MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a9154e1accebc00701886ac29a82e973abbbf4141ec9b4af5f505d1b4da0e36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a9154e1accebc00701886ac29a82e973abbbf4141ec9b4af5f505d1b4da0e36
SHA3-384 hash: 2084d8ed50ce59461b6b044deda45249ec1a8246c67399e52756f39e6e8214913b31feab4a42020e924d897629c50b5a
SHA1 hash: dddd6e905fc5d63c79f4c58b47f1333ada7939e5
MD5 hash: 479fe21d1995faa9e2f152dfae09e949
humanhash: pizza-lion-alaska-mango
File name:479fe21d1995faa9e2f152dfae09e949.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:1'316'012 bytes
First seen:2024-11-14 08:13:42 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:g8w532GoFtmNqTbMQsbLSDHr1lrYYWpB/BRwVccG/xkI2W/Y73TBw77:sUGcsbenYYWZsWcG/sTNC7
TLSH T14C55E052FF563F4C3C61C2E1282FBA459DCDADFB02B4EAE9D03E32152981991055FA39
Magika vba
Reporter JAMESWT_WT
Tags:AgidCert FormBook Spam-ITA vbs www-vasehu-xyz

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.4244.11128.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6735b19734b6906b3482b258
Tags:
agenttesla infosteal
Verdict:
Malicious
Labled as:
GT:VB.AgentTesla.4
Link:
https://www.hybrid-analysis.com/sample/4a9154e1accebc00701886ac29a82e973abbbf4141ec9b4af5f505d1b4da0e36
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1554308
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Potential evasive VBS script found (sleep loop)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1554308 Sample: 0CkEHZjZgO.vbs Startdate: 12/11/2024 Architecture: WINDOWS Score: 100 48 Suricata IDS alerts for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Yara detected FormBook 2->52 54 6 other signatures 2->54 10 wscript.exe 2 2->10         started        process3 file4 36 C:\Users\user\AppData\...\temp_file_rhjRS.exe, PE32 10->36 dropped 68 Benign windows process drops PE files 10->68 70 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->70 72 Suspicious execution chain found 10->72 14 temp_file_rhjRS.exe 2 10->14         started        signatures5 process6 signatures7 78 Antivirus detection for dropped file 14->78 80 Machine Learning detection for dropped file 14->80 82 Writes to foreign memory regions 14->82 84 2 other signatures 14->84 17 RegAsm.exe 14->17         started        process8 signatures9 46 Maps a DLL or memory area into another process 17->46 20 LHXJJggpVplOZ.exe 17->20 injected process10 signatures11 56 Maps a DLL or memory area into another process 20->56 58 Found direct / indirect Syscall (likely to bypass EDR) 20->58 23 gpupdate.exe 1 20 20->23         started        process12 dnsIp13 38 www.sqlite.org 45.33.6.223, 49166, 80 LINODE-APLinodeLLCUS United States 23->38 34 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 23->34 dropped 60 Tries to steal Mail credentials (via file / registry access) 23->60 62 Tries to harvest and steal browser information (history, passwords, etc) 23->62 64 Maps a DLL or memory area into another process 23->64 66 Queues an APC in another process (thread injection) 23->66 28 LHXJJggpVplOZ.exe 23->28 injected 32 firefox.exe 23->32         started        file14 signatures15 process16 dnsIp17 40 www.vasehub.xyz 28->40 42 myjiorooms.services 15.197.148.33, 49167, 49168, 49169 TANDEMUS United States 28->42 44 3 other IPs or domains 28->44 74 Found direct / indirect Syscall (likely to bypass EDR) 28->74 signatures18 76 Performs DNS queries to domains with low reputation 40->76
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4a9154e1accebc00701886ac29a82e973abbbf4141ec9b4af5f505d1b4da0e36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a9154e1accebc00701886ac29a82e973abbbf4141ec9b4af5f505d1b4da0e36/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-11-12 13:14:51 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jkivjynmz26aa4ayq2wctkbos45lxp2bihwjwsxv6uc5dng2by3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
error
Formbook
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/241114-j4zlpsweql/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4a9154e1acce/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a9154e1accebc00701886ac29a82e973abbbf4141ec9b4af5f505d1b4da0e36

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments