MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4be2ea5af9a53bf4f0b19c4ffdf7b4578691b901869dc7635b1670a4b70bbdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Formbook
Vendor detections: 13

SHA256 hash: f4be2ea5af9a53bf4f0b19c4ffdf7b4578691b901869dc7635b1670a4b70bbdb
SHA3-384 hash: d9c84e19283cfcb74b8ca8219aa45fbfaba1af8bcefabb1198dd498bd0fdf7d864f46deddd0c65badde654bbbf9c96a1
SHA1 hash: 16b256dca7e77ffd40b882716efb55e2f7ea2a37
MD5 hash: 7e9d69b6f2d881dd6fd34f9de9a22cf9
humanhash: blue-may-failed-potato
File name: ADA MED ADTIP REF 704405 ANTREPO DEVİR 04,06,2026 .js
Signature: Formbook
File size: 36'368 bytes
First seen: 2026-06-05 08:33:53 UTC
Last seen: Never
File type: Java Script (JS) js
MIME type: text/plain
ssdeep: 384:zjDP4pocNUwWFF0aaMbUfArVmFSAwyWaYPcDhD11IBStj+lI2Lof7Wm9SVrlf0Vs:3zcoEUwu8VohS5tj00x9STf0VZO
TLSH: T1A9F253893BCDF1E14626B46B3F2BB496F12F4C81724C4484F36970C8F9B8718C9766A9
Magika: javascript
Reporter: abuse_ch
Tags: FormBook js

Intelligence

File Origin
# of uploads: 1
# of downloads: 131
Origin country: SE
Vendor Threat Intelligence

No detections

Verdict: Malicious
Score: 94.9%
Tags: shellcode vmdetect shell spawn

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive obfuscated repaired

Verdict: Malicious
File Type: js
First seen: 2026-06-05T04:37:00Z UTC
Last seen: 2026-06-07T06:09:00Z UTC
Hits: ~1000
Detections: Trojan.Win32.Agent.sb Trojan.PowerShell.Cobalt.sb Trojan.JS.SAgent.sb Trojan-Downloader.Agent.HTTP.C&C HEUR:Trojan.Script.Generic Trojan-PSW.Fareit.HTTP.ServerRequest PDM:Trojan.Win32.Generic Trojan-Downloader.JS.SLoad.sb HEUR:Trojan-Downloader.Script.Generic

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 76 / 100
Signature:
Antivirus detection for URL or domain
Found potential dummy code loops (likely to delay analysis)
JavaScript source code contains functionality to generate code involving a shell, file or stream
JavaScript source code contains functionality to generate code involving HTTP requests or file downloads
Multi AV Scanner detection for submitted file
Potential obfuscated javascript found
Sigma detected: WScript or CScript Dropper

Threat name: Script-JS.Trojan.DarkCloud
Status: Malicious
First seen: 2026-06-05 08:04:59 UTC
File Type: Text (JavaScript)
AV detection: 12 of 38 (31.58%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook adware collection discovery execution rat spyware stealer trojan
Behaviour:
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
System Location Discovery: System Language Discovery
ConfuserEx .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Badlisted process makes network request
Family: Formbook
Formbook payload

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments