MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b00eb5193d6583e02b9a0b900db5e696da561cf8d368ede6e257c7aa6cb7643. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

SHA256 hash: 6b00eb5193d6583e02b9a0b900db5e696da561cf8d368ede6e257c7aa6cb7643
SHA3-384 hash: c95f51d4a48b498c001ba808ad818224fda10218e7bb10a1cf0496fd824f312ecb286a1d3186a5201d59df0b5ec974bb
SHA1 hash: ccda57b593d5735166dd19425a07c06caa5bad60
MD5 hash: 0a3543a36a0db35b71e0c7275036a636
humanhash: west-foxtrot-mississippi-beryllium
File name: RFQ-Ref.No. 07-03-2022.vbs
Signature: Formbook
File size: 2'865 bytes
First seen: 2022-03-08 12:36:36 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 48:kKMxszFNmTVxa7NIm8wfIMLhLFMYkSIo/e/HLNG0QkgqqFL6jsDy80BdO:aeNmTKxIm8kIsLFj0o/e/HpA8qRLbr
Threatray: 13'980 similar samples on MalwareBazaar
TLSH: T1F051559A3007A57420263EF1EC1B449E96B15743B2BCA851794CC3E6CFB605CE78394E
Reporter: abuse_ch
Tags: FormBook vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 176
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: UNKNOWN

Result
Threat name: FormBook
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
Command shell drops VBS files
DLL side loading technique detected
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Very long command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Behaviour

Behavior Graph (ID 585046; sample RFQ-Ref.No. 07-03-2022.vbs; start date 08/03/2022; architecture WINDOWS; score 100)

Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures.

Process tree recovered from the graph (numbers in brackets are the graph's node ids):

wscript.exe [9]
    network: ozelfanteziiplik.com (78.142.29.185, VERDINABZ, Bulgaria), ports 49733, 49737, 49742
    signatures: System process connects to network (likely due to code injection or exploit); Wscript starts Powershell (via cmd or directly); Very long command line found; 2 other signatures
    +-- powershell.exe [17]
    |       network: ozelfanteziiplik.com
    |       dropped: C:\Users\user\AppData\...\AgileDotNetRT64.dll (PE32+)
    |       signatures: Writes to foreign memory regions; DLL side loading technique detected; Injects a PE file into a foreign processes; Powershell drops PE file
    |       +-- RegAsm.exe [28]
    |       |       signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
    |       |       +-- explorer.exe [43] (injected)
    |       |               +-- svchost.exe [45]
    |       |                       signatures: Tries to detect virtualization through RDTSC time measurements
    |       +-- conhost.exe [31]
    +-- cmd.exe [22]
            dropped: RFQ-Ref.No. 07-03-...vbs:Zone.Identifier (ASCII); C:\Users\user\...\RFQ-Ref.No. 07-03-2022.vbs (ASCII)
            signatures: Command shell drops VBS files
            +-- conhost.exe [33]

wscript.exe [13]
    +-- powershell.exe [24]
            network: ozelfanteziiplik.com
            +-- RegAsm.exe [35]
            +-- conhost.exe [37]

wscript.exe [15]
    network: 192.168.2.1 (unknown)
    +-- powershell.exe [26]
            network: ozelfanteziiplik.com
            +-- RegAsm.exe [39]
            +-- conhost.exe [41]
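The chain in the sandbox report above (a script host spawning PowerShell with a very long command line, a .NET utility such as RegAsm.exe started with no arguments and then hollowed, and svchost.exe appearing under explorer.exe instead of services.exe) maps directly onto the vendor and Sigma signatures listed. The following Python is an added example, not MalwareBazaar's or any vendor's code: it runs those four checks as detection logic over process-creation records. The records are constructed to mirror the report (field names follow Sysmon Event ID 1, values are invented), and the 2000-character command-line threshold and the LOLBin name set are assumptions to tune per environment.

```python
"""
Detection logic for the process chain in the sandbox report above:
script host -> shell -> sacrificial .NET process -> injected explorer.exe -> svchost.exe.

Added example, not MalwareBazaar's or any listed vendor's code. Field names follow
Sysmon Event ID 1 (process creation); every record below is constructed, not captured.
"""
import ntpath
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    cmdline: str


# Assumed thresholds and name sets; tune to the environment being monitored.
LONG_CMDLINE_CHARS = 2000
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SACRIFICIAL_DOTNET = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the executable token; Windows quoting is kept as-is."""
    try:
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:          # unbalanced quotes: do not let a malformed line hide
        return True
    return len(tokens) > 1


def detect(events):
    """Return sorted (pid, rule) pairs, one per rule that fires on an event."""
    findings = []
    for e in events:
        img, parent = image_name(e.image), image_name(e.parent_image)
        # "Wscript starts Powershell (via cmd or directly)"
        if parent in SCRIPT_HOSTS and img in SHELLS:
            findings.append((e.pid, "script host spawned shell"))
        # "Very long command line found": typical of -EncodedCommand stagers
        if len(e.cmdline) > LONG_CMDLINE_CHARS:
            findings.append((e.pid, "very long command line"))
        # Sigma "Bad Opsec Defaults Sacrificial Processes With Improper Arguments":
        # a .NET utility started with no arguments is a hollowing target, not a build step
        if img in SACRIFICIAL_DOTNET and not has_arguments(e.cmdline):
            findings.append((e.pid, "sacrificial .NET process without arguments"))
        # Sigma "Suspicious Svchost Process": genuine svchost.exe is a child of services.exe
        if img == "svchost.exe" and parent != "services.exe":
            findings.append((e.pid, "svchost.exe not started by services.exe"))
    return sorted(findings)


# Constructed records mirroring the graph; the report's node ids are reused as pids.
ENCODED_BLOB = "QUFB" * 800   # stand-in for a base64 -EncodedCommand payload
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(900, 850, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe",
              r"C:\Windows\Explorer.EXE"),
    ProcEvent(9, 900, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\user\Desktop\RFQ-Ref.No. 07-03-2022.vbs"'),
    ProcEvent(17, 9, PS, r"C:\Windows\System32\wscript.exe",
              "powershell.exe -w hidden -ep bypass -e " + ENCODED_BLOB),
    ProcEvent(22, 9, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              r'cmd.exe /c copy "C:\Users\user\Desktop\RFQ-Ref.No. 07-03-2022.vbs" "%APPDATA%\"'),
    ProcEvent(28, 17, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", PS,
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    # explorer.exe (node 43) was injected, which leaves no creation event; the svchost.exe
    # it then spawns does, with explorer.exe rather than services.exe as parent.
    ProcEvent(45, 900, r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\svchost.exe"),
    # benign controls that must not fire
    ProcEvent(500, 4, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcEvent(600, 900, PS, r"C:\Windows\explorer.exe", "powershell.exe -NoProfile"),
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, rule in run_sample():
        print(f"pid {pid}: {rule}")
```

Two caveats worth keeping in mind when porting this to a real pipeline. Process hollowing and the injection into explorer.exe produce no process-creation event of their own; what remains visible is the side effect (a system process with the wrong parent, a system process talking to the C2 domain), so parent-child rules like the svchost check stay useful after injection. The dropped Zone.Identifier stream, the copied .vbs and the AgileDotNetRT64.dll side-load in the report would need file-creation events (Sysmon Event ID 11) rather than the process events used here.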
Result
Threat name: Script-WScript.Trojan.Phonzy
Status: Malicious
First seen: 2022-03-08 12:37:10 UTC
File Type: Text (VBS)
AV detection: 11 of 27 (40.74%)
Threat level: 5/5

Result
Malware family: xloader
Score: 10/10
Tags: family:xloader campaign:s32s loader rat
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Xloader Payload
Xloader

Result
Malware family: XLoader
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | Formbook | Visual Basic Script (vbs) | 6b00eb5193d6583e02b9a0b900db5e696da561cf8d368ede6e257c7aa6cb7643 (this sample)

Delivery method: Distributed via e-mail attachment