MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e1ff97d9336fe91b7a9c1853577961b432a2e71942238804b2a54619a681610. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e1ff97d9336fe91b7a9c1853577961b432a2e71942238804b2a54619a681610
SHA3-384 hash: 50830b855c36620475175c14236f3c54612e7d4c37babe76f75ebb33297b7e54338f49ebe4c9c3eeaf9c6057d93088c4
SHA1 hash: 09e1a94da18602ec942599f434e0fb7d6095bf0b
MD5 hash: 84779d9ba89ca404bf98af3ffb490f6c
humanhash: kansas-muppet-east-nuts
File name:DINNNN.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:5'977'940 bytes
First seen:2025-10-07 18:34:37 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:LVEgFjE5Vw+yyFmmmmmmmmmmmmmLEoB4U+8W:LVEgFjE5Vw+yyYEoa
Threatray 1'781 similar samples on MalwareBazaar
TLSH T1FA5667AFD6E52A6CF8500024FA37AC300747F871EABF91EB20AB9CFD27591095A51375
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika unknown
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
54
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/31024/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e55dbf277c2bd8bc5d892b
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/68e55ddc5a3bccf09ebbf0e2/reports/53d2e338-eb1f-467c-9003-f5708ee7889d/overview
Verdict:
Malicious
Labled as:
GT:VB.Honolulu.1
Link:
https://www.hybrid-analysis.com/sample/3e1ff97d9336fe91b7a9c1853577961b432a2e71942238804b2a54619a681610
Verdict:
Malicious
File Type:
unknown
First seen:
2025-10-06T17:56:00Z UTC
Last seen:
2025-10-08T11:01:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/3e1ff97d9336fe91b7a9c1853577961b432a2e71942238804b2a54619a681610/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1790875
Signature
.NET source code contains potential unpacker
AI detected malicious Powershell script
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected FormBook
Yara detected Generic Downloader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1790875 Sample: DINNNN.vbs Startdate: 07/10/2025 Architecture: WINDOWS Score: 100 97 pastebin.com 2->97 99 zxuyj111-1.32b2yjhrzxe8.com 2->99 101 13 other IPs or domains 2->101 115 Suricata IDS alerts for network traffic 2->115 117 Malicious sample detected (through community Yara rule) 2->117 119 Antivirus detection for URL or domain 2->119 123 18 other signatures 2->123 13 wscript.exe 1 2->13         started        16 powershell.exe 2->16         started        18 powershell.exe 2->18         started        20 2 other processes 2->20 signatures3 121 Connects to a pastebin service (likely for C&C) 97->121 process4 dnsIp5 153 Suspicious powershell command line found 13->153 155 Wscript starts Powershell (via cmd or directly) 13->155 157 Uses schtasks.exe or at.exe to add and modify task schedules 13->157 161 2 other signatures 13->161 23 powershell.exe 7 13->23         started        26 schtasks.exe 1 13->26         started        28 schtasks.exe 1 13->28         started        30 wscript.exe 16->30         started        32 conhost.exe 16->32         started        34 wscript.exe 18->34         started        36 conhost.exe 18->36         started        103 127.0.0.1 unknown unknown 20->103 159 Wscript called in batch mode (surpress errors) 20->159 38 conhost.exe 20->38         started        40 wscript.exe 20->40         started        signatures6 process7 signatures8 139 Suspicious powershell command line found 23->139 141 Encrypted powershell cmdline option found 23->141 143 Bypasses PowerShell execution policy 23->143 147 2 other signatures 23->147 42 powershell.exe 14 18 23->42         started        46 conhost.exe 23->46         started        48 conhost.exe 26->48         started        50 conhost.exe 28->50         started        145 Wscript starts Powershell (via cmd or directly) 30->145 52 powershell.exe 30->52         started        55 powershell.exe 34->55         started        process9 dnsIp10 111 pastebin.com 104.20.29.150, 443, 49692, 49694 CLOUDFLARENETUS United States 42->111 113 dpaste.org 172.66.152.175, 443, 49693, 49695 CLOUDFLARENETUS United States 42->113 95 C:\Users\user\AppData\Local\Temp\nAvER.ps1, Unicode 42->95 dropped 57 powershell.exe 15 42->57         started        133 Wscript called in batch mode (surpress errors) 52->133 61 conhost.exe 52->61         started        63 wscript.exe 52->63         started        65 conhost.exe 55->65         started        67 wscript.exe 55->67         started        file11 signatures12 process13 file14 91 __________________...