MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c
SHA3-384 hash: 4d7a346782622342e9ea60c993739ea55121bc4e0767b4c7e4e7efe899f38862b42bced219251e27b1baca4d9a8a977d
SHA1 hash: 2083ad5d3396b58d4edc29cbe73d7407d3187cc3
MD5 hash: f1bb23f681468bd0a06ad4aa45bd1706
humanhash: bluebird-magazine-angel-lemon
File name:commande.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:16'815 bytes
First seen:2025-10-15 11:46:00 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:tqSztrJbtcSokgXmXx6IFhPQmtLqknE8HLF+8Rt0Vp:tbRrJKMgIDLhlE8ra
Threatray 2'111 similar samples on MalwareBazaar
TLSH T15372233BA15CDFF00B7F22E1118B7D012065932AA9369D7D98DA8058BF277518F978EC
Magika vba
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
58
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32911/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ef89af04e22ce9acda62db
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive obfuscated obfuscated powershell
Link:
https://www.filescan.io/uploads/68ef8a173fe1a004456a17f9/reports/ee242359-ed16-466f-a3a6-92797fdbaba3/overview
Verdict:
Malicious
Labled as:
GT:VB.Heur2.ObfDldr.34
Link:
https://www.hybrid-analysis.com/sample/6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c
Verdict:
Malicious
File Type:
vbs
First seen:
2025-10-15T02:51:00Z UTC
Last seen:
2025-10-17T04:30:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Multi.Stego.gen PDM:Trojan.Win32.Generic Trojan-Downloader.PowerShell.NanoShield.sb Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1795723
Signature
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1795723 Sample: commande.vbs Startdate: 15/10/2025 Architecture: WINDOWS Score: 100 51 www.ricardo-1240.xyz 2->51 53 www.zeova.life 2->53 55 5 other IPs or domains 2->55 71 Suricata IDS alerts for network traffic 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for URL or domain 2->75 79 10 other signatures 2->79 11 wscript.exe 1 2->11         started        14 svchost.exe 1 1 2->14         started        signatures3 77 Performs DNS queries to domains with low reputation 51->77 process4 dnsIp5 91 VBScript performs obfuscated calls to suspicious functions 11->91 93 Suspicious powershell command line found 11->93 95 Wscript starts Powershell (via cmd or directly) 11->95 97 2 other signatures 11->97 17 powershell.exe 14 17 11->17         started        63 127.0.0.1 unknown unknown 14->63 signatures6 process7 dnsIp8 45 192.177.111.233, 49702, 80 EGIHOSTINGUS United States 17->45 47 ybgctdtbzvgpdxjivafy.supabase.co 104.18.38.10, 443, 49701 CLOUDFLARENETUS United States 17->47 49 ngfkjfy.icu 172.67.135.6, 443, 49700 CLOUDFLARENETUS United States 17->49 65 Writes to foreign memory regions 17->65 67 Sample uses process hollowing technique 17->67 69 Injects a PE file into a foreign processes 17->69 21 MSBuild.exe 17->21         started        24 taskkill.exe 1 17->24         started        26 taskkill.exe 1 17->26         started        28 3 other processes 17->28 signatures9 process10 signatures11 81 Maps a DLL or memory area into another process 21->81 30 EqTxm7l8x.exe 21->30 injected 33 conhost.exe 24->33         started        35 conhost.exe 26->35         started        process12 signatures13 99 Maps a DLL or memory area into another process 30->99 37 PATHPING.EXE 13 30->37         started        process14 signatures15 83 Tries to steal Mail credentials (via file / registry access) 37->83 85 Tries to harvest and steal browser information (history, passwords, etc) 37->85 87 Modifies the context of a thread in another process (thread injection) 37->87 89 3 other signatures 37->89 40 3Sjo4B0DzwGQBR.exe 37->40 injected 43 firefox.exe 37->43         started        process16 dnsIp17 57 www.zeova.life 159.198.76.235, 49718, 49719, 49720 CAT-IDC-4BYTENET-AS-APCATTELECOMPublicCompanyLtdCATT United States 40->57 59 www.vcimgq.mobi 154.218.66.154, 49713, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 40->59 61 www.ricardo-1240.xyz 47.88.79.144, 49714, 49715, 49716 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 40->61
Score:
64%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c
Verdict:
Malware
YARA:
1 match(es)
Tags:
DeObfuscated Obfuscated T1059.005 VBScript
Link:
https://app.malva.re/file/f1bb23f681468bd0a06ad4aa45bd1706
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2025-10-15 11:06:19 UTC
File Type:
Text (VBS)
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=moc3vfnc6f47vruixrksjsxl3uqn4l65hxn3yuytkh4nwglfmyga._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
3a90000f3e7765257eee7ef51199973e93b016d6a43b9271f441335dad4cda90
Formbook
424ae2948a4da9628f788e681957586c2d1e6ca1d4b615b8dd92a8930b5468d4
Formbook
515261ba7c77ffd970a3bb7e09d3f54fc5184d72ee48082fd3ac145f004f6e6e
Formbook
528a31d97ba6d5f57c4e502ea72ff289ee8233391c5657abe07158c731f93b13
Formbook
7e2f600443bbc2848ee277e188f5b7095d6c203d8e023a84224ba8dbb3532234
Formbook
833005a44107a2b32181f8a038fb7bc267df6648f0b94dc4a26cd295021b2cb7
Formbook
8c9fd9ea38c16b4b38039c60d03c499aff67451f6fcd00d56abd4c81a6f2c3c2
Formbook
9112615ba411d6052895da2d4a276289c21a36e2ae4ff93634d9d207f5e75427
Formbook
9b8d42e1bfa06d35a1e433cf97eb75c7244cde1e46bc34858a87301143f5570c
Formbook
error
Formbook
ffc8f79b6654ee83f5afac0fa12a5eeb666dc73b11d05c7fba51e7acab5928de
Formbook
+ 2'101 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook defense_evasion execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251015-nydjhay1hv/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Badlisted process makes network request
Formbook payload
Formbook
Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32911/

Comments