MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9430e6f7fd4b2b62103cefb6766ce04b07e1be79b24ee7cdab934b913388335. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	f9430e6f7fd4b2b62103cefb6766ce04b07e1be79b24ee7cdab934b913388335
SHA3-384 hash:	c2a7776920b1f9e850b3a14f596693a6e84bdccd2f8c1ca4736030e5cde6b97e0022e6ae86303fe6053a0daa4bc56a8a
SHA1 hash:	0d137883d7649e42280ff5627c963ed6980fbc28
MD5 hash:	02e9f898eb325df9d19a770186fdf0ef
humanhash:	lactose-tennis-carbon-kitten
File name:	Import Duty and Tax Invoices - GlobalDHLDocuments.js
Download:	download sample
Signature	Formbook Create hunting rule
File size:	1'053'920 bytes
First seen:	2025-12-02 11:46:18 UTC
Last seen:	Never
File type:	js
MIME type:	text/plain
ssdeep	24:t9srsS/kqlIxg4L8gd9sCLcAzHnCJseJseJseJseJseJseJseJseJseJseJseJsV:lT33K47
Threatray	2'261 similar samples on MalwareBazaar
TLSH	T1A7250380C78CD145462A330C9EE4A714F6A7481FE742634C3E247DE66F2985AC335DAB
Magika	javascript
Reporter	lowmal3
Tags:	FormBook js

Intelligence

File Origin

# of uploads :

1

# of downloads :

111

Origin country :

DE

Vendor Threat Intelligence

No detections

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=692ed1e3264b106bd645f90f

Tags:

obfuscate xtreme shell

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 fingerprint masquerade obfuscated obfuscated powershell repaired

Link:

https://www.filescan.io/uploads/692ed1c24c1198e16ff10c4d/reports/e944255c-8cb8-45f0-a5ce-0d5b0a610fd3/overview

Verdict:

Malicious

Labled as:

SVM:TrojanDownloader/JS.MalBehav.gen

Link:

https://www.hybrid-analysis.com/sample/f9430e6f7fd4b2b62103cefb6766ce04b07e1be79b24ee7cdab934b913388335

Verdict:

Malicious

File Type:

text

First seen:

2025-12-02T04:39:00Z UTC

Last seen:

2025-12-04T10:19:00Z UTC

Hits:

~1000

Detections:

Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.SLoad.gen HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.SAgent.gen HEUR:Trojan.Script.Generic Trojan-Downloader.JS.SLoad.sb

Link:

https://opentip.kaspersky.com/f9430e6f7fd4b2b62103cefb6766ce04b07e1be79b24ee7cdab934b913388335/results?tab=lookup

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1824324

Signature

JScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for submitted file

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

System process connects to network (likely due to code injection or exploit)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Generic JS Downloader

Behaviour

Behavior Graph:

Score:

1%

Verdict:

Benign

File Type:

SCRIPT

Link:

https://malprob.io/report/f9430e6f7fd4b2b62103cefb6766ce04b07e1be79b24ee7cdab934b913388335

Verdict:

inconclusive

YARA:

1 match(es)

Link:

https://app.malva.re/file/02e9f898eb325df9d19a770186fdf0ef

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f9430e6f7fd4b2b62103cefb6766ce04b07e1be79b24ee7cdab934b913388335/

Verdict:

Malicious

Threat:

Trojan-Downloader.JS.SLoad

Link:

https://tip.neiki.dev/file/f9430e6f7fd4b2b62103cefb6766ce04b07e1be79b24ee7cdab934b913388335

Threat name:

Script-JS.Backdoor.njRAT

Status:

Malicious

First seen:

2025-12-02 11:32:14 UTC

File Type:

Text (JavaScript)

AV detection:

8 of 24 (33.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7fbq43372szlmiidz35wozwoasyh4g7htmso47g2xe2lsezyqm2q._file

Verdict:

malicious

Label(s):

formbook

Similar samples:

0f5a1d94343f393dbe063e997238d20a5367f96465003bc181d8814bbcd7ba6c

2cb24bafbd5728a17a8a8d07a555061ad58a81a25ce3dc090c5d3ca4c8a77349

37885dcfeb80c2b05f10cea621f603e64e8530b67ec2180d4d2b1e52ae38d6ae

44d76c2813cbcbbc38602cf85005884c492f6eb76fbdac3e8279633d75fc5a0d

691a1adb4046eb79e2ce90e73aad82ae817aeed98139a0a852ebb9aa2aed8541

bf85c808d84f3d1b83c812aaa7362b79b460f3d040ef9848a5df9d407b38b17d

d80fc0f436dea324b185283251e6dde0fcf7962a6da88af686733ee95c010cac

fbe9cbd20b1447fbc3005d50bd5b969b509266cab8b1fe3cf385506815d650aa

+ 2'251 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

execution

Link:

https://tria.ge/reports/251202-nxy4taer8x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Command and Scripting Interpreter: JavaScript

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Process spawned unexpected child process

Malware Config

Dropper Extraction:

https://bvaco.com/js/panel/uploads/optimized_MSI.png

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f9430e6f7fd4b2b62103cefb6766ce04b07e1be79b24ee7cdab934b913388335

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

js f9430e6f7fd4b2b62103cefb6766ce04b07e1be79b24ee7cdab934b913388335

(this sample)

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample