MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e42521ebdf483191d3df6d436b4a0a6ff0da8b384c364dbbcb8981d1b74b6d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e42521ebdf483191d3df6d436b4a0a6ff0da8b384c364dbbcb8981d1b74b6d2
SHA3-384 hash: 0fe1f48b7a640a549715c91a70888f274da9c5586a90f347f75df3c6631ef20d524a35e80c0c30b109489e54085f7451
SHA1 hash: 3662ddfb56b981c127d78518a5586eb7a97ec09e
MD5 hash: 3e025262499991a41860b5abe632df75
humanhash: seventeen-massachusetts-bakerloo-mike
File name:Purchase Inquiry # 74713.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:13'616 bytes
First seen:2025-04-08 05:54:14 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:2lUyyyyyyyyyyyyyE3U2GfBN8mUhmWoEXOxz4lKYCI25tHqsXfUTMf5LqrMKzI7I:attgThLOY845JSlDhPmj7wxKGDIl
Threatray 4'993 similar samples on MalwareBazaar
TLSH T1F452F2429C49CBE00D5FF93D9C8B78296050A3279038EE9BFAE75C9D39FF819695448C
Magika vba
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1201/
Detection(s):
TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f4bb3ea695a0cd1fac85ea
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade obfuscated obfuscated powershell
Link:
https://www.filescan.io/uploads/67f4ba1c0eb02f7be13a40d4/reports/1668e007-9395-4207-b066-6cc542b8712a/overview
Verdict:
Malicious
Labled as:
VBS/Agent.SWW trojan
Link:
https://www.hybrid-analysis.com/sample/1e42521ebdf483191d3df6d436b4a0a6ff0da8b384c364dbbcb8981d1b74b6d2
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1658917
Signature
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: CMSTP Execution Process Creation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1658917 Sample: Purchase Inquiry # 74713.vbs Startdate: 08/04/2025 Architecture: WINDOWS Score: 100 46 www.focusmentorn.pro 2->46 48 www.cameronreitsma.net 2->48 50 4 other IPs or domains 2->50 62 Suricata IDS alerts for network traffic 2->62 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 13 other signatures 2->68 13 wscript.exe 1 2->13         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 98 VBScript performs obfuscated calls to suspicious functions 13->98 100 Suspicious powershell command line found 13->100 102 Wscript starts Powershell (via cmd or directly) 13->102 104 2 other signatures 13->104 19 powershell.exe 7 13->19         started        44 127.0.0.1 unknown unknown 16->44 signatures6 process7 signatures8 70 Suspicious powershell command line found 19->70 72 Suspicious execution chain found 19->72 74 Found suspicious powershell code related to unpacking or dynamic code loading 19->74 22 powershell.exe 14 24 19->22         started        26 conhost.exe 19->26         started        process9 dnsIp10 52 ofice365.github.io 185.199.108.153, 443, 49681 FASTLYUS Netherlands 22->52 54 s3-r-w.us-east-1.amazonaws.com 54.231.166.10, 443, 49692 AMAZON-02US United States 22->54 84 Writes to foreign memory regions 22->84 86 Injects a PE file into a foreign processes 22->86 88 Loading BitLocker PowerShell Module 22->88 28 RegAsm.exe 22->28         started        signatures11 process12 signatures13 90 Modifies the context of a thread in another process (thread injection) 28->90 92 Maps a DLL or memory area into another process 28->92 94 Sample uses process hollowing technique 28->94 96 4 other signatures 28->96 31 explorer.exe 22 1 28->31 injected process14 dnsIp15 56 www.focusmentorn.pro 51.222.43.200, 49695, 80 OVHFR France 31->56 58 www.251014.pink 162.218.31.108, 49694, 80 ANT-CLOUDUS United States 31->58 60 System process connects to network (likely due to code injection or exploit) 31->60 35 cmstp.exe 31->35         started        38 autofmt.exe 31->38         started        signatures16 process17 signatures18 76 Modifies the context of a thread in another process (thread injection) 35->76 78 Maps a DLL or memory area into another process 35->78 80 Tries to detect virtualization through RDTSC time measurements 35->80 82 Switches to a custom stack to bypass stack traces 35->82 40 cmd.exe 1 35->40         started        process19 process20 42 conhost.exe 40->42         started       
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/1e42521ebdf483191d3df6d436b4a0a6ff0da8b384c364dbbcb8981d1b74b6d2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e42521ebdf483191d3df6d436b4a0a6ff0da8b384c364dbbcb8981d1b74b6d2/
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-04-07 12:45:19 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzbfehv56sbrshj563kdnnfau37q3kftqtbwjw54xcmb2g3uw3ja._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
10883d2d817a21862f9068a7fbaae0d363e16e64d291a291925ba002e761eff6
Formbook
1c8de42bff76a20cdaee2bed7629f8f0dfcf4ab5c7b5ee637d147f6f45311015
Formbook
5bc4574dc91259c37e24e9fafd52c4798d2ac0b04bdce4ea1959b1c4a1bb1be1
Formbook
bbcaa127862b5b70b5a833b3136f431c03a9165dd0a4646ba78922ebcc7ebdc3
Formbook
cc3e1fee438ef0fe104afcc8ac66f930074302f67f1b99995b2d526575ddc098
Formbook
d6f3187ea8a4c0cb9e263a665487060b5b14caf184a5343b2ed928b67d16a264
Formbook
error
Formbook
fb950137c6cdd6106f6a642ffa4c8073c067b2cf8a057802415310cf24f6fc8a
Formbook
fd7a998d2f4db27ec6b0ec32459571e124128cf57ed9b8236374dc68519c8fa8
Formbook
fef0d0e16559f3c10c8a414b00433d165f132b4444ddc2a7033ab7a2e1bb7604
Formbook
+ 4'983 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:mtpi discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250408-gl5znaxrx8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e42521ebdf483191d3df6d436b4a0a6ff0da8b384c364dbbcb8981d1b74b6d2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/1201/

Comments