MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1
SHA3-384 hash: dfecbe12788894359fa0832bbba0cb91a33496aafe9986f9efbf3dea86395dca0e97f6a1a54a47861eeea42972be8775
SHA1 hash: 0143999e3fbf5c1e2f3416937d2c94be01c95124
MD5 hash: 863fc344559496b5edac4af4a1ed9706
humanhash: quiet-comet-iowa-jersey
File name:863fc344559496b5edac4af4a1ed9706.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:1'294'887 bytes
First seen:2026-03-11 08:05:36 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:rGU4x40iTVmutLhQolaFeDEnGgaPr94H0vz346DZm:rGYXr9Jzo6tm
Threatray 28 similar samples on MalwareBazaar
TLSH T118550B1E237FE046D97BAB368AE620F0F57FB4BA119163D81BE705B14D8A2D9C353112
Magika vba
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57031/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b043b5e5dc8e2b2c3221a4
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint obfuscated powershell
Link:
https://www.filescan.io/uploads/69b1227d97feb4afd67d9a61/reports/a5413a13-81fc-4ca8-a7e4-077dcb649ae5/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1
Verdict:
Malicious
File Type:
vbs
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan.VBS.SAgent.gen HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1881700
Signature
Antivirus detection for URL or domain
Creates processes via WMI
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MSIL Injector
Behaviour
Behavior Graph:
Download SVG
Score:
5%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1/
Verdict:
Malicious
Threat:
Trojan.JS.SAgent
Link:
https://tip.neiki.dev/file/0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1
Threat name:
Script-WScript.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2026-03-10 12:28:46 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzva3wtnkquriuvn5moxkfomr3nne4cya7k2anbtidhhciwo7cyq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
04f61412164731dda5c5efc5e6e9275f12f5ff174155dc415a4f86904f023d56
Formbook
07ca3c1f8d2a424f1873cf6eda6df16e69569aa98c5d152734668ea9d1f4c374
Formbook
19d1507a08193e55ebb5b873e23fa0fd1d54a29e413ccd51903d6f084556c1d3
Formbook
1dd20400a7bb38e2bc807c8bbe15fb719b3466be957bbd9b71f620f876916287
Formbook
4f5d1c5ad71e3be6754c31542735633c0be9224feae128e2bb4cec533e85c33e
Formbook
61c61e5c4d5caa801b3d6ee7ba915ce19793274d659fc6e2bb14076fc5fdcb59
Formbook
64d9f08a8e854b56fe3e3ccabe85e9c904f9aeb854b7459af4bc3b4930a69925
Formbook
b2f7cd8a8984266ccf8060b18823cdbe01a88f62b809b083b681028c0c11d793
Formbook
e83039c747aa9f67494b6685cf5b53ce9afd955d6f4b0355c85a224c5c2e3ce8
Formbook
error
Formbook
fedadf230b08a70fbe14c66d2ce63a455a72cb03c53e9dd9579a59a881561469
Formbook
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/260311-jzklzsg12w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/57031/

Comments