MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cac395df4f6976c9bd4443e5ee363ab315ba6e92b1cf53f62fa543f121b2cdc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cac395df4f6976c9bd4443e5ee363ab315ba6e92b1cf53f62fa543f121b2cdc6
SHA3-384 hash: 2cd90bb7c896971ed3b1d7ae80136bda971b91d0bcf9a3cf5795af573218e1b1aa3fa94a12906e2d3f728445ea1f96bd
SHA1 hash: 4c8b34204e21ebdd29ec03bfd6555a53b90c5f2d
MD5 hash: 2f3ae5cc5ca5cdad222e36c0b7ff0f02
humanhash: ten-autumn-mexico-nuts
File name:MAG ORDERS 00236646.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:135'769 bytes
First seen:2025-07-07 18:46:07 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 3072:syePC9dZKeDdoGUAU9BDi/DLF5hKBbpMjRO:7iGUAU9BDi/DLF5hKBbpf
Threatray 1'194 similar samples on MalwareBazaar
TLSH T164D3723DCAF1BCC4032F70D6A66C7B52109E4BA3F6B15B2CF5C44AB21C54689EB76249
Magika vba
Reporter abuse_ch
Tags:FormBook vbs


Avatar
abuse_ch
Formbook C2:
213.209.150.171:5010

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
213.209.150.171:5010 https://threatfox.abuse.ch/ioc/1554288/

Intelligence

File Origin
# of uploads :
1
# of downloads :
25
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13366/
Detection(s):
SecuriteInfo.com.BAT.Obfus-5.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686c15fdc9eb974737677e18
Tags:
obfuscate xtreme sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 evasive masquerade obfuscated obfuscated powershell
Link:
https://www.filescan.io/uploads/686c15fb0737c4165a92f5d0/reports/8414e332-23d1-4054-a6da-ac11fd54f439/overview
Verdict:
Suspicious
Labled as:
BAT/Agent.BCH
Link:
https://www.hybrid-analysis.com/sample/cac395df4f6976c9bd4443e5ee363ab315ba6e92b1cf53f62fa543f121b2cdc6
Result
Threat name:
AsyncRAT, SugarDump, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1730349
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected Powershell decode and execute
Yara detected SugarDump
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1730349 Sample: MAG ORDERS 00236646.vbs Startdate: 07/07/2025 Architecture: WINDOWS Score: 100 79 ancientwaters.theworkpc.com 2->79 81 ip-api.com 2->81 83 fg.microsoft.map.fastly.net 2->83 109 Suricata IDS alerts for network traffic 2->109 111 Found malware configuration 2->111 113 Malicious sample detected (through community Yara rule) 2->113 115 21 other signatures 2->115 11 wscript.exe 2 2->11         started        15 svchost.exe 1 3 2->15         started        18 msedge.exe 2->18         started        20 msedge.exe 2->20         started        signatures3 process4 dnsIp5 77 C:\Users\user\...\MorchellaLamellaNet.bat, ASCII 11->77 dropped 133 VBScript performs obfuscated calls to suspicious functions 11->133 135 Wscript starts Powershell (via cmd or directly) 11->135 137 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->137 139 Suspicious execution chain found 11->139 22 cmd.exe 1 11->22         started        107 127.0.0.1 unknown unknown 15->107 25 msedge.exe 18->25         started        27 msedge.exe 20->27         started        file6 signatures7 process8 signatures9 125 Suspicious powershell command line found 22->125 127 Wscript starts Powershell (via cmd or directly) 22->127 129 Bypasses PowerShell execution policy 22->129 29 cmd.exe 2 22->29         started        32 conhost.exe 22->32         started        process10 signatures11 141 Suspicious powershell command line found 29->141 143 Wscript starts Powershell (via cmd or directly) 29->143 34 powershell.exe 17 32 29->34         started        39 conhost.exe 29->39         started        process12 dnsIp13 85 ancientwaters.theworkpc.com 213.209.150.171, 49718, 5010 KEMINETAL Germany 34->85 87 ip-api.com 208.95.112.1, 49716, 80 TUT-ASUS United States 34->87 65 C:\Users\user\AppData\Roaming\Windows.exe, PE32+ 34->65 dropped 67 C:\Users\user\AppData\Local\...\tmp3100.tmp, PE32+ 34->67 dropped 69 C:\Users\user\AppData\Local\...\tmp3063.tmp, PE32+ 34->69 dropped 71 3 other malicious files 34->71 dropped 117 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->117 119 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 34->119 121 Tries to harvest and steal browser information (history, passwords, etc) 34->121 123 3 other signatures 34->123 41 msedge.exe 152 649 34->41         started        46 chrome.exe 11 34->46         started        48 csc.exe 3 34->48         started        file14 signatures15 process16 dnsIp17 103 239.255.255.250 unknown Reserved 41->103 73 C:\Users\user\AppData\Local\...\Login Data, SQLite 41->73 dropped 131 Maps a DLL or memory area into another process 41->131 50 msedge.exe 41->50         started        53 msedge.exe 41->53         started        55 msedge.exe 41->55         started        63 4 other processes 41->63 105 192.168.2.4, 443, 49711, 49712 unknown unknown 46->105 57 chrome.exe 46->57         started        59 chrome.exe 46->59         started        75 C:\Users\user\AppData\Local\...\4g0fflub.dll, PE32 48->75 dropped 61 cvtres.exe 1 48->61         started        file18 signatures19 process20 dnsIp21 89 sb.scorecardresearch.com 18.165.83.104, 443, 49755 MIT-GATEWAYSUS United States 50->89 91 13.107.246.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 50->91 99 28 other IPs or domains 50->99 93 150.171.29.11 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 53->93 95 23.48.203.180 AKAMAI-TYO-APAkamaiTechnologiesTokyoASNSG United States 53->95 97 ogads-pa.clients6.google.com 142.251.40.42, 443, 49734, 49736 GOOGLEUS United States 57->97 101 4 other IPs or domains 57->101
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/cac395df4f6976c9bd4443e5ee363ab315ba6e92b1cf53f62fa543f121b2cdc6
Verdict:
Malware
YARA:
1 match(es)
Tags:
DeObfuscated Obfuscated Scripting.FileSystemObject T1059.005 VBScript WScript.Shell
Link:
https://app.malva.re/file/2f3ae5cc5ca5cdad222e36c0b7ff0f02
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cac395df4f6976c9bd4443e5ee363ab315ba6e92b1cf53f62fa543f121b2cdc6/
Threat name:
Script-WScript.Backdoor.Asyncrat
Create hunting rule
Status:
Malicious
First seen:
2025-07-07 18:46:17 UTC
File Type:
Text (HTML)
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zlbzlx2pnf3mtpkeips64nr2wmk3u3uswhhvh5rpuvb7cinszxda._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
713218ac9468730f86b3076cbc49fb970be50ca5a4ad9bc30f2041bd5fc4095c
Formbook
b6f2410fa257aa53031c1d39af39aad4157ca9316d2b566ffa59e3029ba66471
Formbook
bbbceb4adf8900e5df33d28d9bac03afe37cff41166e475ae42166949006610a
Formbook
c7f5161e69a1f7de4f87d1eaa680f045e84869d888c9c68c1ffc4ec6d1a95207
Formbook
d330a30a3c45940e3a67fdc866a3b61a47a11e1c1b900b0d4aa7c27df80922ea
Formbook
ea919fb9794847767fca6a1b2999f6ffb8ec45473f110c2273c271d96c58eb0f
Formbook
error
Formbook
+ 1'184 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm execution rat trojan
Link:
https://tria.ge/reports/250707-xep8max1dy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Checks computer location settings
Blocklisted process makes network request
Detect Xworm Payload
Xworm
Xworm family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cac395df4f6976c9bd4443e5ee363ab315ba6e92b1cf53f62fa543f121b2cdc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/13366/

Comments