________-------.lnk, MS 57->91 dropped 93 C:\Users\user\AppData\Local\Temp\xx2.vbs, ASCII 57->93 dropped 149 Writes to foreign memory regions 57->149 151 Injects a PE file into a foreign processes 57->151 69 MSBuild.exe 57->69         started        72 powershell.exe 23 57->72         started        74 powershell.exe 11 57->74         started        76 powershell.exe 57->76         started        signatures15 process16 signatures17 135 Maps a DLL or memory area into another process 69->135 78 CiX0Dm6Qh0FV.exe 69->78 injected 137 Loading BitLocker PowerShell Module 72->137 81 powershell.exe 1 11 72->81         started        process18 signatures19 163 Maps a DLL or memory area into another process 78->163 83 fsutil.exe 13 78->83         started        165 Creates autostart registry keys with suspicious values (likely registry only malware) 81->165 167 Creates autostart registry keys with suspicious names 81->167 process20 signatures21 125 Tries to steal Mail credentials (via file / registry access) 83->125 127 Tries to harvest and steal browser information (history, passwords, etc) 83->127 129 Modifies the context of a thread in another process (thread injection) 83->129 131 3 other signatures 83->131 86 nAMUddXVPg.exe 83->86 injected 89 firefox.exe 83->89         started        process22 dnsIp23 105 zxuyj111-1.32b2yjhrzxe8.com 172.247.188.51, 49707, 49708, 49709 POWERLINE-AS-APPOWERLINEDATACENTERHK United States 86->105 107 natroredirect.natrocdn.com 85.159.66.93, 49704, 80 CIZGITR Turkey 86->107 109 lifequant.net 3.33.130.190, 80 AMAZONEXPANSIONGB United States 86->109
Score:
97%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/3e1ff97d9336fe91b7a9c1853577961b432a2e71942238804b2a54619a681610
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e1ff97d9336fe91b7a9c1853577961b432a2e71942238804b2a54619a681610/
Verdict:
Malicious
Threat:
Trojan.Script
Link:
https://tip.neiki.dev/file/3e1ff97d9336fe91b7a9c1853577961b432a2e71942238804b2a54619a681610
Threat name:
Win32.Trojan.Honolulu
Create hunting rule
Status:
Malicious
First seen:
2025-10-07 00:18:36 UTC
File Type:
Binary
AV detection:
8 of 37 (21.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hyp7s7mtg37jdn5jygctk54wdnbsultrsqrdraclfjkgdgticyia._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
2b2813d971b9a081db71183c0687b4a80b423a1228617b13a13f1baaa6ba9158
Formbook
3d488c7e2ce30c599303d4fc4bdc43692f80cc7e5e6feb1993197d97503f7dc3
Formbook
5ee4fc645fa88cd85eddc57b9fc28733a891d0bb84a648a560264b983b9c5488
Formbook
5fcfd8333c4687790ed53e4783d8b2ac2d082059f7f1b14e92dd24e41e831740
Formbook
611800d260a261ca41759e9c79312cdabe2529bc8fe362f296b348c5fa1a5c09
Formbook
b486ec0314eabf1bd79a42201829893561d949978e264bcaec545ba7f1b25f10
Formbook
c8eb86820e2bb79b01f13912d9dc05afe153c0eb4465aa6ccdcb4bff68b2c343
Formbook
ea710abc03bb6f1d7bb3045bfbbf6450e49fbaea858df1fef7563d525d708c0c
Formbook
error
Formbook
f4a2ff30755f15ff9c9e1ea5fdabd00f3c2755bb9d28829390833b07fc1cdce1
Formbook
fb16330c871833981f73ada3203538f6549a62be87150af3ba00536029ccc63b
Formbook
+ 1'771 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion execution persistence
Link:
https://tria.ge/reports/251007-w9jtnagn6z/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Hide Artifacts: Hidden Window
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://pastebin.com/raw/jgKWLc0S
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3e1ff97d9336fe91b7a9c1853577961b432a2e71942238804b2a54619a681610

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/31024/

Comments