MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71bfeeb8ef35de17f04b4d6d1b101a28d687341049957f1569f8b147cdc18639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71bfeeb8ef35de17f04b4d6d1b101a28d687341049957f1569f8b147cdc18639
SHA3-384 hash: c4b7abcb9cf72808b8c60d1bddc48a6df68ecb4cb53dfd00621c0dc10d74717b58af71309e1d5084a9582a2fd57b72c4
SHA1 hash: 595f5625c9b606f2a9e7ade3a2da9e45c8611760
MD5 hash: 5576287e8200b5775576625055a50643
humanhash: minnesota-ohio-seventeen-steak
File name:Employee Perfomance Record.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:1'105'712 bytes
First seen:2024-06-04 06:05:51 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12288:s31cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRjkT:sYz64+2Sj+
TLSH T1123593E3DAC626189A855AB7ED274B734DA4019D73031F3493BDC69DA08395C82BFBC4
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.11665.17562.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Script.SNH-gen.5657.971.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=665ebe28ab69e84d6a2f54a2win10vpnfull_triage
Tags:
Encryption Execution Network Stealth
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cerberus powershell
Link:
https://www.filescan.io/uploads/665eaed3ee1e16e3eb150734/reports/ad3cb7c0-7afa-4aa8-b073-e2a6e8cd53bc/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/71bfeeb8ef35de17f04b4d6d1b101a28d687341049957f1569f8b147cdc18639
Result
Verdict:
MALICIOUS
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1451525
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Searches for Windows Mail specific files
Sigma detected: Steal Google chrome login data
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1451525 Sample: Employee Perfomance Record.vbs Startdate: 04/06/2024 Architecture: WINDOWS Score: 100 63 www.10140wildhawk.com 2->63 65 mymarketsales.com 2->65 67 3 other IPs or domains 2->67 79 Snort IDS alert for network traffic 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 12 other signatures 2->85 13 wscript.exe 2 2->13         started        17 rundll32.exe 2->17         started        signatures3 process4 file5 59 C:\Users\user\AppData\...\Programmistics.txt, ASCII 13->59 dropped 109 VBScript performs obfuscated calls to suspicious functions 13->109 111 Suspicious powershell command line found 13->111 113 Wscript starts Powershell (via cmd or directly) 13->113 115 3 other signatures 13->115 19 powershell.exe 14 19 13->19         started        signatures6 process7 dnsIp8 69 drive.usercontent.google.com 142.250.185.97, 443, 49733, 49741 GOOGLEUS United States 19->69 71 drive.google.com 142.250.186.46, 443, 49731, 49732 GOOGLEUS United States 19->71 87 Suspicious powershell command line found 19->87 89 Very long command line found 19->89 91 Found suspicious powershell code related to unpacking or dynamic code loading 19->91 23 powershell.exe 15 19->23         started        26 conhost.exe 19->26         started        28 cmd.exe 1 19->28         started        signatures9 process10 signatures11 97 Writes to foreign memory regions 23->97 99 Found suspicious powershell code related to unpacking or dynamic code loading 23->99 30 wab.exe 6 23->30         started        33 cmd.exe 1 23->33         started        process12 signatures13 117 Modifies the context of a thread in another process (thread injection) 30->117 119 Maps a DLL or memory area into another process 30->119 121 Sample uses process hollowing technique 30->121 123 Queues an APC in another process (thread injection) 30->123 35 explorer.exe 48 9 30->35 injected process14 dnsIp15 73 mymarketsales.com 15.197.142.173, 49745, 49746, 80 TANDEMUS United States 35->73 75 www.10140wildhawk.com 162.255.119.138, 49743, 49744, 80 NAMECHEAP-NETUS United States 35->75 93 System process connects to network (likely due to code injection or exploit) 35->93 95 Searches for Windows Mail specific files 35->95 39 wscript.exe 1 18 35->39         started        43 wab.exe 35->43         started        45 wab.exe 35->45         started        signatures16 process17 file18 55 C:\Users\user\AppData\...\J13logrv.ini, data 39->55 dropped 57 C:\Users\user\AppData\...\J13logri.ini, data 39->57 dropped 101 Detected FormBook malware 39->101 103 Wscript starts Powershell (via cmd or directly) 39->103 105 Tries to steal Mail credentials (via file / registry access) 39->105 107 6 other signatures 39->107 47 cmd.exe 2 39->47         started        51 firefox.exe 39->51         started        signatures19 process20 file21 61 C:\Users\user\AppData\Local\Temp\DB1, SQLite 47->61 dropped 77 Tries to harvest and steal browser information (history, passwords, etc) 47->77 53 conhost.exe 47->53         started        signatures22 process23
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/71bfeeb8ef35de17f04b4d6d1b101a28d687341049957f1569f8b147cdc18639
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71bfeeb8ef35de17f04b4d6d1b101a28d687341049957f1569f8b147cdc18639/
Threat name:
Script-WScript.Trojan.GuLoader
Create hunting rule
Status:
Malicious
First seen:
2024-06-04 04:16:31 UTC
File Type:
Text (VBS)
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=og765ohpgxpbp4cljvwrwea2fdlionaqjgkx6flj7cyuptobqy4q._file
Verdict:
unknown
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:ty31 persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240604-gtrf8sff2y/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Reads user/profile data of web browsers
Adds policy Run key to start application
Blocklisted process makes network request
Formbook payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/71bfeeb8ef35de17f04b4d6d1b101a28d687341049957f1569f8b147cdc18639

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cerberus
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Cerberus

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments