MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e50e2fd4c61ba461a322f1d5a0e902983af962b3937e12c285e0e2c14c8319ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	e50e2fd4c61ba461a322f1d5a0e902983af962b3937e12c285e0e2c14c8319ed
SHA3-384 hash:	4ed01667cdbc967aafad710579f09be7b69410dad85efdfaf203fcc6b07247dfff5f700a5d2bb7a02117ecf45ef6b0d8
SHA1 hash:	15f64204fe9c230c504859b536598ef3a63c6cac
MD5 hash:	c4c8f61d46432d172c33f568be5b2dc4
humanhash:	arizona-lamp-dakota-louisiana
File name:	567187.vbs
Download:	download sample
Signature	Formbook Create hunting rule
File size:	182'458 bytes
First seen:	2026-06-09 13:40:12 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	3072:vlzIoUql7vEu9iRp4kWmv151y7nULZn+NHXdonSS89YQFCp4iCJjh:vlzR7BSgmvuULINHNonSS894Svh
TLSH	T1F604CF41BE8B34443505AABE44AF13B9FA039E9E0030C53A1BD977BD0F0DA55BBE7816
Magika	vba
Reporter	James_inthe_box
Tags:	exe FormBook vbs

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

Vendor Threat Intelligence

No detections

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70306/

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6a2817eaa15110463ee442f7

Tags:

xtreme shell sage

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 encrypted evasive obfuscated powershell

Link:

https://www.filescan.io/uploads/6a2817f73d2a0c6df8ea2389/reports/918cd952-5bfb-46dd-a597-9b09e1901a48/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/e50e2fd4c61ba461a322f1d5a0e902983af962b3937e12c285e0e2c14c8319ed

Verdict:

Malicious

File Type:

vbs

First seen:

2026-06-07T17:03:00Z UTC

Last seen:

2026-06-10T12:06:00Z UTC

Hits:

~10000

Detections:

PDM:Trojan.Win32.Generic Trojan.Win32.Agent.sb Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic

Link:

https://opentip.kaspersky.com/e50e2fd4c61ba461a322f1d5a0e902983af962b3937e12c285e0e2c14c8319ed/results?tab=lookup

Score:

94%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/e50e2fd4c61ba461a322f1d5a0e902983af962b3937e12c285e0e2c14c8319ed

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e50e2fd4c61ba461a322f1d5a0e902983af962b3937e12c285e0e2c14c8319ed/

Verdict:

Malicious

Link:

https://tip.neiki.dev/file/e50e2fd4c61ba461a322f1d5a0e902983af962b3937e12c285e0e2c14c8319ed

Threat name:

Script.Trojan.Heuristic

Status:

Malicious

First seen:

2026-06-07 20:44:17 UTC

File Type:

Text (VBS)

AV detection:

5 of 36 (13.89%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4uhc7vggdosgdizc6hk2b2icta5psyvtsn7bfquf4drmcteddhwq._file

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook discovery execution persistence rat spyware stealer trojan

Link:

https://tria.ge/reports/260609-qyzsvaa181/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds policy Run key to start application

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Family: Formbook

Formbook payload

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e50e2fd4c61ba461a322f1d5a0e902983af962b3937e12c285e0e2c14c8319ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	detect_tiny_vbs Create hunting rule
Author:	daniyyell
Description:	Detects tiny VBS delivery technique

Rule name:	telebot_framework Create hunting rule
Author:	vietdx.mb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/70306/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample