MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63c28ed10e7c1f961888788a861fea7dee50da89cc62f149e0a80377eda63a3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63c28ed10e7c1f961888788a861fea7dee50da89cc62f149e0a80377eda63a3b
SHA3-384 hash: ea30d2a34446fd57caeb43891c3bc739791f6a53008c7d41e412c45268f9467a60da840d4ccfccaeea0dc1d9b9d52446
SHA1 hash: 6319e3152e5f07bcfb682c5ab750f8683fa14187
MD5 hash: b8c28d9f8c266c6537ec6c0037d609a2
humanhash: angel-juliet-xray-lamp
File name:devil.vbe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'127'282 bytes
First seen:2024-08-10 07:50:35 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:text/plain
ssdeep 24576:5McHHksJ3iZnMKt8L1ULohK21zrIvFLNPzCbXZ5d:usDMZ+WQk9xCbR
Threatray 1'663 similar samples on MalwareBazaar
TLSH T1FA356833DA8A07C9076759BD47241EE2F58BDD9ED366C59B8AEB3D3272E01A00C71B14
Reporter abuse_ch
Tags:FormBook vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.24852.18769.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66b71bf1aa5b40be0a9ff127
Tags:
Discovery Execution Generic Infostealer Network Stealth Trojan
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/66b71bf0e565ee98cf3e4dcd/reports/6668d744-ca42-47af-8bc9-d4d889156dfa/overview
Verdict:
Malicious
Labled as:
TrojanDropper/VBS.Agent
Link:
https://www.hybrid-analysis.com/sample/63c28ed10e7c1f961888788a861fea7dee50da89cc62f149e0a80377eda63a3b
Result
Verdict:
MALICIOUS
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1490965
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Benign windows process drops PE files
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected AgentTesla
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1490965 Sample: devil.vbe Startdate: 10/08/2024 Architecture: WINDOWS Score: 100 40 ip-api.com 2->40 42 evdanco.ru 2->42 44 api.ipify.org 2->44 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Multi AV Scanner detection for submitted file 2->72 74 8 other signatures 2->74 8 wscript.exe 2 2->8         started        12 VsUPptm.exe 3 2->12         started        14 VsUPptm.exe 2->14         started        signatures3 process4 file5 36 C:\Users\user\AppData\Local\Temp\HHhHh.exe, PE32 8->36 dropped 76 Benign windows process drops PE files 8->76 78 Windows Scripting host queries suspicious COM object (likely to drop second stage) 8->78 16 HHhHh.exe 3 8->16         started        80 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->80 82 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->82 84 Machine Learning detection for dropped file 12->84 19 VsUPptm.exe 14 2 12->19         started        21 conhost.exe 12->21         started        86 Injects a PE file into a foreign processes 14->86 23 VsUPptm.exe 14->23         started        signatures6 process7 signatures8 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 16->52 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->54 56 Machine Learning detection for dropped file 16->56 64 2 other signatures 16->64 25 HHhHh.exe 16 4 16->25         started        30 HHhHh.exe 16->30         started        32 HHhHh.exe 16->32         started        34 HHhHh.exe 16->34         started        58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->58 60 Tries to steal Mail credentials (via file / registry access) 23->60 62 Tries to harvest and steal ftp login credentials 23->62 66 2 other signatures 23->66 process9 dnsIp10 46 ip-api.com 208.95.112.1, 49709, 49719, 49723 TUT-ASUS United States 25->46 48 evdanco.ru 80.96.42.133, 49711, 49714, 49720 RCS-RDS73-75DrStaicoviciRO Romania 25->48 50 api.ipify.org 104.26.12.205, 443, 49708, 49718 CLOUDFLARENETUS United States 25->50 38 C:\Users\user\AppData\Roaming\...\VsUPptm.exe, PE32 25->38 dropped 88 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->88 90 Tries to steal Mail credentials (via file / registry access) 25->90 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->92 94 Installs a global keyboard hook 25->94 file11 signatures12
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/63c28ed10e7c1f961888788a861fea7dee50da89cc62f149e0a80377eda63a3b
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/63c28ed10e7c1f961888788a861fea7dee50da89cc62f149e0a80377eda63a3b/
Threat name:
Script-WScript.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2024-08-10 07:51:14 UTC
File Type:
Text (VBS)
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpbi5uiopqpzmgeipcfimh7kpxxfbwujzrrpcspavabxp3nghi5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3c4a62274eaf166916621a82f252b2dcdbde0fb6b477682943ef60128f0a82c3
Formbook
63c28ed10e7c1f961888788a861fea7dee50da89cc62f149e0a80377eda63a3b
Formbook
7adc48b32358c405fdb502f2b868288b3757940b2b54e0b6787b1a7a242b3579
Formbook
a7c2b459805c50ca9c86290e12bdeafbf35f75727d20a8975002d71f4a951259
Formbook
a86f818dee5adfc18c4b4c5e547e5f51afd5eaf6f1208d2c9869018c4d1ddbc3
Formbook
+ 1'653 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla credential_access discovery execution keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/240810-jpvdfa1drq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/63c28ed10e7c1f961888788a861fea7dee50da89cc62f149e0a80377eda63a3b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments