MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fdd79b1b60575e0e10c37a7203f6c07ed57f17bbba740c2c592e2aa668963b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4fdd79b1b60575e0e10c37a7203f6c07ed57f17bbba740c2c592e2aa668963b1
SHA3-384 hash: a85de5b1fae3141443a44dcb5b98d5fb1920cc2c52939ca9ac0313a8a492e8a1f2dbd050a515ce553d1268545cd25bd6
SHA1 hash: 71249ac1ab3ea2703c4f8d652ba6026e396481ae
MD5 hash: 3af21360adbb6bece7bda51390736e8e
humanhash: london-arkansas-pennsylvania-carpet
File name:55,000 receipt 18-03-2024 _PDF.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:453'764 bytes
First seen:2024-03-18 07:05:20 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 6144:xaKcKwvmmu4I3j0Bcz26Y6YAD0RX4ObivYiVrW60WKpVK2wo0QxnlZWzhAbsJrhI:Zw7uLcAYDX4ObinW60zItQ7ZqhAYzhG
Threatray 49 similar samples on MalwareBazaar
TLSH T19AA423B92DA9BDD7433AFCAF702A09531F04178F9A5AAD3D3184189312F2344EEBD519
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.26270.JsHeur.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper masquerade obfuscated packed
Link:
https://www.filescan.io/uploads/65f7e7db5cd908a33db7a211/reports/afde2ddf-a00f-4a63-ad16-a5c245e85ace/overview
Verdict:
Suspicious
Labled as:
TrojanDropper/Agent.fg
Link:
https://www.hybrid-analysis.com/sample/4fdd79b1b60575e0e10c37a7203f6c07ed57f17bbba740c2c592e2aa668963b1
Result
Verdict:
MALICIOUS
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1410616
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Benign windows process drops PE files
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Potential malicious VBS script found (has network functionality)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1410616 Sample: 55,000 receipt 18-03-2024 _... Startdate: 18/03/2024 Architecture: WINDOWS Score: 100 38 xiaoyue.zhuangkou.com 2->38 40 www.usebanq.com 2->40 42 6 other IPs or domains 2->42 52 Snort IDS alert for network traffic 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Yara detected FormBook 2->56 58 4 other signatures 2->58 11 wscript.exe 2 2->11         started        signatures3 process4 file5 36 C:\Users\user\AppData\Local\...\payload.exe, PE32 11->36 dropped 62 Benign windows process drops PE files 11->62 64 VBScript performs obfuscated calls to suspicious functions 11->64 66 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->66 15 payload.exe 1 11->15         started        signatures6 process7 signatures8 76 Multi AV Scanner detection for dropped file 15->76 78 Machine Learning detection for dropped file 15->78 80 Writes to foreign memory regions 15->80 82 2 other signatures 15->82 18 CasPol.exe 15->18         started        21 CasPol.exe 15->21         started        23 CasPol.exe 15->23         started        process9 signatures10 50 Maps a DLL or memory area into another process 18->50 25 QACebkxpVnaLdNKvPcYdKLZsg.exe 18->25 injected process11 signatures12 60 Maps a DLL or memory area into another process 25->60 28 fc.exe 13 25->28         started        process13 signatures14 68 Tries to steal Mail credentials (via file / registry access) 28->68 70 Tries to harvest and steal browser information (history, passwords, etc) 28->70 72 Modifies the context of a thread in another process (thread injection) 28->72 74 2 other signatures 28->74 31 QACebkxpVnaLdNKvPcYdKLZsg.exe 28->31 injected 34 firefox.exe 28->34         started        process15 dnsIp16 44 xiaoyue.zhuangkou.com 47.76.88.64, 49714, 80 VODAFONE-TRANSIT-ASVodafoneNZLtdNZ United States 31->44 46 www.torikushitakasago.com 202.233.66.121, 49729, 49730, 49731 U-NETSURFUNIADEXLTDJP Japan 31->46 48 4 other IPs or domains 31->48
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4fdd79b1b60575e0e10c37a7203f6c07ed57f17bbba740c2c592e2aa668963b1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4fdd79b1b60575e0e10c37a7203f6c07ed57f17bbba740c2c592e2aa668963b1/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2024-03-18 07:06:05 UTC
File Type:
Text (VBS)
AV detection:
8 of 23 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j7oxtmnwav26byimg6tsap3ma7wvp4l3xotubqwfslrkuzujmoyq._file
Verdict:
malicious
Similar samples:
0c6464c591cc6b648fccfdc52a238eff7ffc2e1faebe7b62d9b93dc002fa47de
Formbook
3592d42bcd4e637e9f179e9a6a1ed0a7200bd3b5ee52f8c498eac7b837daa318
Formbook
8344c050d975fa230fac72dfd859f10d80db6750ac7a30899bd1b6814f8268fb
Formbook
9b1a04a9a7488c5c618d00ee10920203d5bb51cc2c3470aae460f7a971a44843
Formbook
afa51f3ed1e632fb81a829606a5fb23f6e4197b70d4c27f23a8ca6ccbaa0ddd7
Formbook
+ 39 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240318-hw3sqabg3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4fdd79b1b60575e0e10c37a7203f6c07ed57f17bbba740c2c592e2aa668963b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments