MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ac74eafee626ebec80376eb13837525572a52e04cd595ba1a501dca0606cb8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ac74eafee626ebec80376eb13837525572a52e04cd595ba1a501dca0606cb8d
SHA3-384 hash: 7558741216449f70d05d134d921c569b56e721965f6d48eda3cbc1ccfd4133d9d9172390c2a13675fa276103542f2259
SHA1 hash: 88a9a7abc8835d7f6a96b5d274ff5cf88ff682c2
MD5 hash: af652825a2501a10d3a531655368d480
humanhash: kentucky-music-lima-tennessee
File name:Order Specifications 10-12-25.vbe
Download: download sample
Signature Formbook
Create hunting rule
File size:2'112'464 bytes
First seen:2025-12-10 08:49:26 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:application/octet-stream
ssdeep 12288:d8AIuNXMRfPY35aQnIGzEJ6+ejBNmnDpDI9kdfZxXxSVomMGNY9G27xvzubm:TXCktE0HJiSgGk2m
TLSH T18FA5A05D84B1ACD2A054FEB4F685FFD78CDB5385162B07520FE4858A3312C83FAA72A5
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika txt
Reporter cocaman
Tags:FormBook vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
CH CH
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6939345bbde6a3e5970fbb72
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm
Link:
https://www.filescan.io/uploads/693934551eac7b9b76a355ad/reports/338264ef-c25e-4e47-aa7e-273a5baccab1/overview
Verdict:
Malicious
Labled as:
VBS/Agent.TEM trojan
Link:
https://www.hybrid-analysis.com/sample/0ac74eafee626ebec80376eb13837525572a52e04cd595ba1a501dca0606cb8d
Verdict:
Malicious
File Type:
vbe
First seen:
2025-12-10T01:32:00Z UTC
Last seen:
2025-12-12T07:21:00Z UTC
Hits:
~1000
Detections:
Trojan-Downloader.JS.SLoad.sb Trojan-Downloader.JS.Cryptoload.sb Trojan.VBS.SAgent.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.VBS.Agent.gen HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/0ac74eafee626ebec80376eb13837525572a52e04cd595ba1a501dca0606cb8d/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1830101
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1830101 Sample: Order Specifications 10-12-25.vbe Startdate: 10/12/2025 Architecture: WINDOWS Score: 100 67 www.braenta.xyz 2->67 69 www.altcointape.xyz 2->69 71 14 other IPs or domains 2->71 85 Suricata IDS alerts for network traffic 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for URL or domain 2->89 93 10 other signatures 2->93 12 wscript.exe 8 2 2->12         started        16 wscript.exe 1 2->16         started        signatures3 91 Performs DNS queries to domains with low reputation 69->91 process4 file5 65 C:\Users\user\AppData\...\UBTYURVQmTVptAR.vbs, ASCII 12->65 dropped 103 Suspicious powershell command line found 12->103 105 Wscript starts Powershell (via cmd or directly) 12->105 107 Windows Shell Script Host drops VBS files 12->107 109 4 other signatures 12->109 18 powershell.exe 11 12->18         started        21 WmiPrvSE.exe 294 12->21         started        23 powershell.exe 11 16->23         started        25 powershell.exe 16->25         started        27 powershell.exe 16->27         started        29 5 other processes 16->29 signatures6 process7 signatures8 79 Writes to foreign memory regions 18->79 81 Injects a PE file into a foreign processes 18->81 31 MSBuild.exe 18->31         started        34 conhost.exe 18->34         started        36 conhost.exe 23->36         started        38 MSBuild.exe 23->38         started        40 conhost.exe 25->40         started        42 MSBuild.exe 25->42         started        44 conhost.exe 27->44         started        46 MSBuild.exe 27->46         started        48 10 other processes 29->48 process9 signatures10 111 Maps a DLL or memory area into another process 31->111 113 Unusual module load detection (module proxying) 31->113 50 T9CeIvoAbZF.exe 31->50 injected process11 signatures12 83 Maps a DLL or memory area into another process 50->83 53 makecab.exe 13 50->53         started        process13 signatures14 95 Tries to steal Mail credentials (via file / registry access) 53->95 97 Tries to harvest and steal browser information (history, passwords, etc) 53->97 99 Modifies the context of a thread in another process (thread injection) 53->99 101 4 other signatures 53->101 56 dGyhiUEsC.exe 53->56 injected 59 chrome.exe 53->59         started        61 firefox.exe 53->61         started        process15 dnsIp16 73 kgabosafaris.co.za 156.38.195.74, 49724, 80 xneeloZA South Africa 56->73 75 growntlab.com 177.234.153.21, 49739, 49740, 49741 LEVEL3US Brazil 56->75 77 4 other IPs or domains 56->77 63 WerFault.exe 59->63         started        process17
Verdict:
Malware
YARA:
1 match(es)
Tags:
DeObfuscated Obfuscated T1059.005 VBScript VBScript Encoded
Link:
https://app.malva.re/file/af652825a2501a10d3a531655368d480
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ac74eafee626ebec80376eb13837525572a52e04cd595ba1a501dca0606cb8d/
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.SLoad
Link:
https://tip.neiki.dev/file/0ac74eafee626ebec80376eb13837525572a52e04cd595ba1a501dca0606cb8d
Threat name:
Script.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2025-12-10 07:08:07 UTC
File Type:
Binary
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bldu5l7omjxl5sado3vrha3vevlsuuxajtkzloq2kao4ubqgzogq._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251210-krs4tswphk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0ac74eafee62/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/0ac74eafee626ebec80376eb13837525572a52e04cd595ba1a501dca0606cb8d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

rar cb9b29844f69bbb116dca8b6cf826cfa67a37a26026dab16d97360a1f0cce729

Formbook

Visual Basic Script (vbe) vbe 0ac74eafee626ebec80376eb13837525572a52e04cd595ba1a501dca0606cb8d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 cb9b29844f69bbb116dca8b6cf826cfa67a37a26026dab16d97360a1f0cce729
  
Dropped by
MD5 6a9f7f3048336a2a808e8cc071bb99ff

Comments