MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36768fc5b4ca50c19923c0b44a758997874c7e5245247b3f268a3840f31659ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36768fc5b4ca50c19923c0b44a758997874c7e5245247b3f268a3840f31659ee
SHA3-384 hash: 549d679d32d6dcfb952d99b14e41645ee13304545d565405245ce12118ea97f139cc265afa90e8728f40a1adada84d3c
SHA1 hash: 0b79907a3359a483b1f9ac6bf498c0db6e98617b
MD5 hash: 3b29adff89c38f40719a9916b4b33f44
humanhash: uncle-violet-seven-massachusetts
File name:LMZ05240257824426283637366563_Final Order.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:4'866 bytes
First seen:2024-04-06 07:27:32 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:whQnKJ47qjjytvIk9nlAJTfLQew02V6Jk4h0NoU0900/mA0Iyw00Z8Hyd40HqOjD:iQKr1iwaJ6GWae9s5iWQ28fmGZ2k7
TLSH T14CA13A1A53FA4504F6F39A4C993222780F377A6A693DD60C05EC2D5D1FF3A8098267B7
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/6610f98615f64ac5035240df/reports/0bffb67c-e816-4120-99a1-22af9915fb9d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/36768fc5b4ca50c19923c0b44a758997874c7e5245247b3f268a3840f31659ee
Result
Verdict:
MALICIOUS
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1421260
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Generic Downloader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1421260 Sample: LMZ052402578244262836373665... Startdate: 06/04/2024 Architecture: WINDOWS Score: 100 40 www.evertudy.xyz 2->40 42 paste.ee 2->42 44 11 other IPs or domains 2->44 62 Snort IDS alert for network traffic 2->62 64 Multi AV Scanner detection for domain / URL 2->64 66 Malicious sample detected (through community Yara rule) 2->66 72 11 other signatures 2->72 12 wscript.exe 14 2->12         started        signatures3 68 Performs DNS queries to domains with low reputation 40->68 70 Connects to a pastebin service (likely for C&C) 42->70 process4 dnsIp5 56 paste.ee 172.67.187.200, 443, 49707 CLOUDFLARENETUS United States 12->56 86 System process connects to network (likely due to code injection or exploit) 12->86 88 VBScript performs obfuscated calls to suspicious functions 12->88 90 Suspicious powershell command line found 12->90 92 5 other signatures 12->92 16 powershell.exe 7 12->16         started        signatures6 process7 signatures8 58 Suspicious powershell command line found 16->58 60 Found suspicious powershell code related to unpacking or dynamic code loading 16->60 19 powershell.exe 14 15 16->19         started        23 conhost.exe 16->23         started        process9 dnsIp10 52 uploaddeimagens.com.br 172.67.215.45, 443, 49708, 49709 CLOUDFLARENETUS United States 19->52 54 cdn.discordapp.com 162.159.135.233, 443, 49710 CLOUDFLARENETUS United States 19->54 76 Writes to foreign memory regions 19->76 78 Injects a PE file into a foreign processes 19->78 25 MSBuild.exe 19->25         started        signatures11 process12 signatures13 80 Maps a DLL or memory area into another process 25->80 28 vUJrLlaaRaqfcbIHvkkdRQ.exe 25->28 injected process14 signatures15 82 Maps a DLL or memory area into another process 28->82 84 Found direct / indirect Syscall (likely to bypass EDR) 28->84 31 EhStorAuthn.exe 13 28->31         started        process16 signatures17 94 Tries to steal Mail credentials (via file / registry access) 31->94 96 Tries to harvest and steal browser information (history, passwords, etc) 31->96 98 Writes to foreign memory regions 31->98 100 3 other signatures 31->100 34 vUJrLlaaRaqfcbIHvkkdRQ.exe 31->34 injected 38 firefox.exe 31->38         started        process18 dnsIp19 46 www.evertudy.xyz 203.161.49.220, 49724, 49725, 49726 VNPT-AS-VNVNPTCorpVN Malaysia 34->46 48 3cubesinterior.in 45.113.122.18, 49718, 80 PUBLIC-DOMAIN-REGISTRYUS India 34->48 50 5 other IPs or domains 34->50 74 Found direct / indirect Syscall (likely to bypass EDR) 34->74 signatures20
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/36768fc5b4ca50c19923c0b44a758997874c7e5245247b3f268a3840f31659ee
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36768fc5b4ca50c19923c0b44a758997874c7e5245247b3f268a3840f31659ee/
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2024-04-04 10:44:21 UTC
File Type:
Text (VBS)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gz3i7rnuzjimdgjdyc2eu5mjs6duy7ssiushwpzgri4eb4ywlhxa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/240406-janbksde31/
Behaviour
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36768fc5b4ca50c19923c0b44a758997874c7e5245247b3f268a3840f31659ee

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments