MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51a2ac7034e51c1d3304ffec341ff89b04014d393fd1ffee14a51010e33fa340. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51a2ac7034e51c1d3304ffec341ff89b04014d393fd1ffee14a51010e33fa340
SHA3-384 hash: 8e6a1cfe6683733285cd9060e084029039c43db7f277392ab6263d4434e85735a864e79b4afcbf63347a726b4c2c6211
SHA1 hash: 55dc22f4e1f6e49e023803bb5a7a697bfca4c339
MD5 hash: d7c6d928034e29edc3e9c0c2ee8933b8
humanhash: zulu-juliet-missouri-missouri
File name:Absa Proof of Payment.vbe
Download: download sample
Signature Formbook
Create hunting rule
File size:2'061'264 bytes
First seen:2025-12-10 05:40:27 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:application/octet-stream
ssdeep 12288:t0ld6398GBCF9CIadzgVQ5KOChBpW3TcaRtFThYbrwBOS2Os4gvuZ/D5P7IoMgRD:sQ39PGmdmEwpScUThFm+Z/l
TLSH T1B895A25D84B1ACD3A054FEB4F685FFD78C9B5385162B07421FE4858A3312C83FAA72A5
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter abuse_ch
Tags:FormBook vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69390808bde6a3e5970fac01
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/693907fecf690d27f3da9c27/reports/9a546e73-3c14-43db-b791-a490c303e8b7/overview
Verdict:
Malicious
Labled as:
VBS/Agent.TEM trojan
Link:
https://www.hybrid-analysis.com/sample/51a2ac7034e51c1d3304ffec341ff89b04014d393fd1ffee14a51010e33fa340
Verdict:
Malicious
File Type:
vbe
First seen:
2025-12-09T20:18:00Z UTC
Last seen:
2025-12-12T03:27:00Z UTC
Hits:
~1000
Detections:
HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.VBS.Agent.gen HEUR:Trojan.Script.Generic Trojan-Downloader.JS.SLoad.sb Trojan-Downloader.JS.Cryptoload.sb Trojan.VBS.SAgent.sb Trojan.JS.SAgent.sb
Link:
https://opentip.kaspersky.com/51a2ac7034e51c1d3304ffec341ff89b04014d393fd1ffee14a51010e33fa340/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1830020
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1830020 Sample: Absa Proof of Payment.vbe Startdate: 10/12/2025 Architecture: WINDOWS Score: 100 71 www.taviyo.xyz 2->71 73 www.crmportalmail.xyz 2->73 75 26 other IPs or domains 2->75 89 Malicious sample detected (through community Yara rule) 2->89 91 Multi AV Scanner detection for submitted file 2->91 93 Yara detected FormBook 2->93 97 8 other signatures 2->97 12 wscript.exe 1 2->12         started        15 wscript.exe 8 2 2->15         started        signatures3 95 Performs DNS queries to domains with low reputation 73->95 process4 file5 107 Suspicious powershell command line found 12->107 109 Wscript starts Powershell (via cmd or directly) 12->109 18 powershell.exe 12->18         started        21 powershell.exe 12->21         started        23 powershell.exe 12->23         started        29 15 other processes 12->29 69 C:\Users\user\AppData\...\gJLgMBCDLnmnvZC.vbs, ASCII 15->69 dropped 111 Windows Shell Script Host drops VBS files 15->111 113 Windows Scripting host queries suspicious COM object (likely to drop second stage) 15->113 115 Suspicious execution chain found 15->115 117 2 other signatures 15->117 25 powershell.exe 11 15->25         started        27 WmiPrvSE.exe 282 15->27         started        signatures6 process7 signatures8 31 MSBuild.exe 18->31         started        34 conhost.exe 18->34         started        36 conhost.exe 21->36         started        38 MSBuild.exe 21->38         started        40 conhost.exe 23->40         started        42 MSBuild.exe 23->42         started        83 Writes to foreign memory regions 25->83 85 Injects a PE file into a foreign processes 25->85 44 MSBuild.exe 25->44         started        46 conhost.exe 25->46         started        48 29 other processes 29->48 process9 signatures10 50 wnhLHUyQQqt01T.exe 31->50 injected 119 Maps a DLL or memory area into another process 44->119 121 Unusual module load detection (module proxying) 44->121 53 l8CNUiTeAdd.exe 44->53 injected process11 signatures12 55 fixmapi.exe 50->55         started        87 Maps a DLL or memory area into another process 53->87 57 fixmapi.exe 13 53->57         started        process13 signatures14 99 Tries to steal Mail credentials (via file / registry access) 57->99 101 Tries to harvest and steal browser information (history, passwords, etc) 57->101 103 Modifies the context of a thread in another process (thread injection) 57->103 105 4 other signatures 57->105 60 iCkojKyeO.exe 57->60 injected 63 chrome.exe 57->63         started        65 firefox.exe 57->65         started        process15 dnsIp16 77 www.taviyo.xyz 203.161.58.88, 49706, 49707, 49708 VNPT-AS-VNVNPTCorpVN Malaysia 60->77 79 www.57439887.xyz 96.47.166.117, 49692, 80 ATTIS-ASN4185US United States 60->79 81 11 other IPs or domains 60->81 67 WerFault.exe 63->67         started        process17
Verdict:
Malware
YARA:
1 match(es)
Tags:
DeObfuscated Obfuscated T1059.005 VBScript VBScript Encoded WScript.Shell
Link:
https://app.malva.re/file/d7c6d928034e29edc3e9c0c2ee8933b8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51a2ac7034e51c1d3304ffec341ff89b04014d393fd1ffee14a51010e33fa340/
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.SLoad
Link:
https://tip.neiki.dev/file/51a2ac7034e51c1d3304ffec341ff89b04014d393fd1ffee14a51010e33fa340
Threat name:
Script.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-10 02:45:08 UTC
File Type:
Binary
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgrky4bu4uob2mye77wdih7ytmcactjzh7i773quuuibbyz7unaa._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251210-gdmhcavkb1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51a2ac7034e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/51a2ac7034e51c1d3304ffec341ff89b04014d393fd1ffee14a51010e33fa340

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments