MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b38991a8e0af1e548cb2f17b257032ce4150bdf2236f63cdaf34cc5e5d424ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b38991a8e0af1e548cb2f17b257032ce4150bdf2236f63cdaf34cc5e5d424ce
SHA3-384 hash: be7c2b572c9597e0a441bb24b56b104e2ca7984f05221fa2c5935be781ff55427889969d33180c6139b3daa2b7c583c6
SHA1 hash: 929ff0ae29253c94aaf205ddb95f71679421bdab
MD5 hash: 64f0c325d2d8ce1e889a3ea02708718b
humanhash: equal-kilo-xray-lithium
File name:COTIZACIÓN__.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:5'978'796 bytes
First seen:2025-10-16 07:20:01 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:oYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY1YYYYYYYYYYYYYYYYYYYYYYYYs:yVEwFjEwVwm5hnQmmmmmmmmmmmmm7
Threatray 2'125 similar samples on MalwareBazaar
TLSH T1B15612BDD1863430EC5ED4A0E79ADA3107CD9325379F5CA81AE2C6BA06D250F46BC3D2
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33022/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f09cc904e22ce9acdab5b2
Tags:
autorun dropper shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 obfuscated powershell
Link:
https://www.filescan.io/uploads/68f09d0664833d0cfabe470b/reports/a862d388-4560-4041-a446-7e1febf428cf/overview
Verdict:
Malicious
Labled as:
GT:VB.Honolulu.1
Link:
https://www.hybrid-analysis.com/sample/6b38991a8e0af1e548cb2f17b257032ce4150bdf2236f63cdaf34cc5e5d424ce
Verdict:
Malicious
File Type:
unknown
First seen:
2025-10-15T17:54:00Z UTC
Last seen:
2025-10-17T16:23:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/6b38991a8e0af1e548cb2f17b257032ce4150bdf2236f63cdaf34cc5e5d424ce/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1796305
Signature
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Process Parents
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Generic Downloader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1796305 Sample: COTIZACI#U00d3N__.vbs Startdate: 16/10/2025 Architecture: WINDOWS Score: 100 58 www.wontagents.xyz 2->58 60 pastebin.com 2->60 62 bg.microsoft.map.fastly.net 2->62 76 Suricata IDS alerts for network traffic 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Yara detected FormBook 2->80 86 12 other signatures 2->86 14 wscript.exe 3 2->14         started        signatures3 82 Performs DNS queries to domains with low reputation 58->82 84 Connects to a pastebin service (likely for C&C) 60->84 process4 file5 56 C:\Users\user\...\COTIZACI#U00d3N__.vbs, Unicode 14->56 dropped 104 Suspicious powershell command line found 14->104 106 Wscript starts Powershell (via cmd or directly) 14->106 108 Windows Shell Script Host drops VBS files 14->108 110 3 other signatures 14->110 18 powershell.exe 7 14->18         started        21 schtasks.exe 1 14->21         started        23 schtasks.exe 1 14->23         started        signatures6 process7 signatures8 68 Suspicious powershell command line found 18->68 70 Encrypted powershell cmdline option found 18->70 72 Bypasses PowerShell execution policy 18->72 74 Found suspicious powershell code related to unpacking or dynamic code loading 18->74 25 powershell.exe 14 17 18->25         started        29 conhost.exe 18->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        process9 dnsIp10 64 pastebin.com 104.20.29.150, 443, 49686, 49688 CLOUDFLARENETUS United States 25->64 54 C:\Users\user\AppData\Local\Temp\nAvER.ps1, Unicode 25->54 dropped 35 powershell.exe 11 25->35         started        file11 process12 signatures13 88 Writes to foreign memory regions 35->88 90 Injects a PE file into a foreign processes 35->90 38 MSBuild.exe 35->38         started        process14 signatures15 92 Maps a DLL or memory area into another process 38->92 41 czpGWLSdO9.exe 38->41 injected process16 dnsIp17 66 www.wontagents.xyz 76.223.54.146, 49694, 80 AMAZON-02US United States 41->66 94 Maps a DLL or memory area into another process 41->94 45 winver.exe 13 41->45         started        signatures18 process19 signatures20 96 Tries to steal Mail credentials (via file / registry access) 45->96 98 Tries to harvest and steal browser information (history, passwords, etc) 45->98 100 Modifies the context of a thread in another process (thread injection) 45->100 102 2 other signatures 45->102 48 chrome.exe 45->48         started        50 firefox.exe 45->50         started        process21 process22 52 WerFault.exe 4 48->52         started       
Score:
92%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/6b38991a8e0af1e548cb2f17b257032ce4150bdf2236f63cdaf34cc5e5d424ce
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b38991a8e0af1e548cb2f17b257032ce4150bdf2236f63cdaf34cc5e5d424ce/
Threat name:
Script-WScript.Trojan.Honolulu
Create hunting rule
Status:
Malicious
First seen:
2025-10-16 07:23:35 UTC
File Type:
Binary
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nm4jsguobly6ksglf4l3evydftsbkc67ei3pmpg26ngmlzouetha._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
0ef28af627a20a5be581f8dc7bff948415a909ad482ed18fdc4554902d20091f
Formbook
3e1ff97d9336fe91b7a9c1853577961b432a2e71942238804b2a54619a681610
Formbook
89369898ebf3b91a1f28cecd38382b3f47d32e0cbde22543b1ece74c25c03eef
Formbook
bec14bce5c4f442698374702e7759be6322af509b4f22b7cd64229df85fbb7dc
Formbook
c55443835b9da7ef3fd8e804969c806713c352c5fbdbe8e673e348f9588e7189
Formbook
cad1738a30123d36693ddb0531b3b0ac14d8f9eb577609b25905ab28c4e9a3eb
Formbook
d7c64324b4f2b0aeccd0c12346788a52852bb31199174ec6f699a4f0dc4fee8a
Formbook
error
Formbook
f7752fa3cc9f5fcdfc5f0346401907e77494ac55c6c133ee115986cd723ee164
Formbook
f94f36ad5e8746f9b9dd6a23e079d8d12f0e55d49a96c761cba4b9bbde734f04
Formbook
fb114b07eab8c5dd7faf8dc1b15f79cda7043f283f17c2c89797c57112d926d1
Formbook
+ 2'115 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution persistence
Link:
https://tria.ge/reports/251016-h6xz8atp12/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Badlisted process makes network request
Malware Config
Dropper Extraction:
https://pastebin.com/raw/jgKWLc0S
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b38991a8e0af1e548cb2f17b257032ce4150bdf2236f63cdaf34cc5e5d424ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/33022/

Comments