MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 424ae2948a4da9628f788e681957586c2d1e6ca1d4b615b8dd92a8930b5468d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 424ae2948a4da9628f788e681957586c2d1e6ca1d4b615b8dd92a8930b5468d4
SHA3-384 hash: 563fd0c6a6fe108b22cc42dcd1cfd9bcbb6b3a0ddac5fbcdc2a9f8530ef84077e8c4dc2912ed5213f36cc8927137f727
SHA1 hash: 997e5606c8803427c4b1b5faa78ca9861d6ebb48
MD5 hash: ddff62407b14f7f5d043c9e9caa1ee85
humanhash: king-johnny-delaware-nebraska
File name:Paydetails.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:16'071 bytes
First seen:2025-09-16 08:07:58 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:f9wUYcHzqljHyQaPxAgDKT8N4hwXulbnLL+:fKUfOljSPjJ+euq
Threatray 1'150 similar samples on MalwareBazaar
TLSH T1DA721E7DA548DFF00B1A22F011CB7D176064D322A935DE7DA8E6C1B87F226518FA50ED
Magika vba
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27702/
Detection(s):
SecuriteInfo.com.Heur.17539.5296.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Heur.19301.14805.UNOFFICIAL
Create hunting rule

TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c91b0ed49ea3f1e4b657c0
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Labled as:
VBS/Agent.TGD trojan
Link:
https://www.hybrid-analysis.com/sample/424ae2948a4da9628f788e681957586c2d1e6ca1d4b615b8dd92a8930b5468d4
Verdict:
Malicious
File Type:
vbs
First seen:
2025-09-15T22:06:00Z UTC
Last seen:
2025-09-15T22:06:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/424ae2948a4da9628f788e681957586c2d1e6ca1d4b615b8dd92a8930b5468d4/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778320
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1778320 Sample: Paydetails.vbs Startdate: 16/09/2025 Architecture: WINDOWS Score: 100 48 www.smartuniformvina.xyz 2->48 50 www.fastgpt.xyz 2->50 52 7 other IPs or domains 2->52 60 Suricata IDS alerts for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 68 10 other signatures 2->68 12 wscript.exe 1 2->12         started        15 svchost.exe 1 1 2->15         started        signatures3 66 Performs DNS queries to domains with low reputation 50->66 process4 dnsIp5 78 VBScript performs obfuscated calls to suspicious functions 12->78 80 Suspicious powershell command line found 12->80 82 Wscript starts Powershell (via cmd or directly) 12->82 84 2 other signatures 12->84 18 powershell.exe 14 15 12->18         started        58 127.0.0.1 unknown unknown 15->58 signatures6 process7 dnsIp8 54 ihmmkvkaiwnilneauhfn.supabase.co 104.18.38.10, 443, 49681 CLOUDFLARENETUS United States 18->54 56 bitbucket.org 104.192.142.25, 443, 49684 AMAZON-AESUS United States 18->56 70 Writes to foreign memory regions 18->70 72 Injects a PE file into a foreign processes 18->72 22 MSBuild.exe 18->22         started        25 conhost.exe 18->25         started        signatures9 process10 signatures11 74 Maps a DLL or memory area into another process 22->74 27 viOgGgSYGd.exe 22->27 injected process12 signatures13 76 Maps a DLL or memory area into another process 27->76 30 expand.exe 13 27->30         started        process14 signatures15 86 Tries to steal Mail credentials (via file / registry access) 30->86 88 Tries to harvest and steal browser information (history, passwords, etc) 30->88 90 Modifies the context of a thread in another process (thread injection) 30->90 92 3 other signatures 30->92 33 7drhiEG6BSCvy.exe 30->33 injected 36 chrome.exe 30->36         started        38 firefox.exe 30->38         started        process16 dnsIp17 42 www.catspro.xyz 166.117.110.61, 49697, 49698, 49699 NSWPOLSERV-AS-APNewSouthWalesPoliceAU United States 33->42 44 www.yqyqyiqian.top 154.23.185.239, 49693, 49694, 49695 COGENT-174US United States 33->44 46 3 other IPs or domains 33->46 40 WerFault.exe 4 36->40         started        process18
Score:
88%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/424ae2948a4da9628f788e681957586c2d1e6ca1d4b615b8dd92a8930b5468d4
Verdict:
Malware
YARA:
1 match(es)
Tags:
Scripting.Dictionary Scripting.FileSystemObject VBScript WScript.Network
Link:
https://app.malva.re/file/ddff62407b14f7f5d043c9e9caa1ee85
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/424ae2948a4da9628f788e681957586c2d1e6ca1d4b615b8dd92a8930b5468d4/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-09-16 07:56:06 UTC
File Type:
Text (VBS)
AV detection:
10 of 38 (26.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ijfoffekjwuwfd3yrzubsv2ynqwr43fb2s3blog5skujgc2undka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ec78936cfd600f8f7b64b4d58bf9ea1fb2586c96e0e2fefa938c758712b24d1
Formbook
81b5aa53fb0d1d9e99a1444276172d115c6c9de90954ab02f6e29beeeda51a37
Formbook
8c0cd5bdae1355f8bc7f7af9102fb77eb8b52e432cdbe17c27456be4af1082ab
Formbook
8c9fd9ea38c16b4b38039c60d03c499aff67451f6fcd00d56abd4c81a6f2c3c2
Formbook
a4e1ceb8458e0bca4119adb33ded5b1ef154f0ba69594b2079fbbcfb48cbe4ce
Formbook
d6db45310338efda0778f101ea3378831370913796f5971fd861d9f2c3f49ef0
Formbook
decdb74ebd6bcdf8e64941b717e7830a401490f3d37437cc2110afcbc64d6606
Formbook
error
Formbook
f7752fa3cc9f5fcdfc5f0346401907e77494ac55c6c133ee115986cd723ee164
Formbook
fe6b659e6a6d19470cf5cfb5dfef263d22119463a6d084c31006c24c0045bd72
Formbook
+ 1'140 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook execution rat spyware stealer trojan
Link:
https://tria.ge/reports/250916-kbqc1aszfv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Badlisted process makes network request
Formbook payload
Formbook
Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/424ae2948a4da9628f788e681957586c2d1e6ca1d4b615b8dd92a8930b5468d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/27702/

Comments