MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1662b8e9f60ae12d014dc7bf567d136abef56c45d76b65c765c71d411c7ee8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1662b8e9f60ae12d014dc7bf567d136abef56c45d76b65c765c71d411c7ee8f
SHA3-384 hash: e4461c3c8335d48519eabcf55edae83d021e4bfd8cd9a7892fbb0a1ada0fc0828e496a657b15264820922818c5fac919
SHA1 hash: 7200c21cbf6d6b4f51151532ec503326b8f1e6be
MD5 hash: 0021e2b267700521b4153ecc9e3fbb78
humanhash: carolina-black-blossom-east
File name:DucFile567890987667.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:3'226 bytes
First seen:2022-09-08 10:29:20 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:xXrtjcmHdp5Iy+L/V1ve5A313keVyNE/hlzyT3GBYgHK0X79g0r0+:xN3zIRL/vvczSyNEKzG+yPr0+
TLSH T10161100E305B7124D1320DB2DC9B142EB9A3EB83627944203F08EBE59E3807CB75697D
Reporter 0xToxin
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/308739/
Detection(s):
SecuriteInfo.com.GT.VB.Remcos.1.D964BE5D.5729.4103.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6319c469e73fb79b7a009f8b/reports/d96732d4-7245-45c5-9fc2-1c8e184e56c2/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1067031
Signature
C2 URLs / IPs found in malware configuration
DLL side loading technique detected
Drops PE files to the startup folder
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 699566 Sample: DucFile567890987667.vbs Startdate: 08/09/2022 Architecture: WINDOWS Score: 100 58 www.gentlemenofabudhabi.com 2->58 60 google.com 2->60 62 2 other IPs or domains 2->62 72 Malicious sample detected (through community Yara rule) 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 Yara detected FormBook 2->76 78 C2 URLs / IPs found in malware configuration 2->78 12 wscript.exe 15 2->12         started        16 wscript.exe 13 2->16         started        signatures3 process4 dnsIp5 70 ssb.solarman.in 174.136.57.185, 443, 49752, 49755 AS-TIERP-36024US United States 12->70 94 System process connects to network (likely due to code injection or exploit) 12->94 96 Wscript starts Powershell (via cmd or directly) 12->96 98 Very long command line found 12->98 18 powershell.exe 14 20 12->18         started        23 cmd.exe 1 12->23         started        25 powershell.exe 16->25         started        27 cmd.exe 1 16->27         started        signatures6 process7 dnsIp8 64 ssb.solarman.in 18->64 56 C:\Users\user\AppData\...\AgileDotNetRT64.dll, PE32+ 18->56 dropped 80 Writes to foreign memory regions 18->80 82 DLL side loading technique detected 18->82 84 Injects a PE file into a foreign processes 18->84 86 Powershell drops PE file 18->86 29 MSBuild.exe 18->29         started        32 conhost.exe 18->32         started        34 conhost.exe 23->34         started        66 ssb.solarman.in 25->66 68 192.168.2.1 unknown unknown 25->68 36 MSBuild.exe 25->36         started        38 conhost.exe 25->38         started        40 MSBuild.exe 25->40         started        88 Drops VBS files to the startup folder 27->88 90 Drops PE files to the startup folder 27->90 42 conhost.exe 27->42         started        file9 signatures10 process11 signatures12 100 Modifies the context of a thread in another process (thread injection) 29->100 102 Maps a DLL or memory area into another process 29->102 104 Tries to detect virtualization through RDTSC time measurements 29->104 106 Queues an APC in another process (thread injection) 29->106 44 explorer.exe 29->44 injected process13 signatures14 92 Uses netsh to modify the Windows network and firewall settings 44->92 47 netsh.exe 44->47         started        50 help.exe 44->50         started        process15 signatures16 108 Modifies the context of a thread in another process (thread injection) 47->108 52 cmd.exe 1 47->52         started        process17 process18 54 conhost.exe 52->54         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1662b8e9f60ae12d014dc7bf567d136abef56c45d76b65c765c71d411c7ee8f/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2022-09-08 10:30:07 UTC
File Type:
Text (VBS)
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uftcxdu7mcxbfuau3r57kz6rg2v66vwelv3lmxdwlry5ieoh52hq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:bic5 rat spyware stealer trojan
Link:
https://tria.ge/reports/220908-mjs5zabedp/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Formbook payload
Formbook
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a1662b8e9f60/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1662b8e9f60ae12d014dc7bf567d136abef56c45d76b65c765c71d411c7ee8f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Visual Basic Script (vbs) vbs a1662b8e9f60ae12d014dc7bf567d136abef56c45d76b65c765c71d411c7ee8f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/308739/

Comments