MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea06432b0fe0200a91d19856ff8c0a24fc6bbb52c7ba49f6309555ac7d6797ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 11



SHA256 hash: ea06432b0fe0200a91d19856ff8c0a24fc6bbb52c7ba49f6309555ac7d6797ea
SHA3-384 hash: 6cf3ab1ce0ca9a383b1fce048c7d59e2b5f0b02cc69a41b8691f80bd16d35d801d6a120915095da9a3a965e7d1170a37
SHA1 hash: 70687fb4c366b1a95a651536a4e7270ae4a0382f
MD5 hash: d3e2b3429359297758743cc96d94af79
humanhash: failed-stairway-romeo-eight
File name: Staff performance report..vbs
Signature: Formbook
File size: 1'102'200 bytes
First seen: 2024-06-04 06:05:41 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 12288:W31cvBzbU01qal638iNX3iTMgmuYtWN/ZgMiQPeRjLL:WYz64+2SjX
Threatray: 4'272 similar samples on MalwareBazaar
TLSH: T1DB3582E3DAC626198A855AB7ED274B734DA4019D33131F3493BDC69DA08395C82BFBC4
Reporter: abuse_ch
Tags: FormBook, vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 92
Origin country: NL

Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: Banker Encryption Execution Network Dexter

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cerberus masquerade powershell

Result
Verdict: MALICIOUS

Result
Threat name: FormBook, GuLoader
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Detected FormBook malware
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Searches for Windows Mail specific files
Sigma detected: Steal Google chrome login data
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
Behaviour
Behavior Graph (ID 1451527): Sample: Staff performance report..vbs, Startdate: 04/06/2024, Architecture: WINDOWS, Score: 100. Domains contacted at the top level: www.woodnthangs.com, www.esunbank.vip, 2 other IPs or domains. Process tree recovered from the graph (the per-node signatures are the ones in the Signature list above):
  wscript.exe
    powershell.exe (contacts drive.google.com 142.250.186.110:443 and drive.usercontent.google.com 216.58.206.33:443, GOOGLEUS, United States; very long suspicious command line; unpacking / dynamic code loading)
      conhost.exe
      cmd.exe
      powershell.exe (writes to foreign memory regions; unpacking / dynamic code loading)
        cmd.exe
        wab.exe
        wab.exe (thread injection, maps a DLL or memory area into another process, process hollowing, queues an APC in another process)
          explorer.exe (injected; contacts www.esunbank.vip 188.114.96.3:80, CLOUDFLARENETUS, European Union; searches for Windows Mail specific files)
            wab.exe
            wab.exe
            wlanext.exe (Detected FormBook malware; tries to steal Mail credentials and browser information; drops C:\Users\user\AppData\...\O2Alogrv.ini and C:\Users\user\AppData\...\O2Alogri.ini)
              firefox.exe
              cmd.exe (drops C:\Users\user\AppData\Local\Temp\DB1, SQLite; harvests browser information)
                conhost.exe
  rundll32.exe
Threat name: Script-WScript.Trojan.GuLoader
Status: Malicious
First seen: 2024-06-04 03:05:40 UTC
File Type: Text (VBS)
AV detection: 10 of 24 (41.67%)
Threat level: 5/5

Result
Malware family: formbook
Score: 10/10
Tags: family:formbook campaign:sh31 persistence rat spyware stealer trojan
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Reads user/profile data of web browsers
Adds policy Run key to start application
Blocklisted process makes network request
Formbook payload
Formbook
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Cerberus
Author: Jean-Philippe Teissier / @Jipe_
Description: Cerberus

File information


The table below shows additional information about this malware sample such as delivery method and external references.
