MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc5c060f306d5218716dfdc6ded8091d5f5306b91c63cc0cdf760b41a99108c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments

SHA256 hash: bc5c060f306d5218716dfdc6ded8091d5f5306b91c63cc0cdf760b41a99108c9
SHA3-384 hash: 7f8e942ccc5bf5ecd26ace320b7b0c7484d1af6606280497c1120bb6f1d414217fa31e3c53fc1ba5e82116590f7e1061
SHA1 hash: 6d305a2d5edecd298d020a41726e3e9bcd00d3bd
MD5 hash: 17031fde4115624d7977d32bde598f2c
humanhash: zebra-double-aspen-bravo
File name:MOM_270526_xls 附件副本.vbs
Download: download sample
Signature Formbook
File size:435'216 bytes
First seen:2026-06-04 09:22:17 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12288:QFGRFohpvKGmE6BPm7PHODfVurDfusJlJuk:QsTK9sEcCbr
Threatray 2'896 similar samples on MalwareBazaar
TLSH T1FD94DC38EDEA402EB173EE29CAD47597E95FB663371E984910D203864713942FDD223E
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter abuse_ch
Tags:FormBook vbs

Intelligence


File Origin
# of uploads :
1
# of downloads :
94
Origin country :
SE SE
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
70%
Tags:
shell tatus sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
aes base64 base64 conhost crypto obfuscated powershell
Verdict:
Malicious
File Type:
vbs
First seen:
2026-06-04T00:13:00Z UTC
Last seen:
2026-06-06T05:49:00Z UTC
Hits:
~100
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Script.Generic Trojan.VBS.SAgent.sb Trojan.MSIL.Agent.sb Trojan-Spy.Win32.Noon.sb
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
88 / 100
Signature
Antivirus detection for URL or domain
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Powershell scriptblock execution from environment variable
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
WScript reads language and country specific registry keys (likely country aware script)
Behaviour
Behavior Graph:
Gathering data
Threat name:
Win32.Worm.AutoRun
Status:
Malicious
First seen:
2026-06-04 09:23:29 UTC
File Type:
Text (VBS)
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Registers new Windows logon scripts automatically executed at logon.
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments