MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 528a31d97ba6d5f57c4e502ea72ff289ee8233391c5657abe07158c731f93b13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 528a31d97ba6d5f57c4e502ea72ff289ee8233391c5657abe07158c731f93b13
SHA3-384 hash: ccbe8d4b82f2ed0791f62dde77154dd4a3aee389e706b88c9dd74df2505b59307efb9c986e7072f3d1f7cda404bb70cb
SHA1 hash: 79d8317bcbf5be0bfe0292cd1bdee55b8b4f7bd5
MD5 hash: d108caa56d663b4b844f4c55f8def50d
humanhash: sodium-salami-spaghetti-video
File name:swift copy.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:16'787 bytes
First seen:2025-10-10 13:27:58 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:tIyQxKcwoOV2zGYxHIluc3S6yQLiuFMGv1EZ+t2Mt0Vp:tTQx1g8lEi6yDIMGtEt
Threatray 2'027 similar samples on MalwareBazaar
TLSH T18472233B965CEFF00F6F62E0119B3D012064932AA9369D7DA8D680547F27B514FA78EC
Magika vba
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32317/
Detection(s):
TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e90a18777ae46bec410df1
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive obfuscated obfuscated powershell
Link:
https://www.filescan.io/uploads/68e90c4b9da6b44f3c8b1876/reports/6169c957-553a-49bc-81eb-c1003172e91b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/528a31d97ba6d5f57c4e502ea72ff289ee8233391c5657abe07158c731f93b13
Verdict:
Malicious
File Type:
vbs
First seen:
2025-10-08T18:55:00Z UTC
Last seen:
2025-10-12T10:02:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Script.Generic HEUR:Trojan.Multi.Stego.gen PDM:Trojan.Win32.Generic Trojan-Downloader.PowerShell.NanoShield.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic
Link:
https://opentip.kaspersky.com/528a31d97ba6d5f57c4e502ea72ff289ee8233391c5657abe07158c731f93b13/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1792845
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1792845 Sample: swift copy.vbs Startdate: 10/10/2025 Architecture: WINDOWS Score: 100 32 www.sohbetson.xyz 2->32 34 www.ricardo-1240.xyz 2->34 36 13 other IPs or domains 2->36 52 Suricata IDS alerts for network traffic 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Antivirus detection for URL or domain 2->56 60 10 other signatures 2->60 11 wscript.exe 1 2->11         started        signatures3 58 Performs DNS queries to domains with low reputation 34->58 process4 signatures5 64 VBScript performs obfuscated calls to suspicious functions 11->64 66 Suspicious powershell command line found 11->66 68 Wscript starts Powershell (via cmd or directly) 11->68 70 2 other signatures 11->70 14 powershell.exe 14 17 11->14         started        process6 dnsIp7 44 192.177.111.233, 49694, 80 EGIHOSTINGUS United States 14->44 46 ybgctdtbzvgpdxjivafy.supabase.co 172.64.149.246, 443, 49693 CLOUDFLARENETUS United States 14->46 48 ngfkjfy.icu 172.67.135.6, 443, 49692 CLOUDFLARENETUS United States 14->48 80 Writes to foreign memory regions 14->80 82 Injects a PE file into a foreign processes 14->82 18 MSBuild.exe 14->18         started        21 conhost.exe 14->21         started        signatures8 process9 signatures10 50 Maps a DLL or memory area into another process 18->50 23 nOlW0HJwFcnP.exe 18->23 injected process11 dnsIp12 38 www.zeova.life 159.198.76.235, 49704, 49705, 49706 CAT-IDC-4BYTENET-AS-APCATTELECOMPublicCompanyLtdCATT United States 23->38 40 www.vcimgq.mobi 154.218.66.154, 49699, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 23->40 42 2 other IPs or domains 23->42 62 Maps a DLL or memory area into another process 23->62 27 PATHPING.EXE 13 23->27         started        signatures13 process14 signatures15 72 Tries to steal Mail credentials (via file / registry access) 27->72 74 Tries to harvest and steal browser information (history, passwords, etc) 27->74 76 Modifies the context of a thread in another process (thread injection) 27->76 78 2 other signatures 27->78 30 firefox.exe 27->30         started        process16
Score:
75%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/528a31d97ba6d5f57c4e502ea72ff289ee8233391c5657abe07158c731f93b13
Verdict:
Malware
YARA:
1 match(es)
Tags:
DeObfuscated Obfuscated T1059.005 VBScript
Link:
https://app.malva.re/file/d108caa56d663b4b844f4c55f8def50d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/528a31d97ba6d5f57c4e502ea72ff289ee8233391c5657abe07158c731f93b13/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/528a31d97ba6d5f57c4e502ea72ff289ee8233391c5657abe07158c731f93b13
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-10-08 22:59:04 UTC
File Type:
Text (VBS)
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kkfddwl3u3k7k7cokaxkol7srhxiemzzdrlfpk7aofmmompzhmjq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
31067e4964e4e4c454217fd32a1e68221ae3f470be4faf28a85e48eaccf39162
Formbook
424ae2948a4da9628f788e681957586c2d1e6ca1d4b615b8dd92a8930b5468d4
Formbook
463ca562519e38f05cdeb5f5fac541e86030de27a655486d8737c91399077c4a
Formbook
515261ba7c77ffd970a3bb7e09d3f54fc5184d72ee48082fd3ac145f004f6e6e
Formbook
617fe3238bc5fa85c7621a6aa1ff24322f64a10a4bfd2118a9307bc2189fbad3
Formbook
7343fde1eb7ed90af6b923297177ae109f2ff9b8e86cee4f5961cf619fad81f4
Formbook
9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427
Formbook
9b8d42e1bfa06d35a1e433cf97eb75c7244cde1e46bc34858a87301143f5570c
Formbook
9ea3132e269bb19d4424f64b55907e533a39e4e4587932f37be3cbe2e0984d89
Formbook
b27f17a52b7a491a0887307a8e4984f283b8076c1e49d535863068c51758c8bc
Formbook
error
Formbook
+ 2'017 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251010-qw257acr4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Badlisted process makes network request
Formbook payload
Formbook
Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/528a31d97ba6d5f57c4e502ea72ff289ee8233391c5657abe07158c731f93b13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32317/

Comments