MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d876d62f1291cfc7bf91819bd1fe4ba4da76828e7542704fd2f2605a5fa39b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d876d62f1291cfc7bf91819bd1fe4ba4da76828e7542704fd2f2605a5fa39b7
SHA3-384 hash: 502a3980026c24275f260615f69347fec4b86d485535276c0e49b1b6ef3713ab25a9ad880612a2036269e806cf6bbe36
SHA1 hash: 7cdce2d9268039b378ad4aa43faa1b2f31824f2b
MD5 hash: eea263df06eedb62e8ef52449d443147
humanhash: victor-magazine-edward-cardinal
File name:Employee May performance report.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:22'080 bytes
First seen:2024-06-11 19:01:24 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:QphF0OupkJEIrWJIxrDhnbJ2JsEk2ZMPc6q:QphiOupkJRWJIxrlbQGElZMk6q
Threatray 4'235 similar samples on MalwareBazaar
TLSH T160A27DF4C8421F847F0F1BB640E97CE494B460B656303923B9CBA16A7D113D9ADE86DE
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Inject5.5642.32199.22631.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Script.SNH-gen.25310.14234.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6668a0cf5c0e232c1ff05100win7simulatehigh_evasion
Tags:
g e n e r i c k d
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/66689f350bf5978c0b0e65e0/reports/0d0a5ebf-e6b8-467b-8042-c55dca0739a3/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/5d876d62f1291cfc7bf91819bd1fe4ba4da76828e7542704fd2f2605a5fa39b7
Result
Verdict:
MALICIOUS
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1454452
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Searches for Windows Mail specific files
Sigma detected: Steal Google chrome login data
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1454452 Sample: Employee May performance re... Startdate: 10/06/2024 Architecture: WINDOWS Score: 100 63 shops.myshopify.com 2->63 65 cookygan.com 2->65 67 7 other IPs or domains 2->67 79 Snort IDS alert for network traffic 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 11 other signatures 2->85 13 wscript.exe 1 2->13         started        17 rundll32.exe 2->17         started        signatures3 process4 file5 59 C:\Users\user\AppData\...\Appelsinerne.txt, ASCII 13->59 dropped 111 VBScript performs obfuscated calls to suspicious functions 13->111 113 Suspicious powershell command line found 13->113 115 Wscript starts Powershell (via cmd or directly) 13->115 117 2 other signatures 13->117 19 powershell.exe 14 19 13->19         started        signatures6 process7 dnsIp8 69 drive.usercontent.google.com 142.250.186.161, 443, 49733, 49741 GOOGLEUS United States 19->69 71 drive.google.com 142.250.186.174, 443, 49732, 49740 GOOGLEUS United States 19->71 87 Suspicious powershell command line found 19->87 89 Very long command line found 19->89 91 Found suspicious powershell code related to unpacking or dynamic code loading 19->91 23 powershell.exe 17 19->23         started        26 conhost.exe 19->26         started        28 cmd.exe 1 19->28         started        signatures9 process10 signatures11 99 Writes to foreign memory regions 23->99 101 Found suspicious powershell code related to unpacking or dynamic code loading 23->101 30 wab.exe 6 23->30         started        33 cmd.exe 1 23->33         started        process12 signatures13 119 Modifies the context of a thread in another process (thread injection) 30->119 121 Maps a DLL or memory area into another process 30->121 123 Sample uses process hollowing technique 30->123 125 2 other signatures 30->125 35 explorer.exe 46 12 30->35 injected process14 dnsIp15 73 cookygan.com 3.33.130.190, 49743, 49744, 80 AMAZONEXPANSIONGB United States 35->73 75 www.wjzjs.com 35.244.167.74, 49745, 49746, 80 GOOGLEUS United States 35->75 93 System process connects to network (likely due to code injection or exploit) 35->93 95 Searches for Windows Mail specific files 35->95 97 Uses ipconfig to lookup or modify the Windows network settings 35->97 39 ipconfig.exe 1 18 35->39         started        43 wab.exe 1 35->43         started        45 wab.exe 35->45         started        signatures16 process17 file18 55 C:\Users\user\AppData\...\J13logrv.ini, data 39->55 dropped 57 C:\Users\user\AppData\...\J13logri.ini, data 39->57 dropped 103 Detected FormBook malware 39->103 105 Tries to steal Mail credentials (via file / registry access) 39->105 107 Tries to harvest and steal browser information (history, passwords, etc) 39->107 109 6 other signatures 39->109 47 cmd.exe 2 39->47         started        51 firefox.exe 39->51         started        signatures19 process20 file21 61 C:\Users\user\AppData\Local\Temp\DB1, SQLite 47->61 dropped 77 Tries to harvest and steal browser information (history, passwords, etc) 47->77 53 conhost.exe 47->53         started        signatures22 process23
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/5d876d62f1291cfc7bf91819bd1fe4ba4da76828e7542704fd2f2605a5fa39b7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5d876d62f1291cfc7bf91819bd1fe4ba4da76828e7542704fd2f2605a5fa39b7/
Threat name:
Script-WScript.Trojan.Guloader
Create hunting rule
Status:
Suspicious
First seen:
2024-06-11 19:02:09 UTC
File Type:
Text (VBS)
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lwdw2yxrfeopy67zdam32h7exjg2o2bi45kcobh5f4taljp2hg3q._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0eab8b2bd23f7d06734b61ba357c9fab1d97758eeb5afe2bd89fc293b88a8674
Formbook
247c8156cf06c5d9dec7d5fa0b158339110b556d41b0750bff34d36086554746
Formbook
71bfeeb8ef35de17f04b4d6d1b101a28d687341049957f1569f8b147cdc18639
Formbook
982a9a52e532bbfe52941c4ab95c2899c1af75e9a3eee2b1977e3f49e8a3e71e
Formbook
a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7
Formbook
a98c998bfd92e84cee4401dd2ca4f4a088043e33cc414ffb8d26f4af871e50bd
Formbook
ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39
Formbook
ba23641f1dd061c48d00c9b4e8cb84c850119599e68e28aff55ae4ce900f54b5
Formbook
f20f47d3d6665d9f24bba7bab57b474b848bc0b7d814d88af27c02d34f7dd159
Formbook
+ 4'225 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:formbook family:guloader campaign:ty31 downloader execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240611-xpr5zaxgll/
Behaviour
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Adds policy Run key to start application
Blocklisted process makes network request
Formbook payload
Formbook
Guloader,Cloudeye
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5d876d62f1291cfc7bf91819bd1fe4ba4da76828e7542704fd2f2605a5fa39b7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments