MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd3141f160c3e5782f6d2ce06b10f90af52dd438856295a925820ee0dfe23a96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd3141f160c3e5782f6d2ce06b10f90af52dd438856295a925820ee0dfe23a96
SHA3-384 hash: ac56ec2ad1fa13ee277fc7e4e36ca037f7cd54c71d43c2226eb9cf48b1564e0d06cf321793f72cbfb1fed1b83f4f4e10
SHA1 hash: 8656ecb53436dcb407d4810f1ac33aa002d3a7ea
MD5 hash: a4a8e466ee4cce669cc039637d626ec7
humanhash: fanta-apart-violet-table
File name:YKP_Project0021.hta
Download: download sample
Signature Formbook
Create hunting rule
File size:1'966 bytes
First seen:2025-04-08 07:11:22 UTC
Last seen:2025-04-08 10:29:01 UTC
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 24:hPgnw2dSATJFohXEub6B6OcY1jmAvbyyAm/MpRypwy7jpyMCO:tgwqSqAUubA6OcACAvuyx0rW9VCO
Threatray 122 similar samples on MalwareBazaar
TLSH T14F4123169809C6ACC17519AB99BBC411F2E402E3CA059C31318D983FAF723CF1ED2E4E
Magika vba
Reporter lowmal3
Tags:FormBook hta

Intelligence

File Origin
# of uploads :
3
# of downloads :
79
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.15967.16903.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f4cd93e011fe619fad0b18
Tags:
obfuscate xtreme shell
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/fd3141f160c3e5782f6d2ce06b10f90af52dd438856295a925820ee0dfe23a96/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
GT:VB.SmlRvrHtSnd.1
Link:
https://www.hybrid-analysis.com/sample/fd3141f160c3e5782f6d2ce06b10f90af52dd438856295a925820ee0dfe23a96
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1658998
Signature
Antivirus detection for URL or domain
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Legitimate Application Dropped Script
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Yara detected VBS Downloader Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1658998 Sample: YKP_Project0021.hta Startdate: 08/04/2025 Architecture: WINDOWS Score: 100 58 paste.ee 2->58 60 www.object-58974.shop 2->60 62 5 other IPs or domains 2->62 78 Suricata IDS alerts for network traffic 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for URL or domain 2->82 86 16 other signatures 2->86 13 mshta.exe 2 2->13         started        16 svchost.exe 1 1 2->16         started        signatures3 84 Connects to a pastebin service (likely for C&C) 58->84 process4 dnsIp5 54 C:\Windows\Temp\succours.bat, DOS 13->54 dropped 19 cmd.exe 2 13->19         started        56 127.0.0.1 unknown unknown 16->56 file6 process7 file8 52 C:\Windows\Temp\boughy.vbs, ASCII 19->52 dropped 90 Command shell drops VBS files 19->90 23 wscript.exe 14 19->23         started        27 conhost.exe 19->27         started        29 timeout.exe 1 19->29         started        signatures9 process10 dnsIp11 64 paste.ee 23.186.113.60, 443, 49712, 49716 KLAYER-GLOBALNL Reserved 23->64 92 System process connects to network (likely due to code injection or exploit) 23->92 94 Suspicious powershell command line found 23->94 96 Wscript starts Powershell (via cmd or directly) 23->96 98 2 other signatures 23->98 31 powershell.exe 15 14 23->31         started        signatures12 process13 dnsIp14 70 d2rf50u1p3jcpj.cloudfront.net 18.238.80.91, 443, 49713 AMAZON-02US United States 31->70 72 Writes to foreign memory regions 31->72 74 Suspicious execution chain found 31->74 76 Injects a PE file into a foreign processes 31->76 35 RegAsm.exe 31->35         started        38 conhost.exe 31->38         started        signatures15 process16 signatures17 88 Maps a DLL or memory area into another process 35->88 40 IrffgG54z.exe 35->40 injected process18 signatures19 100 Found direct / indirect Syscall (likely to bypass EDR) 40->100 43 dfrgui.exe 13 40->43         started        process20 signatures21 102 Tries to steal Mail credentials (via file / registry access) 43->102 104 Tries to harvest and steal browser information (history, passwords, etc) 43->104 106 Modifies the context of a thread in another process (thread injection) 43->106 108 3 other signatures 43->108 46 IrffgG54z.exe 43->46 injected 50 firefox.exe 43->50         started        process22 dnsIp23 66 www.novage.site 162.254.38.217, 49727, 49728, 49729 COGECO-PEER1CA United States 46->66 68 www.fix.shopping 13.248.169.48, 49726, 49731, 49732 AMAZON-02US United States 46->68 110 Found direct / indirect Syscall (likely to bypass EDR) 46->110 signatures24
Score:
2%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/fd3141f160c3e5782f6d2ce06b10f90af52dd438856295a925820ee0dfe23a96
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd3141f160c3e5782f6d2ce06b10f90af52dd438856295a925820ee0dfe23a96/
Threat name:
Script-WScript.Trojan.Scarab
Create hunting rule
Status:
Malicious
First seen:
2025-04-08 07:06:09 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7uyud4laypsxql3nftqgwehzbl2s3vbyqvrjlkjfqihobx7chkla._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0c25fdd6e72006a4896e82aef58f05e9177a07d75aeff4eeb85dd7138ffb52f6
Formbook
3da71626391cd7e012a6a4075a4463e56af3eeb383ea990bd3b745235ce1ce3a
Formbook
5b9a611f5ca531f0794cf9601360e1414c72079689ce107c2ebf4c5bb6fc5f8d
Formbook
7c0946cd8a228f35db68a9bd702e283a3ab9f41113bede7ed206e9af5f824c9e
Formbook
923b51a8e59ac5dc4db026988ec3f205f21cbb6590cd14b0e68b9cb0d8114ad7
Formbook
9690ebb923acd798749d7bc2d1cee17d7c1899cf696558e440ecd2482907fddc
Formbook
cbb80b28d18b74f2e7c7cc25613250d84aa207b0b717262477584b5619a5ca12
Formbook
de9dcf9f6ee4f1dd3a6ce3793a6da1e2393535e2ffb9dc8ad46972272a0b4ab1
Formbook
e7e78105c3946eb6ec2297a39ece3865c41f918d75d2a428ef53ef98ba0ad300
Formbook
error
Formbook
+ 112 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution
Link:
https://tria.ge/reports/250408-h1mbjazvgy/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fd3141f160c3e5782f6d2ce06b10f90af52dd438856295a925820ee0dfe23a96

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

HTML Application (hta) hta fd3141f160c3e5782f6d2ce06b10f90af52dd438856295a925820ee0dfe23a96

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments