MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab3d86305f4078f0ae2819117501acd92493065144970f6c90730a38e0255e5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab3d86305f4078f0ae2819117501acd92493065144970f6c90730a38e0255e5c
SHA3-384 hash: 87dcb300247ede776641f0267f0022a420a383447b2aad9b469631968b3fa076b511b32c804a3a10c9d63f1837569af1
SHA1 hash: 6ac37c62c31516d2c0d75ecc94c9b5674932d952
MD5 hash: dfd3b949da899a772bc7ef5e205cca3c
humanhash: quiet-mobile-friend-black
File name:commande.vbe
Download: download sample
Signature Formbook
Create hunting rule
File size:2'120'656 bytes
First seen:2025-12-09 13:32:15 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:application/octet-stream
ssdeep 12288:AZyefpeI7UpymoGhDBu9/KUu53fW4ykxG64m8MklZPY1B3/HIjEQe3n4os1Cdx++:U7UsPiKu5+p+qGES3hM4NP3UoN
TLSH T194A5CE5D84B06CD26014FEB4F685FFD7CCEB5385162707520FE4958A2322C83FAAB6A5
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika unknown
Reporter abuse_ch
Tags:FormBook vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
VBS/Agent.TEM trojan
Link:
https://www.hybrid-analysis.com/sample/ab3d86305f4078f0ae2819117501acd92493065144970f6c90730a38e0255e5c
Verdict:
Malicious
File Type:
vbe
First seen:
2025-12-08T19:35:00Z UTC
Last seen:
2025-12-11T10:32:00Z UTC
Hits:
~100
Detections:
Trojan.JS.SAgent.sb HEUR:Trojan-Downloader.Script.Generic HEUR:Trojan.VBS.Agent.gen HEUR:Trojan.Script.Generic Trojan-Dropper.Win32.Agent.sb Trojan-Downloader.JS.SLoad.sb Trojan-Downloader.JS.Cryptoload.sb Trojan.VBS.SAgent.sb
Link:
https://opentip.kaspersky.com/ab3d86305f4078f0ae2819117501acd92493065144970f6c90730a38e0255e5c/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1829460
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1829460 Sample: commande.vbe Startdate: 09/12/2025 Architecture: WINDOWS Score: 100 67 www.sohbetson.xyz 2->67 69 www.ricardo-1240.xyz 2->69 71 19 other IPs or domains 2->71 85 Suricata IDS alerts for network traffic 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for URL or domain 2->89 93 10 other signatures 2->93 12 wscript.exe 8 2 2->12         started        16 wscript.exe 1 2->16         started        signatures3 91 Performs DNS queries to domains with low reputation 69->91 process4 file5 65 C:\Users\user\AppData\...\hIdTnGjZKaLMIzv.vbs, ASCII 12->65 dropped 103 Suspicious powershell command line found 12->103 105 Wscript starts Powershell (via cmd or directly) 12->105 107 Windows Shell Script Host drops VBS files 12->107 109 4 other signatures 12->109 18 powershell.exe 11 12->18         started        21 WmiPrvSE.exe 296 12->21         started        23 powershell.exe 11 16->23         started        25 powershell.exe 16->25         started        27 powershell.exe 16->27         started        29 powershell.exe 16->29         started        signatures6 process7 signatures8 79 Writes to foreign memory regions 18->79 81 Injects a PE file into a foreign processes 18->81 31 MSBuild.exe 18->31         started        34 conhost.exe 18->34         started        36 conhost.exe 23->36         started        38 MSBuild.exe 23->38         started        40 conhost.exe 25->40         started        42 MSBuild.exe 25->42         started        44 conhost.exe 27->44         started        46 MSBuild.exe 27->46         started        48 2 other processes 29->48 process9 signatures10 111 Maps a DLL or memory area into another process 31->111 113 Unusual module load detection (module proxying) 31->113 50 gSin3EO0ndyH.exe 31->50 injected process11 signatures12 83 Maps a DLL or memory area into another process 50->83 53 PATHPING.EXE 13 50->53         started        process13 signatures14 95 Tries to steal Mail credentials (via file / registry access) 53->95 97 Tries to harvest and steal browser information (history, passwords, etc) 53->97 99 Modifies the context of a thread in another process (thread injection) 53->99 101 4 other signatures 53->101 56 YOncGri9jd196.exe 53->56 injected 59 chrome.exe 53->59         started        61 firefox.exe 53->61         started        process15 dnsIp16 73 www.xue999.mobi 202.165.120.194, 49717, 49718, 49719 POWERLINE-AS-APPOWERLINEDATACENTERHK Hong Kong 56->73 75 www.vcimgq.mobi 154.218.66.154, 49700, 80 DXTL-HKDXTLTseungKwanOServiceHK Seychelles 56->75 77 8 other IPs or domains 56->77 63 WerFault.exe 59->63         started        process17
Verdict:
Malware
YARA:
1 match(es)
Tags:
Obfuscated Scripting.FileSystemObject VBScript Encoded WScript.Shell
Link:
https://app.malva.re/file/dfd3b949da899a772bc7ef5e205cca3c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab3d86305f4078f0ae2819117501acd92493065144970f6c90730a38e0255e5c/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/ab3d86305f4078f0ae2819117501acd92493065144970f6c90730a38e0255e5c
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-09 13:52:55 UTC
File Type:
Text
AV detection:
7 of 38 (18.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vm6ymmc7ib4pblrideixkanm3esjgbsrislq63eqomfdrybflzoa._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251209-qs3ybayqbp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ab3d86305f4078f0ae2819117501acd92493065144970f6c90730a38e0255e5c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments