MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a091e95f8ef5a159d715f1f954bd84f9557b74ef94b2e2aaaef82907c159f1c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a091e95f8ef5a159d715f1f954bd84f9557b74ef94b2e2aaaef82907c159f1c0
SHA3-384 hash: 9d6c7eb158519b131581411698e4778a55d397a07990b796a770a7571bf4e06835eaa4b959ffa13e7046bf25aaf6eabe
SHA1 hash: f2be2616cacbe6da429da56dfbe7ec450be03a59
MD5 hash: a163b4bdbddcab814f39a3dc5ba800e0
humanhash: alpha-hot-tennessee-speaker
File name:bestoffertogetmebackwithnicepeoples.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:118'688 bytes
First seen:2025-05-06 18:56:41 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:IoyA6oX69GVC73j9oDLYvb76l841iwUtS98urU6LneX1sAt9UcisvtdPtbd9XBds:hWme9LOuJXgZsW1B
Threatray 12 similar samples on MalwareBazaar
TLSH T15EC3759B72E547EA803AAA27246E7C963880393DDF55F0021065BCF452E07C9DDFDDA2
Magika vba
Reporter skocherhan
Tags:FormBook vbs


Avatar
skocherhan
http://192.3.243.172/xampp/fbo/bestoffertogetmebackwithnicepeoples.vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
GB GB
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.26339.2074.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681a5c0f432e243ac3e4b0aa
Tags:
obfuscate xtreme shell
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive obfuscated opendir opendir overlay powershell
Link:
https://www.filescan.io/uploads/681a5b88d95f3e34e962305f/reports/23ee85b7-ca6b-4be1-a9df-48c549f9e106/overview
Verdict:
Suspicious
Labled as:
VBS/Agent.CAW
Link:
https://www.hybrid-analysis.com/sample/a091e95f8ef5a159d715f1f954bd84f9557b74ef94b2e2aaaef82907c159f1c0
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1682584
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1682584 Sample: bestoffertogetmebackwithnic... Startdate: 06/05/2025 Architecture: WINDOWS Score: 100 35 www.mebuceiop.xyz 2->35 37 www.logicalcomputer.xyz 2->37 39 4 other IPs or domains 2->39 51 Suricata IDS alerts for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 59 8 other signatures 2->59 11 wscript.exe 1 2->11         started        signatures3 57 Performs DNS queries to domains with low reputation 37->57 process4 signatures5 73 VBScript performs obfuscated calls to suspicious functions 11->73 75 Suspicious powershell command line found 11->75 77 Wscript starts Powershell (via cmd or directly) 11->77 79 2 other signatures 11->79 14 powershell.exe 14 15 11->14         started        process6 dnsIp7 47 192.3.243.172, 49692, 80 AS-COLOCROSSINGUS United States 14->47 83 Writes to foreign memory regions 14->83 85 Injects a PE file into a foreign processes 14->85 18 aspnet_compiler.exe 14->18         started        21 conhost.exe 14->21         started        signatures8 process9 signatures10 49 Maps a DLL or memory area into another process 18->49 23 j9iHbly3a4WGQAvxYK.exe 18->23 injected process11 signatures12 61 Maps a DLL or memory area into another process 23->61 63 Found direct / indirect Syscall (likely to bypass EDR) 23->63 26 control.exe 13 23->26         started        process13 signatures14 65 Tries to steal Mail credentials (via file / registry access) 26->65 67 Tries to harvest and steal browser information (history, passwords, etc) 26->67 69 Modifies the context of a thread in another process (thread injection) 26->69 71 3 other signatures 26->71 29 j9iHbly3a4WGQAvxYK.exe 26->29 injected 33 firefox.exe 26->33         started        process15 dnsIp16 41 www.mebuceiop.xyz 103.106.67.112, 49701, 49702, 49703 VOYAGERNET-AS-APVoyagerInternetLtdNZ New Zealand 29->41 43 www.logicalcomputer.xyz 13.248.169.48, 49696, 49697, 49698 AMAZON-02US United States 29->43 45 2 other IPs or domains 29->45 81 Found direct / indirect Syscall (likely to bypass EDR) 29->81 signatures17
Score:
48%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/a091e95f8ef5a159d715f1f954bd84f9557b74ef94b2e2aaaef82907c159f1c0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a091e95f8ef5a159d715f1f954bd84f9557b74ef94b2e2aaaef82907c159f1c0/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-06 17:40:39 UTC
File Type:
Text (VBS)
AV detection:
9 of 24 (37.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uci6sx4o6wqvtvyv6h4vjpme7fkxw5hpsszofkvo7auqpqkz6haa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
14c3023fd2bb18fd4095277f47582be9251c6aaa51c66c4a97659a2c2435ec36
Formbook
1ae589f7033b509d9f1132e9e1159fd3185860f67544e95bce6055849c96b2c9
Formbook
1b2d6ba0dfcb2247cc3655f37844dbd378abd68364b454dad49288bcf977a88e
Formbook
3e65d73d24d876e7597dbda0fbcef9681dd7e16d241283ebf466eb0ad85c603b
Formbook
491fbbb1b91c4ec1521dcbe45566794adad56ae63ab9347b5674e5a764b9f483
Formbook
5aa13f12284f388e4d78c6018ae782aa71da17c8cc737eb31dc3ee70c3caa2f5
Formbook
8910d1eb637d5a45972756c4990d10fc757656639ffe17714bca956432b6b0e3
Formbook
a091e95f8ef5a159d715f1f954bd84f9557b74ef94b2e2aaaef82907c159f1c0
Formbook
d36ed137f9ad6964486285f443f21a27510c8b15f40ef2c47911b5a47b8bc083
Formbook
d4b5f80983a954f27ebecfdf87f26582b36b64c57f02ede40c74145d880a69f0
Formbook
error
Formbook
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/250506-xlzqmsak6y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a091e95f8ef5a159d715f1f954bd84f9557b74ef94b2e2aaaef82907c159f1c0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

b075171acfc806531c432c2cc3ebf78c

Formbook

Visual Basic Script (vbs) vbs a091e95f8ef5a159d715f1f954bd84f9557b74ef94b2e2aaaef82907c159f1c0

(this sample)

  
Dropped by
MD5 b075171acfc806531c432c2cc3ebf78c

Comments