MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9cacbd23c7b3069e27ff13fb4f8faf3b884134285fb18c712c0e555ca72a4c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9cacbd23c7b3069e27ff13fb4f8faf3b884134285fb18c712c0e555ca72a4c5
SHA3-384 hash: 5fbdf4e85efddcb2e960ba7d020f49c2341fcb2cca9887454b2329172e8c7b7ff44900556753cd41b451976f6aa049f3
SHA1 hash: 5e1ab05439ca16fc5b35c644005eb63e2466908a
MD5 hash: 8841b659c9151d2196aa534b6c686eb0
humanhash: don-black-social-robin
File name:microsftgoodforenoughtogetstory.hta
Download: download sample
Signature Formbook
Create hunting rule
File size:14'733 bytes
First seen:2025-03-20 10:02:27 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 96:+ONcBf2MONcif27mnUIxfUwsBSONcbONc9f2pONcC:Pw8xkmnHxcTRL+Td
Threatray 197 similar samples on MalwareBazaar
TLSH T1FE6233440CE7FE224B86D29594CF90D54DAF4B2B20792219F8AFA4BD47012E498DA59B
Magika html
Reporter abuse_ch
Tags:FormBook hta

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
DE DE
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dbe7f3115e7b48b48f118b
Tags:
autoit emotet
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/f9cacbd23c7b3069e27ff13fb4f8faf3b884134285fb18c712c0e555ca72a4c5/results/dashboard
Payload URLs
URL
File name
http://172.245.123.24/131/casos.exe
HTA File
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/67dbe7fdb93e688233f04f2e/reports/f1b7e997-a9bd-4e15-ae38-970ce372bc21/overview
Verdict:
Malicious
Labled as:
VBS.Asthma.2.C8827715
Link:
https://www.hybrid-analysis.com/sample/f9cacbd23c7b3069e27ff13fb4f8faf3b884134285fb18c712c0e555ca72a4c5
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Cobalt Strike, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1644083
Signature
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Detected Cobalt Strike Beacon
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
PowerShell case anomaly found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Parents
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected FormBook
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1644083 Sample: microsftgoodforenoughtogets... Startdate: 20/03/2025 Architecture: WINDOWS Score: 100 62 www.zeniow.xyz 2->62 64 www.vaishnavi.xyz 2->64 66 17 other IPs or domains 2->66 76 Suricata IDS alerts for network traffic 2->76 78 Antivirus detection for URL or domain 2->78 80 Multi AV Scanner detection for dropped file 2->80 84 8 other signatures 2->84 13 mshta.exe 1 2->13         started        16 svchost.exe 1 1 2->16         started        signatures3 82 Performs DNS queries to domains with low reputation 64->82 process4 dnsIp5 108 Suspicious command line found 13->108 110 PowerShell case anomaly found 13->110 19 cmd.exe 1 13->19         started        60 127.0.0.1 unknown unknown 16->60 signatures6 process7 signatures8 86 Detected Cobalt Strike Beacon 19->86 88 Suspicious powershell command line found 19->88 90 PowerShell case anomaly found 19->90 22 powershell.exe 45 19->22         started        27 conhost.exe 19->27         started        process9 dnsIp10 68 172.245.123.24, 49681, 80 AS-COLOCROSSINGUS United States 22->68 54 C:\Users\user\AppData\Roaming\casos.exe, PE32 22->54 dropped 56 C:\Users\user\AppData\Local\...\casos[1].exe, PE32 22->56 dropped 58 C:\Users\user\AppData\...\yuw1uylr.cmdline, Unicode 22->58 dropped 94 Loading BitLocker PowerShell Module 22->94 96 Powershell drops PE file 22->96 29 casos.exe 2 22->29         started        32 csc.exe 3 22->32         started        file11 signatures12 process13 file14 112 Multi AV Scanner detection for dropped file 29->112 114 Binary is likely a compiled AutoIt script file 29->114 116 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 29->116 118 3 other signatures 29->118 35 svchost.exe 29->35         started        52 C:\Users\user\AppData\Local\...\yuw1uylr.dll, PE32 32->52 dropped 38 cvtres.exe 1 32->38         started        signatures15 process16 signatures17 92 Maps a DLL or memory area into another process 35->92 40 mkOLuZMXU8Kuh.exe 35->40 injected process18 signatures19 98 Found direct / indirect Syscall (likely to bypass EDR) 40->98 43 calc.exe 13 40->43         started        process20 signatures21 100 Tries to steal Mail credentials (via file / registry access) 43->100 102 Tries to harvest and steal browser information (history, passwords, etc) 43->102 104 Modifies the context of a thread in another process (thread injection) 43->104 106 3 other signatures 43->106 46 mkOLuZMXU8Kuh.exe 43->46 injected 50 firefox.exe 43->50         started        process22 dnsIp23 70 shedsworld.shop 162.255.118.67, 49736, 49737, 49738 NAMECHEAP-NETUS United States 46->70 72 www.jplttj.info 47.83.1.90, 49722, 49723, 49724 VODANETInternationalIP-BackboneofVodafoneDE United States 46->72 74 7 other IPs or domains 46->74 120 Found direct / indirect Syscall (likely to bypass EDR) 46->120 signatures24
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/f9cacbd23c7b3069e27ff13fb4f8faf3b884134285fb18c712c0e555ca72a4c5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9cacbd23c7b3069e27ff13fb4f8faf3b884134285fb18c712c0e555ca72a4c5/
Threat name:
Script-WScript.Trojan.Asthma
Create hunting rule
Status:
Malicious
First seen:
2025-03-17 15:45:06 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hfmxur4pmygtyt76e73j6h26o4iie2cqx5rrrysydsvlstsutcq._file
Verdict:
malicious
Label(s):
unc_loader_036
Create hunting rule
Similar samples:
02a477ca33834ffa2d6e53066b98ac6f16f869c501eb8add6c51808ccf5d815b
Formbook
0cf82032506f68325f882f8cbdab76cda268a7807b8063a5b8a4fce94f963ff5
Formbook
1631a36156fa9b9c4f6079c5e8fb44f423f142fb92960ef55306ef9c1dad9c9f
Formbook
4962c3dba2f96f31a98e105eddc0e5e7a474a5368c6f851e86f91bf05654ab86
Formbook
5942293d4ed06c7427d43524f4226be05ead22d7cb55ec2373fcb482fab62c4b
Formbook
83e54a891cea0a57a09fd02ac887deb0db368d1f07a6d35e84bc59285201ef85
Formbook
ea62408c9bec28dd22e73ba292def6019dd2fc93dd1a1663fd15e5b4ce1ea09b
Formbook
error
Formbook
fe290aa1e7d15fe57535dc61d027008d209eea93d48656a2f0022e921d0419a3
Formbook
+ 187 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/250320-l3hynszwbz/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Evasion via Device Credential Deployment
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9cacbd23c7b3069e27ff13fb4f8faf3b884134285fb18c712c0e555ca72a4c5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

HTML Application (hta) hta f9cacbd23c7b3069e27ff13fb4f8faf3b884134285fb18c712c0e555ca72a4c5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3483446/
  
Delivery method
Distributed via web download

Comments