MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 427b0a2956a20378043342535ddf6fda911ae9522ac2b46a67bfa4a4c60cab8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 427b0a2956a20378043342535ddf6fda911ae9522ac2b46a67bfa4a4c60cab8e
SHA3-384 hash: 6a32a1c4d897ac71977a480f8ccfae083bf370653aba4eedf192180fd3b208a2756472334a530ebecb5ab8986ed947a4
SHA1 hash: 39e1dac422e0d6ed350eb1f0d950194f66ace46a
MD5 hash: 7290d7a412f22735588fbc8d2206dfff
humanhash: muppet-bakerloo-apart-earth
File name:TNT Invoice 09004105_pdf.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:4'950 bytes
First seen:2024-04-06 07:28:09 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:KJF8fIyGZ2k9QqcGnDc3pZtdZMDqK+eB8rio9xsRrCStQqJ:CiQ12kZc3tw29xs99
TLSH T141A1485653FA4500B2F39A4C983666680F7B7A6A693D861C04EC2C1D1FF3B849C367B7
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:FormBook TNT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/6610f9c2d463a7b047824b77/reports/5ba7e262-cb9b-433b-9578-f6537a6a5676/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/427b0a2956a20378043342535ddf6fda911ae9522ac2b46a67bfa4a4c60cab8e
Result
Verdict:
MALICIOUS
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1421265
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1421265 Sample: TNT Invoice 09004105_pdf.vbs Startdate: 06/04/2024 Architecture: WINDOWS Score: 100 48 paste.ee 2->48 50 www.rhyme.academy 2->50 52 11 other IPs or domains 2->52 70 Snort IDS alert for network traffic 2->70 72 Multi AV Scanner detection for domain / URL 2->72 74 Malicious sample detected (through community Yara rule) 2->74 78 12 other signatures 2->78 12 wscript.exe 14 2->12         started        16 wscript.exe 2->16         started        18 wscript.exe 2->18         started        signatures3 76 Connects to a pastebin service (likely for C&C) 48->76 process4 dnsIp5 64 paste.ee 104.21.84.67, 443, 49730 CLOUDFLARENETUS United States 12->64 102 System process connects to network (likely due to code injection or exploit) 12->102 104 VBScript performs obfuscated calls to suspicious functions 12->104 106 Suspicious powershell command line found 12->106 110 4 other signatures 12->110 20 powershell.exe 7 12->20         started        108 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->108 signatures6 process7 signatures8 80 Suspicious powershell command line found 20->80 82 Found suspicious powershell code related to unpacking or dynamic code loading 20->82 23 powershell.exe 15 16 20->23         started        27 conhost.exe 20->27         started        process9 dnsIp10 54 uploaddeimagens.com.br 172.67.215.45, 443, 49731, 49732 CLOUDFLARENETUS United States 23->54 56 fanconom.shop 185.61.152.60, 443, 49733 NAMECHEAP-NETUS United Kingdom 23->56 92 Suspicious powershell command line found 23->92 94 Creates autostart registry keys with suspicious values (likely registry only malware) 23->94 96 Writes to foreign memory regions 23->96 98 Injects a PE file into a foreign processes 23->98 29 MSBuild.exe 23->29         started        32 powershell.exe 12 23->32         started        signatures11 process12 signatures13 112 Maps a DLL or memory area into another process 29->112 34 mXlYyhqTEXIWkMJjFSvMowKFU.exe 29->34 injected 37 conhost.exe 32->37         started        process14 signatures15 66 Maps a DLL or memory area into another process 34->66 68 Found direct / indirect Syscall (likely to bypass EDR) 34->68 39 SyncHost.exe 13 34->39         started        process16 signatures17 84 Tries to steal Mail credentials (via file / registry access) 39->84 86 Tries to harvest and steal browser information (history, passwords, etc) 39->86 88 Modifies the context of a thread in another process (thread injection) 39->88 90 2 other signatures 39->90 42 mXlYyhqTEXIWkMJjFSvMowKFU.exe 39->42 injected 46 firefox.exe 39->46         started        process18 dnsIp19 58 www.rhyme.academy 216.40.34.41, 49740, 80 TUCOWSCA Canada 42->58 60 bnbuotqakx.shop 101.99.93.157, 49746, 49747, 49748 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 42->60 62 2 other IPs or domains 42->62 100 Found direct / indirect Syscall (likely to bypass EDR) 42->100 signatures20
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/427b0a2956a20378043342535ddf6fda911ae9522ac2b46a67bfa4a4c60cab8e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/427b0a2956a20378043342535ddf6fda911ae9522ac2b46a67bfa4a4c60cab8e/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2024-04-05 03:41:36 UTC
File Type:
Text (VBS)
AV detection:
8 of 37 (21.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ij5qukkwuibxqbbtijjv3x3p3kirv2ksflbli2thx6skjrqmvoha._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/240406-ja8yaade5x/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/427b0a2956a20378043342535ddf6fda911ae9522ac2b46a67bfa4a4c60cab8e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments