MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7053e344993af14f6fc9ce14f2fdf6f43576a6fb2d1b19c8e4aa43fc34bcab0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7053e344993af14f6fc9ce14f2fdf6f43576a6fb2d1b19c8e4aa43fc34bcab0f
SHA3-384 hash: 7b95cf2b29e9bbfb436349925b0316c56ecc5cf04f69b18813710dbfe1a49dbb38c08d708e7d9492ce13b79cb2dc9e9e
SHA1 hash: 257370b410799ff7e80f8289d8edace826febb92
MD5 hash: 2add0ed317480b0dc2a1981e2fee0ca3
humanhash: network-kilo-wolfram-texas
File name:Purchase Order #PO-240902.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:155'628 bytes
First seen:2024-06-09 15:53:57 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 1536:zdkd99CObSmCfcH2laJK6Jgq5huW0/5JBdUfc/jg0BGbUZlu9gISsRt:JkdbZJK6I/gcLg0BGcW
TLSH T1E3E37E1263EA0108B5B32B5D5E7291784A67BF959979C23C05BC284E0FF3E449DE1BB3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.905.18633.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6667046e5c0e232c1ff02049win7simulatehigh_evasion
Tags:
Script
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm cscript lolbin masquerade
Link:
https://www.filescan.io/uploads/6665d01beae3878d8f38c595/reports/bcfb7ec5-ac93-4ee1-bc26-bb6cd40b571a/overview
Verdict:
Malicious
Labled as:
VBS/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/7053e344993af14f6fc9ce14f2fdf6f43576a6fb2d1b19c8e4aa43fc34bcab0f
Result
Verdict:
MALICIOUS
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1454248
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1454248 Sample: Purchase Order #PO-240902.vbs Startdate: 09/06/2024 Architecture: WINDOWS Score: 100 44 paste.ee 2->44 46 xiaoyue.zhuangkou.com 2->46 48 9 other IPs or domains 2->48 70 Snort IDS alert for network traffic 2->70 72 Multi AV Scanner detection for domain / URL 2->72 74 Malicious sample detected (through community Yara rule) 2->74 78 13 other signatures 2->78 12 wscript.exe 14 2->12         started        signatures3 76 Connects to a pastebin service (likely for C&C) 44->76 process4 dnsIp5 60 paste.ee 188.114.97.3, 443, 49731 CLOUDFLARENETUS European Union 12->60 96 System process connects to network (likely due to code injection or exploit) 12->96 98 VBScript performs obfuscated calls to suspicious functions 12->98 100 Suspicious powershell command line found 12->100 102 5 other signatures 12->102 16 powershell.exe 7 12->16         started        signatures6 process7 signatures8 62 Suspicious powershell command line found 16->62 64 Found suspicious powershell code related to unpacking or dynamic code loading 16->64 19 powershell.exe 14 15 16->19         started        23 conhost.exe 16->23         started        process9 dnsIp10 50 uploaddeimagens.com.br 188.114.96.3, 443, 49732, 49733 CLOUDFLARENETUS European Union 19->50 52 93.123.39.71, 49734, 80 NET1-ASBG Bulgaria 19->52 88 Writes to foreign memory regions 19->88 90 Injects a PE file into a foreign processes 19->90 25 AddInProcess32.exe 19->25         started        28 AddInProcess32.exe 19->28         started        30 AddInProcess32.exe 19->30         started        signatures11 process12 signatures13 94 Maps a DLL or memory area into another process 25->94 32 vHMdHweeELZYU.exe 25->32 injected process14 signatures15 66 Maps a DLL or memory area into another process 32->66 68 Found direct / indirect Syscall (likely to bypass EDR) 32->68 35 sdiagnhost.exe 13 32->35         started        process16 signatures17 80 Tries to steal Mail credentials (via file / registry access) 35->80 82 Tries to harvest and steal browser information (history, passwords, etc) 35->82 84 Modifies the context of a thread in another process (thread injection) 35->84 86 2 other signatures 35->86 38 vHMdHweeELZYU.exe 35->38 injected 42 firefox.exe 35->42         started        process18 dnsIp19 54 hoolgroup.com 198.54.126.45, 49751, 49752, 49753 NAMECHEAP-NETUS United States 38->54 56 bigp5.store 138.201.55.83, 49742, 80 HETZNER-ASDE Germany 38->56 58 3 other IPs or domains 38->58 92 Found direct / indirect Syscall (likely to bypass EDR) 38->92 signatures20
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7053e344993af14f6fc9ce14f2fdf6f43576a6fb2d1b19c8e4aa43fc34bcab0f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7053e344993af14f6fc9ce14f2fdf6f43576a6fb2d1b19c8e4aa43fc34bcab0f/
Threat name:
Script-WScript.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-06-09 13:30:26 UTC
File Type:
Text (VBS)
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=obj6grezhlyu636jzykpf7pw6q2xnjx3funrtshevjb7ynf4vmhq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240609-tb73gscb4t/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Formbook
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7053e344993af14f6fc9ce14f2fdf6f43576a6fb2d1b19c8e4aa43fc34bcab0f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments