6 other signatures 2->67 11 mshta.exe 1 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 65 Performs DNS queries to domains with low reputation 49->65 process4 dnsIp5 79 Suspicious powershell command line found 11->79 17 powershell.exe 15 17 11->17         started        55 127.0.0.1 unknown unknown 14->55 signatures6 process7 dnsIp8 41 armanayegh.com 185.94.96.102, 49704, 80 NETMIHANIR Iran (ISLAMIC Republic Of) 17->41 39 C:\Users\user\AppData\Roaming\bin.exe, PE32 17->39 dropped 69 Powershell drops PE file 17->69 22 bin.exe 17->22         started        25 conhost.exe 17->25         started        file9 signatures10 process11 signatures12 71 Antivirus detection for dropped file 22->71 73 Multi AV Scanner detection for dropped file 22->73 75 Machine Learning detection for dropped file 22->75 77 Maps a DLL or memory area into another process 22->77 27 BFXigZNUgUTIkOxscUFddEDXBVrWI.exe 22->27 injected process13 signatures14 81 Found direct / indirect Syscall (likely to bypass EDR) 27->81 30 netbtugc.exe 13 27->30         started        process15 signatures16 83 Tries to steal Mail credentials (via file / registry access) 30->83 85 Tries to harvest and steal browser information (history, passwords, etc) 30->85 87 Modifies the context of a thread in another process (thread injection) 30->87 89 3 other signatures 30->89 33 BFXigZNUgUTIkOxscUFddEDXBVrWI.exe 30->33 injected 37 firefox.exe 30->37         started        process17 dnsIp18 43 www.rssnewscast.com 91.195.240.94, 49992, 49993, 49994 SEDO-ASDE Germany 33->43 45 elettrosistemista.zip 195.110.124.133, 50000, 50001, 50002 REGISTER-ASIT Italy 33->45 47 5 other IPs or domains 33->47 57 Found direct / indirect Syscall (likely to bypass EDR) 33->57 signatures19
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/eac0fc1901075a05e87655aac968b3b8595c771747340ad4cc79d4b0f3acdddb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eac0fc1901075a05e87655aac968b3b8595c771747340ad4cc79d4b0f3acdddb/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2024-05-25 23:42:15 UTC
File Type:
Text (VBS)
AV detection:
18 of 38 (47.37%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5lapygiba5nal2dwkwvms2ftxbmvy5yxi42avvgmphklb45m3xnq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3b672a1db47d46f3a8d50d569b684697b7cb0e076050cac81f2bcdb36b3a72cd
Formbook
412fa4b7e3501663a221ed568464de11f33c95b760fb49d8ae3792862cd2d4e6
Formbook
59f149ffc55554ce0aac7072bba999b5abb83b023486e017f407883f8a27e4e2
Formbook
77e14caae3daf05c1f5a6a3d10e4936cc58944d6ae9ec6943b1be6d995e94b5c
Formbook
9f07c02b13a50bb84630841a7a9876c9ced2ab66d406c54f4673c88e7cd70bb4
Formbook
error
Formbook
f2840d65ddee6a875210f31349e18385cbc9bca229666fc822642b546077e210
Formbook
+ 132 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/241109-paay5stglr/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/eac0fc1901075a05e87655aac968b3b8595c771747340ad4cc79d4b0f3acdddb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

HTML Application (hta) hta eac0fc1901075a05e87655aac968b3b8595c771747340ad4cc79d4b0f3acdddb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3283570/
  
Delivery method
Distributed via web download

Comments