MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b6a556176c71e37636f7eecd1272e9d9f2fc52d9e4b6293349700c78125ca41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11



SHA256 hash: 5b6a556176c71e37636f7eecd1272e9d9f2fc52d9e4b6293349700c78125ca41
SHA3-384 hash: 32ebbbe01c374a585a4c95f86df8d9cfb726ad03388564dc2aaec0cf60743d84dd2eb00d74489dfdc26d5749ff1bcd27
SHA1 hash: 4459348367691099f9e13b59e94e2756dfbea3cc
MD5 hash: 5b1ee59d8d5c5343d00cded76df9fc70
humanhash: nitrogen-tennessee-london-football
File name: Purchase Order_222447UUB-xlx.vbs
Signature: Formbook
File size: 677'937 bytes
First seen: 2025-08-26 06:52:43 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 12288:9MMn4dofSKOWH7KZq44lH7JZkhOk9E9h4yJlQpBskeNJtTySUa:94PZqNN37k9EH4yJCveNJVyta
TLSH: T183E4F1308BD87F698B98550BE0BD161E5FB0438BD42675CEB763BD876FAED40060B189
Magika: vba
Reporter: abuse_ch
Tags: FormBook, vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 41
Origin country: SE
Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Verdict: Malicious
File Type: text
First seen: 2025-08-25T23:58:00Z UTC
Last seen: 2025-08-25T23:58:00Z UTC
Hits: ~100
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Benign windows process drops PE files
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Potential malicious VBS script found (has network functionality)
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected FormBook
Behaviour
Behavior Graph ID 1765161 (sample Purchase Order_222447UUB-xlx.vbs, start date 26/08/2025, architecture WINDOWS, score 100). The graph image itself is not reproduced here; the process tree, dropped files and network contacts recoverable from it are:

Start node signatures: Suricata IDS alerts for network traffic; antivirus detection for dropped file; multi AV scanner detection for submitted file; 7 other signatures. DNS/IP nodes attached to the start node: www.translateplatform.xyz (performs DNS queries to domains with low reputation), quadcorps.services, and 13 other IPs or domains.

wscript.exe (runs the submitted .vbs)
  signatures: benign Windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Windows Scripting Host queries suspicious COM object (likely to drop second stage)
  dropped: C:\Users\user\AppData\Local\Temp\svchost.js (ASCII); C:\Users\user\AppData\Local\Temp\excel.xls (OpenDocument)
  started: wscript.exe (second instance); EXCEL.EXE
    wscript.exe (second instance)
      dropped: C:\Users\user\AppData\Local\Temp\dgYRf.exe (PE32)
      started: dgYRf.exe
        dgYRf.exe
          signatures: antivirus detection for dropped file; multi AV scanner detection for dropped file; maps a DLL or memory area into another process
          injected into: WAjjMO3F.exe
            WAjjMO3F.exe
              signatures: maps a DLL or memory area into another process
              started: runonce.exe; poqexec.exe
                runonce.exe
                  signatures: tries to steal Mail credentials (via file / registry access); tries to harvest and steal browser information (history, passwords, etc); modifies the context of a thread in another process (thread injection); 3 other signatures
                  injected into: XFDqqxCxW9.exe
                  started: firefox.exe
                    XFDqqxCxW9.exe
                      network: quadcorps.services 15.197.225.128 (ports 49727, 49728, 49729; TANDEMUS, United States); www.dirtyductsdallas.info 74.208.236.138 (ports 49723, 49724, 49725; ONEANDONE-ASBrauerstrasse48DE, United States); 2 other IPs or domains
    EXCEL.EXE
      network: s-part-0012.t-0009.t-msedge.net 13.107.246.40 (ports 443, 49717, 49720; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
      started: splwow64.exe
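The sandbox process chain above and the Sigma rule titles in the signature list (script interpreter execution from a suspicious folder, WScript or CScript dropper) describe behaviour that is straightforward to check for in endpoint telemetry. What follows is an added example, not part of the MalwareBazaar page and not any vendor's rule: a small Python triage over constructed process-creation and file-write events modelled on the graph (wscript.exe running the .vbs from %TEMP% and writing svchost.js, excel.xls and dgYRf.exe). The event layout, the folder and extension lists, and the two benign control events are assumptions for illustration; the two checks are simplified paraphrases of the Sigma rule titles, not the Sigma rules themselves.

```python
"""Added example (not from the MalwareBazaar page or any vendor): a small
triage over constructed endpoint events modelled on the behaviour graph above.
The rules are simplified paraphrases of the Sigma rule titles listed for this
sample, not the Sigma rules themselves."""
import re
from dataclasses import dataclass

# Windows Script Host binaries that run .vbs/.js payloads.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script extensions worth flagging when launched by a script host.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta)\b", re.IGNORECASE)
# Folders from which script execution is unusual on a workstation (assumption).
SUSPICIOUS_DIRS = re.compile(
    r"\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\Downloads\\", re.IGNORECASE)
# File types a script host should not normally be writing (assumption; the
# .xls drop seen in the graph is deliberately outside this list).
DROP_EXT = re.compile(r"\.(exe|dll|js|jse|vbs|vbe|ps1|bat|cmd)$", re.IGNORECASE)


@dataclass
class Event:
    kind: str            # "process" (process creation) or "file" (file write)
    image: str           # basename of the acting process
    cmdline: str = ""    # command line, for process events
    target: str = ""     # path written, for file events


# Constructed events: the wscript.exe entries mirror the graph (launched from
# %TEMP%, dropping svchost.js, excel.xls and dgYRf.exe); explorer.exe, the
# cscript.exe slmgr call and the Excel save are benign controls that must not fire.
EVENTS = [
    Event("process", "explorer.exe", cmdline=r"C:\Windows\explorer.exe"),
    Event("process", "wscript.exe",
          cmdline=r'"C:\Windows\System32\wscript.exe" '
                  r'"C:\Users\user\AppData\Local\Temp\Purchase Order_222447UUB-xlx.vbs"'),
    Event("file", "wscript.exe", target=r"C:\Users\user\AppData\Local\Temp\svchost.js"),
    Event("file", "wscript.exe", target=r"C:\Users\user\AppData\Local\Temp\excel.xls"),
    Event("file", "wscript.exe", target=r"C:\Users\user\AppData\Local\Temp\dgYRf.exe"),
    Event("process", "cscript.exe",
          cmdline=r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv"),
    Event("file", "EXCEL.EXE", target=r"C:\Users\user\Documents\report.xlsx"),
]


def script_from_suspicious_folder(ev: Event) -> bool:
    """Script host launching a script file that lives in a suspicious folder."""
    return (ev.kind == "process"
            and ev.image.lower() in SCRIPT_HOSTS
            and SCRIPT_EXT.search(ev.cmdline) is not None
            and SUSPICIOUS_DIRS.search(ev.cmdline) is not None)


def script_host_dropper(ev: Event) -> bool:
    """Script host writing an executable or second-stage script to disk."""
    return (ev.kind == "file"
            and ev.image.lower() in SCRIPT_HOSTS
            and DROP_EXT.search(ev.target) is not None)


def triage(events):
    """Return (event index, rule title) for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if script_from_suspicious_folder(ev):
            hits.append((i, "Script Interpreter Execution From Suspicious Folder"))
        if script_host_dropper(ev):
            hits.append((i, "WScript or CScript Dropper"))
    return hits


if __name__ == "__main__":
    for idx, title in triage(EVENTS):
        ev = EVENTS[idx]
        print(f"[{title}] {ev.image}: {ev.cmdline or ev.target}")
```

Run stand-alone it reports the .vbs launch from %TEMP% and the two script-host drops (svchost.js, dgYRf.exe); the excel.xls write is left to the process-tree view (EXCEL.EXE being started by a script host) rather than to the extension list, and the cscript.exe slmgr.vbs call from System32 shows why the folder condition matters for keeping the first rule quiet on normal hosts.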
Verdict: Malware
YARA: 2 match(es)
Tags: ADODB.Stream APT APT38 DeObfuscated Lazarus Malicious Malicious Document Microsoft.XMLDOM Obfuscated RAT Scripting.FileSystemObject T1059.005 VBScript WScript.Shell
Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2025-08-26 05:31:11 UTC
File Type: Text (VBS)
AV detection: 11 of 38 (28.95%)
Threat level: 2/5
Verdict: malicious
Label(s): formbook
Similar samples:
Result
Malware family: n/a
Score: 7/10
Tags: discovery execution
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: SUSP_Double_Base64_Encoded_Executable_RID34CC
Author: Florian Roth
Description: Detects an executable that has been encoded with base64 twice
Reference: https://twitter.com/TweeterCyber/status/1189073238803877889
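To make the second rule's description concrete, here is an added example that is neither the YARA rule nor code from MalwareBazaar or the rule's author: a Python check that scans a text blob for base64 runs, decodes each run up to two layers deep and reports the layer at which a DOS/PE header (MZ with e_lfanew pointing at PE\0\0) appears. This decode-and-inspect approach is a stand-in for the fixed-string matching a YARA rule would do. The payload is a constructed minimal PE-like header, not the real sample, and the minimum run length in the regex is an assumption.

```python
"""Added example (not the YARA rule and not MalwareBazaar code): find
executables that were base64-encoded once or twice inside a text blob, the
idea behind SUSP_Double_Base64_Encoded_Executable. Instead of matching fixed
strings, it decodes each base64 run up to two layers and checks for a DOS/PE
header. The payload is a constructed minimal PE-like header, not the sample."""
import base64
import binascii
import re
import struct

# Minimum run length is an assumption; short runs are mostly false positives.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def fake_pe() -> bytes:
    """Constructed 64-byte DOS header whose e_lfanew points at a PE signature."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", dos, 0x3c, 0x40)      # e_lfanew = 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 16


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_encoded_executables(text: bytes, max_layers: int = 2):
    """Return (offset, layers) for each base64 run that decodes, within
    max_layers successive decodes, to something with a PE header."""
    findings = []
    for m in B64_RUN.finditer(text):
        data = m.group(0)
        for layer in range(1, max_layers + 1):
            try:
                data = base64.b64decode(data, validate=True)
            except (binascii.Error, ValueError):
                break                      # not (or no longer) valid base64
            if looks_like_pe(data):
                findings.append((m.start(), layer))
                break
    return findings


def build_sample_document() -> bytes:
    """Constructed script text: one double-encoded PE, one single-encoded PE,
    and one harmless base64 string that must not be reported."""
    once = base64.b64encode(fake_pe())
    twice = base64.b64encode(once)
    benign = base64.b64encode(b"just some configuration text, nothing to see" * 2)
    return (b'Dim a: a = "' + twice + b'"\r\n'
            b'Dim b: b = "' + once + b'"\r\n'
            b'Dim c: c = "' + benign + b'"\r\n')


if __name__ == "__main__":
    for offset, layers in find_encoded_executables(build_sample_document()):
        print(f"PE header found at offset {offset} after {layers} base64 layer(s)")
```

The benign string survives one decode (it is valid base64) but the resulting plain text contains spaces and punctuation, so the strict second decode fails and nothing is reported; the PE check on the decoded bytes, rather than a bare "MZ" prefix test, is what keeps random binary from matching.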

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments