MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f5b63d901172b554c3672e42e86681f6526fe220c802a71533a1cb348292eb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f5b63d901172b554c3672e42e86681f6526fe220c802a71533a1cb348292eb7
SHA3-384 hash: 545e3eedf890d1451ca3a2e877a56ad8ff9e90a35537198f2465d4792994af98d15d4410e1e7ab00777b44b5cbab5235
SHA1 hash: 7ec6f09e48de75cfbb13ef1fb7c590a4e993b9c4
MD5 hash: f285655515152a3faf133b8c3c204bcb
humanhash: single-diet-fix-emma
File name:blsedengineringgoodforbetterwakingperofromance.vbe
Download: download sample
Signature Formbook
Create hunting rule
File size:130'783 bytes
First seen:2025-05-27 14:48:19 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 192:kFj4AHHAxwAnAHRASdAtAHpASMA4AAIA+AAfiHpAxyAtAAkASEAoiHkASUAnwHLf:wjjKunWzd6AXluCT3BlT
Threatray 35 similar samples on MalwareBazaar
TLSH T11FD359A1121FAE70C01257F78C1579A8C5A01E55C5DFAFCCE0AB10C67A4D3EAB2593E7
Magika vba
Reporter skocherhan
Tags:107-172-132-32 FormBook vbe


Avatar
skocherhan
http://107.172.132.32/590/blsedengineringgoodforbetterwakingperofromance.vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
GB GB
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.28795.23695.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6835d2c6668438e362e7723d
Tags:
n/a
Verdict:
Malicious
Labled as:
HEUR_Trojan_Script_Generic
Link:
https://www.hybrid-analysis.com/sample/4f5b63d901172b554c3672e42e86681f6526fe220c802a71533a1cb348292eb7
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1699913
Signature
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1699913 Sample: blsedengineringgoodforbette... Startdate: 27/05/2025 Architecture: WINDOWS Score: 100 45 www.mebuceiop.xyz 2->45 47 www.logicalcomputer.xyz 2->47 49 17 other IPs or domains 2->49 71 Suricata IDS alerts for network traffic 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Multi AV Scanner detection for submitted file 2->75 79 8 other signatures 2->79 11 wscript.exe 1 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 77 Performs DNS queries to domains with low reputation 47->77 process4 dnsIp5 83 Suspicious powershell command line found 11->83 85 Wscript starts Powershell (via cmd or directly) 11->85 87 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->87 89 Suspicious execution chain found 11->89 17 powershell.exe 14 15 11->17         started        57 127.0.0.1 unknown unknown 14->57 signatures6 process7 dnsIp8 41 208.89.61.141, 49686, 80 AXCELX-NETUS United States 17->41 43 107.172.132.32, 49687, 80 AS-COLOCROSSINGUS United States 17->43 67 Writes to foreign memory regions 17->67 69 Injects a PE file into a foreign processes 17->69 21 aspnet_compiler.exe 17->21         started        24 WMIADAP.exe 7 10 17->24         started        26 conhost.exe 17->26         started        28 aspnet_compiler.exe 17->28         started        signatures9 process10 signatures11 81 Maps a DLL or memory area into another process 21->81 30 Bk8yLnmz9gjJ.exe 21->30 injected process12 signatures13 91 Maps a DLL or memory area into another process 30->91 33 control.exe 13 30->33         started        process14 signatures15 59 Tries to steal Mail credentials (via file / registry access) 33->59 61 Tries to harvest and steal browser information (history, passwords, etc) 33->61 63 Modifies the context of a thread in another process (thread injection) 33->63 65 3 other signatures 33->65 36 yKwI7pHG.exe 33->36 injected 39 firefox.exe 33->39         started        process16 dnsIp17 51 www.mebuceiop.xyz 103.106.67.112, 49701, 49702, 49703 VOYAGERNET-AS-APVoyagerInternetLtdNZ New Zealand 36->51 53 www.g24yz.top 23.248.239.134, 49733, 49734, 49735 CNSERVERSUS United States 36->53 55 8 other IPs or domains 36->55
Score:
77%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4f5b63d901172b554c3672e42e86681f6526fe220c802a71533a1cb348292eb7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f5b63d901172b554c3672e42e86681f6526fe220c802a71533a1cb348292eb7/
Threat name:
Script-WScript.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-21 20:59:15 UTC
File Type:
Binary
AV detection:
5 of 37 (13.51%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j5nwhwibc4vvktbwolsc5btid5ssn7rcbsacu4kthiolgsbjf23q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
1954852d49e10ab60251b4d441456bde537c7f349297c2c9c972aaf6cd9f5065
Formbook
23f9fe7816885cdc1fa4082870eb0eb6804df4dc15cafb0cb4c301bc7bebe5ea
Formbook
25d96cd43fe35d1ab7dd8be793a2b54595876ba8514ab273efe59a345afaae14
Formbook
55021119b7a7a05fea8b2141242d77bf417462a9a55c7ebcf8a01fda46072602
Formbook
6d76eb3bddde98330c44eaad153adab619c41faa8fda8f32802b6d8046188618
Formbook
6e7b45cff195d3b5234ecb0d64022233bb382524960fee75316ffeb3c87ad102
Formbook
7065de23872ea88872ebf6d50dbd886cbc441c75b72fbac5f1fa632bd46006c2
Formbook
9568e856bd7e2469908c9ee8dfc816f94662dd9643e34c6ec6d3153656e82247
Formbook
error
Formbook
f2b4df24dff10c2c28917bea92e9fb7c752f26e0ed60bb5753584b7dff328162
Formbook
fd55dac59db1d3b1537ed0668b0dabaaa1cc6b178ef5c8cb758b7290f7e34030
Formbook
+ 25 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250527-r9dkeswlv6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f5b63d901172b554c3672e42e86681f6526fe220c802a71533a1cb348292eb7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

8a490ff6f629907b3f5e293283e2b96d

Formbook

Visual Basic Script (vbe) vbe 4f5b63d901172b554c3672e42e86681f6526fe220c802a71533a1cb348292eb7

(this sample)

  
Dropped by
MD5 8a490ff6f629907b3f5e293283e2b96d

Comments