MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ca53cc839a436c88b58f7472c6b117e92a84269481b56b720b580d6ffaaa0c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ca53cc839a436c88b58f7472c6b117e92a84269481b56b720b580d6ffaaa0c5
SHA3-384 hash: 0935cc303ec99fb9699e951fe2af10f111c6b786e586565802b27c33e6225db066a0b90cc439335bd4e87d925e1a8197
SHA1 hash: 621dd580660931e40378627578028cc8f3c787e3
MD5 hash: 52585e0274d1bc59e4213fcccc6baac1
humanhash: foxtrot-football-oklahoma-whiskey
File name:Scan_20241030.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:1'223'010 bytes
First seen:2024-10-30 06:22:24 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24576:FlBpcHWqHmW3dPuNyRGITc07v4XFn55J4ikOsZ:jqGJNWPWoiMZ
Threatray 1 similar samples on MalwareBazaar
TLSH T1CE45D073AF61BB1C3F24E1E8448F5B197DD58CEF01A4EAE8D27D320A1D82E81152F569
Magika vba
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.GT.VB.AgentTesla.4.D0647C47.7458.3315.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6721d0d349e92a05dde1d4bb
Tags:
agenttesla exploit
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper evasive
Link:
https://www.filescan.io/uploads/6721d0cd17b6426a260978c2/reports/e480ecc9-4418-45ca-a614-c638c7962a2f/overview
Verdict:
Malicious
Labled as:
GT:VB.AgentTesla.4
Link:
https://www.hybrid-analysis.com/sample/7ca53cc839a436c88b58f7472c6b117e92a84269481b56b720b580d6ffaaa0c5
Result
Verdict:
MALICIOUS
Result
Threat name:
FormBook, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1545146
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Benign windows process drops PE files
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Potential evasive VBS script found (sleep loop)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected FormBook
Yara detected GuLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545146 Sample: Scan_20241030.vbs Startdate: 30/10/2024 Architecture: WINDOWS Score: 100 31 kmsaksesuar.com 2->31 35 Yara detected FormBook 2->35 37 Yara detected GuLoader 2->37 39 Potential evasive VBS script found (sleep loop) 2->39 41 2 other signatures 2->41 10 wscript.exe 2 2->10         started        signatures3 process4 file5 27 C:\Users\user\AppData\...\temp_file_rhjRS.exe, PE32 10->27 dropped 49 Benign windows process drops PE files 10->49 51 VBScript performs obfuscated calls to suspicious functions 10->51 53 Windows Scripting host queries suspicious COM object (likely to drop second stage) 10->53 14 temp_file_rhjRS.exe 4 29 10->14         started        signatures6 process7 file8 29 C:\Users\user\AppData\Local\...\System.dll, PE32 14->29 dropped 55 Antivirus detection for dropped file 14->55 57 Machine Learning detection for dropped file 14->57 59 Tries to detect virtualization through RDTSC time measurements 14->59 61 Switches to a custom stack to bypass stack traces 14->61 18 temp_file_rhjRS.exe 6 14->18         started        signatures9 process10 dnsIp11 33 kmsaksesuar.com 46.28.239.165, 443, 49976 PREMIERDC-VERI-MERKEZI-ANONIM-SIRKETIPREMIERDC-SHTR Turkey 18->33 43 Maps a DLL or memory area into another process 18->43 22 IKcKppyYrG.exe 18->22 injected signatures12 process13 signatures14 45 Maps a DLL or memory area into another process 22->45 47 Found direct / indirect Syscall (likely to bypass EDR) 22->47 25 verclsid.exe 22->25         started        process15
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/7ca53cc839a436c88b58f7472c6b117e92a84269481b56b720b580d6ffaaa0c5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ca53cc839a436c88b58f7472c6b117e92a84269481b56b720b580d6ffaaa0c5/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2024-10-30 02:28:47 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=psstzsbzuq3mrc2y65dsy2yrp2jkqqtjjanvnnzawwann75kudcq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
7ca53cc839a436c88b58f7472c6b117e92a84269481b56b720b580d6ffaaa0c5
Formbook
error
Formbook
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/241030-g5gq6sybkp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7ca53cc839a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ca53cc839a436c88b58f7472c6b117e92a84269481b56b720b580d6ffaaa0c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments