MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54
SHA3-384 hash: 5b855133f8bb28c91f7dd99a210eaa6bc40f6d8ff25d6012071421cacce7c18985e744e1d5c2a646a0048a59c30f608b
SHA1 hash: 67b8d5dea53db8c174c1c17c7b06da59770e179e
MD5 hash: d107b3bf4609b4c1bc3ecc06d518d2df
humanhash: spaghetti-edward-magazine-diet
File name:d107b3bf4609b4c1bc3ecc06d518d2df.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:1'613'520 bytes
First seen:2026-03-12 15:47:44 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:CL0OFHTev1rOiOBMXIpIjd/jLAjBR7Zmi1f0O/s4WGxbdy00BVL7ZuIQKM7qExDL:CIlXthUVC5ZEEzQG6CB9fPr/3G1
Threatray 67 similar samples on MalwareBazaar
TLSH T1E17508B4E461A548F982F655CF3E3EA175E0041B3303B5DA50CAC8F1897E8629BB85F7
Magika toml
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/57230/
Detection(s):
SecuriteInfo.com.VBS.Starter.505.14126.16607.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69b2e0549872190419bfaf02
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint obfuscated obfuscated overlay packed powershell
Link:
https://www.filescan.io/uploads/69b2e04d493cb7d62df952cc/reports/6273aaa1-7aa6-438d-8f1a-a2d73208c8f5/overview
Verdict:
Malicious
Labled as:
Agent
Link:
https://www.hybrid-analysis.com/sample/95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54
Verdict:
Malicious
File Type:
text
Detections:
Trojan-Downloader.JS.Cryptoload.sb HEUR:Trojan.VBS.SAgent.gen HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1882769
Signature
Antivirus detection for URL or domain
Creates processes via WMI
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MSIL Injector
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1882769 Sample: B5RX1rM1KH.vbs Startdate: 12/03/2026 Architecture: WINDOWS Score: 100 30 gateway.lighthouse.storage 2->30 32 d1zwe7rg2uojh7.cloudfront.net 2->32 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus detection for URL or domain 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 9 other signatures 2->42 8 wscript.exe 2 2->8         started        12 powershell.exe 14 15 2->12         started        15 wscript.exe 2->15         started        signatures3 process4 dnsIp5 28 C:\Users\Public\Downloads28ame_File.vbs, ASCII 8->28 dropped 50 Suspicious powershell command line found 8->50 52 Wscript starts Powershell (via cmd or directly) 8->52 54 Windows Shell Script Host drops VBS files 8->54 62 3 other signatures 8->62 34 d1zwe7rg2uojh7.cloudfront.net 3.169.252.128, 443, 49688, 49696 AMAZON-02US United States 12->34 56 Writes to foreign memory regions 12->56 58 Modifies the context of a thread in another process (thread injection) 12->58 60 Injects a PE file into a foreign processes 12->60 17 conhost.exe 12->17         started        19 wscript.exe 12->19         started        21 powershell.exe 15->21         started        file6 signatures7 process8 signatures9 44 Writes to foreign memory regions 21->44 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Injects a PE file into a foreign processes 21->48 24 conhost.exe 21->24         started        26 wscript.exe 21->26         started        process10
Score:
7%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54/
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.Cryptoload
Link:
https://tip.neiki.dev/file/95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2026-03-11 14:17:18 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sx3jgkdjj42rxmqve26hs4denlzghahsxy5bacgolayryewrd5ka._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
07ca3c1f8d2a424f1873cf6eda6df16e69569aa98c5d152734668ea9d1f4c374
Formbook
0e6a0dda6d54291452adeb1d7515cc8edad2705807d5a0343340ce7122cef8b1
Formbook
19d1507a08193e55ebb5b873e23fa0fd1d54a29e413ccd51903d6f084556c1d3
Formbook
1dd20400a7bb38e2bc807c8bbe15fb719b3466be957bbd9b71f620f876916287
Formbook
4f5d1c5ad71e3be6754c31542735633c0be9224feae128e2bb4cec533e85c33e
Formbook
61c61e5c4d5caa801b3d6ee7ba915ce19793274d659fc6e2bb14076fc5fdcb59
Formbook
815278833a20e95cd14f6ab44f46b46f2eb22d224742220bf2c4ad753afdbf38
Formbook
b65da47cf6dc6bc5ae6db9041f67c97a04f28672cea65e7ad9a0359391cdde48
Formbook
d08410a7c99152b4b46a8f6e686353d0a0a0be18eff6358322b72c28e43bda53
Formbook
e83039c747aa9f67494b6685cf5b53ce9afd955d6f4b0355c85a224c5c2e3ce8
Formbook
error
Formbook
+ 57 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution persistence
Link:
https://tria.ge/reports/260312-s8zxpsfs4v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/95f69328694f351bb21526bc7970646af26380f2be3a1008ce58311c12d11f54

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/57230/

Comments