MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71043a4c0e0ce7ea11b1f1de15594cd3ddb7048a34134022c1101e7653d5a2f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71043a4c0e0ce7ea11b1f1de15594cd3ddb7048a34134022c1101e7653d5a2f6
SHA3-384 hash: 933fcdaaa0c27ac739a8f9a1418724937b3a7fec51aa6fc074a84a2ddf585c329c24005a6fe3256c6150a02e463ea498
SHA1 hash: 4bdab14bdf784f478137e8536557d5ddb8f3f3ff
MD5 hash: dad59cd4847cca8e9626bf3362b78b82
humanhash: aspen-helium-october-johnny
File name:dad59cd4847cca8e9626bf3362b78b82.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:21'639 bytes
First seen:2026-02-28 10:26:09 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:KR6285sLOKJKgH+u94tkcnoyVFPyeFhq8TWhgV7oXdo0YKL2N6glQpoJfyEfyytZ:Ko2BKgfED9PMbvKUpQYJW
Threatray 2'695 similar samples on MalwareBazaar
TLSH T186A22F3EC985DFF00B6A31A2A56F7A1665180367B9382A4C7CCBC19D3B35650CBB11ED
Magika vba
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54991/
Detection(s):
TwinWave.EvilVBA.LostAtSeaFuncInDirection.20240306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a2c2d18fffa866e3b33a19
Tags:
obfuscate phishing xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 guloader obfuscated obfuscated powershell powershell
Link:
https://www.filescan.io/uploads/69a2c2cdcd25bfe1dfdca0df/reports/67845ca9-0521-4916-81cd-b38fc5a9e29b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/71043a4c0e0ce7ea11b1f1de15594cd3ddb7048a34134022c1101e7653d5a2f6
Verdict:
Malicious
File Type:
vbs
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.Script.Generic Trojan-Downloader.SLoad.TCP.ServerRequest PDM:Trojan.Win32.Generic Trojan-Downloader.PowerShell.NanoShield.sb
Link:
https://opentip.kaspersky.com/71043a4c0e0ce7ea11b1f1de15594cd3ddb7048a34134022c1101e7653d5a2f6/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1876328
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Net WebClient Casing Anomalies
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
WScript reads language and country specific registry keys (likely country aware script)
Wscript starts Powershell (via cmd or directly)
Yara detected MSIL Injector
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Score:
98%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/71043a4c0e0ce7ea11b1f1de15594cd3ddb7048a34134022c1101e7653d5a2f6
Verdict:
Malware
YARA:
1 match(es)
Tags:
VBScript WScript.Network
Link:
https://app.malva.re/file/dad59cd4847cca8e9626bf3362b78b82
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71043a4c0e0ce7ea11b1f1de15594cd3ddb7048a34134022c1101e7653d5a2f6/
Verdict:
Malicious
Threat:
Trojan-Downloader.PowerShell.TCP
Link:
https://tip.neiki.dev/file/71043a4c0e0ce7ea11b1f1de15594cd3ddb7048a34134022c1101e7653d5a2f6
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-02-27 11:06:22 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oecdutaobtt6uenr6hpbkwkm2po3obekgqjuaiwbcaphmu6vul3a._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
00ca6e2c0cf97d95fbe2bde0f38659e8c7a47fdc4fa784be828aff5e051dd64b
Formbook
0bfc0975675d67c0ba8f206435340bbb3af907b74b2b4938469f6b91511cbafc
Formbook
11e6fb6d0a431b017cdadd0500e22ec184841935e47a064c0fd2d1405e123bcd
Formbook
39d4b2c2f232d51c44e28e77ef48a8f57803f053f7ab864de307f6a45fe5705e
Formbook
b06f763db65124fc25523c16d8850580af3769771440e6fc9cec856718740f15
Formbook
b32d05c6d0606ae99980ac52e9acbae681e7c35936abca1aa7bbc66bc25bb0e5
Formbook
b79268daae3fcb3b75bdb26c6dd2d2224626369a32469b22c5f36b8bd0fe9f04
Formbook
da1140a4d3a9c65f836af07667be9ebe4dc54e0dfbc29143be53ef160e36c910
Formbook
e1fe0b9026bf4452a4f6d0a21af6c38e151fe5f1a8c6b547074798c25915456f
Formbook
error
Formbook
+ 2'685 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/260228-mgpd1aaz9h/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Badlisted process makes network request
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/71043a4c0e0c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71043a4c0e0ce7ea11b1f1de15594cd3ddb7048a34134022c1101e7653d5a2f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54991/

Comments