MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea20590a38532ad0c6effd3b93417b95ca08790c92ba14bd87b833fdd67e5c8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea20590a38532ad0c6effd3b93417b95ca08790c92ba14bd87b833fdd67e5c8a
SHA3-384 hash: 9e6f150056f527e9716435ed50275ff5bf98b6556741de78718378ee1d34a8eb0fe4dff05472819c6559618c9952ac23
SHA1 hash: 955703d039355c3db2f363fbad1a8e715ac663ed
MD5 hash: 7087e3da1fbfcbae0c5c2e72f903bc7d
humanhash: arizona-stairway-early-mobile
File name:Παρ_6827732399.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:92'936 bytes
First seen:2025-09-12 07:45:38 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:7QuQz55QDQz55QeQuQz55QDQz55QuQuQz55QDQz55QmQuQz55QDQz55QeQuQz55F:lriaZLe/0AAh+XfPf
Threatray 1'068 similar samples on MalwareBazaar
TLSH T179933E1EB6EF5018B0B3AF555EA771B6576B7A29693CC18400CC26094FE3941C8A1FFB
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika vba
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27098/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c3cfeeb2005259887a03ca
Tags:
xtreme shell sage
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/68c3d104b29d966a312b74f4/reports/f93835c4-6c61-4606-b6b5-2a55ae01a622/overview
Verdict:
Malicious
Labled as:
PowerShell/Obfuscated.BC trojan
Link:
https://www.hybrid-analysis.com/sample/ea20590a38532ad0c6effd3b93417b95ca08790c92ba14bd87b833fdd67e5c8a
Verdict:
Malicious
File Type:
vbs
First seen:
2025-09-10T07:18:00Z UTC
Last seen:
2025-09-10T07:18:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/ea20590a38532ad0c6effd3b93417b95ca08790c92ba14bd87b833fdd67e5c8a/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1776258
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Self deletion via cmd or bat file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1776258 Sample: #U03a0#U03b1#U03c1_6827732399.vbs Startdate: 12/09/2025 Architecture: WINDOWS Score: 100 66 www.vrgadget.xyz 2->66 68 www.pgmoon88.xyz 2->68 70 12 other IPs or domains 2->70 88 Suricata IDS alerts for network traffic 2->88 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for URL or domain 2->92 96 13 other signatures 2->96 14 wscript.exe 1 2->14         started        17 svchost.exe 2->17         started        signatures3 94 Performs DNS queries to domains with low reputation 68->94 process4 signatures5 128 VBScript performs obfuscated calls to suspicious functions 14->128 130 Suspicious powershell command line found 14->130 132 Wscript starts Powershell (via cmd or directly) 14->132 134 4 other signatures 14->134 19 powershell.exe 7 14->19         started        22 PING.EXE 1 14->22         started        process6 dnsIp7 98 Suspicious powershell command line found 19->98 100 Encrypted powershell cmdline option found 19->100 102 Self deletion via cmd or bat file 19->102 104 2 other signatures 19->104 25 powershell.exe 14 19 19->25         started        29 conhost.exe 19->29         started        72 127.0.0.1 unknown unknown 22->72 signatures8 process9 dnsIp10 74 andrefelipedonascime1756166725866.0531865.meusitehostgator.com.br 172.64.145.200, 443, 49682, 49685 CLOUDFLARENETUS United States 25->74 64 C:\Users\user\AppData\Local\...\pkwny_01.ps1, Unicode 25->64 dropped 31 powershell.exe 21 25->31         started        file11 process12 dnsIp13 82 alfadigitalprinting.com 103.247.11.218, 443, 49686 RUMAHWEB-AS-IDRumahwebIndonesiaCVID Indonesia 31->82 84 Self deletion via cmd or bat file 31->84 86 Adds a directory exclusion to Windows Defender 31->86 35 powershell.exe 31->35         started        38 cmd.exe 1 31->38         started        40 powershell.exe 23 31->40         started        42 5 other processes 31->42 signatures14 process15 signatures16 106 Writes to foreign memory regions 35->106 108 Injects a PE file into a foreign processes 35->108 44 MSBuild.exe 35->44         started        110 Uses ping.exe to sleep 38->110 112 Uses ping.exe to check the status of other devices and networks 38->112 47 PING.EXE 1 38->47         started        114 Loading BitLocker PowerShell Module 40->114 49 WmiPrvSE.exe 2 40->49         started        51 PING.EXE 1 42->51         started        process17 signatures18 126 Maps a DLL or memory area into another process 44->126 53 KruOrhfLjSZZ.exe 44->53 injected process19 signatures20 116 Maps a DLL or memory area into another process 53->116 56 makecab.exe 53->56         started        process21 signatures22 118 Tries to steal Mail credentials (via file / registry access) 56->118 120 Tries to harvest and steal browser information (history, passwords, etc) 56->120 122 Modifies the context of a thread in another process (thread injection) 56->122 124 3 other signatures 56->124 59 K8QoLeoE9bKs.exe 56->59 injected 62 firefox.exe 56->62         started        process23 dnsIp24 76 x48003.jieruitech.info 23.231.159.4, 49706, 49707, 49708 TAKE2US United States 59->76 78 chandikadevi.store 63.250.43.14, 49693, 80 NAMECHEAP-NETUS United States 59->78 80 3 other IPs or domains 59->80
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ea20590a38532ad0c6effd3b93417b95ca08790c92ba14bd87b833fdd67e5c8a
Verdict:
inconclusive
YARA:
1 match(es)
Link:
https://app.malva.re/file/7087e3da1fbfcbae0c5c2e72f903bc7d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea20590a38532ad0c6effd3b93417b95ca08790c92ba14bd87b833fdd67e5c8a/
Threat name:
Script-WScript.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-09-11 12:59:16 UTC
File Type:
Text (VBS)
AV detection:
7 of 23 (30.43%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5iqfscrykmvnbrxp7u5zgql3sxfaq6imsk5bjpmhxaz73vt6lsfa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
15923a9fc38c609142edebb4ff10369d18d53b82986c41b7d98c5037c191db06
Formbook
6b6662c1050599805c0a20155ca0c8fdb566858e1914e273a69f572a5e3e61ef
Formbook
7e2f600443bbc2848ee277e188f5b7095d6c203d8e023a84224ba8dbb3532234
Formbook
81b5aa53fb0d1d9e99a1444276172d115c6c9de90954ab02f6e29beeeda51a37
Formbook
aef5d4593ccbc3429500b7e49d0f735bba83f811df85898febff746babd0eca2
Formbook
b5f7ce31c9333182fd55674e84e7a60e21cfdc92cf6b3b7286be53923a03386c
Formbook
b98ea057f9fd6b40c4cc5918f7132a229d959e1c5a78c4553b446221ad110009
Formbook
c219396bdbe5ecedd6f6edd308734920f6a52b6cdbefafc16916f07dadffc1c8
Formbook
ef621eb27cf38820b597be924cc1e9198b39a460150f862e4df651e6d3f09bc0
Formbook
error
Formbook
fb114b07eab8c5dd7faf8dc1b15f79cda7043f283f17c2c89797c57112d926d1
Formbook
+ 1'058 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution
Link:
https://tria.ge/reports/250912-jp1v8a1kt5/
Behaviour
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Hide Artifacts: Ignore Process Interrupts
Suspicious use of SetThreadContext
Indicator Removal: File Deletion
Network Share Discovery
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea20590a38532ad0c6effd3b93417b95ca08790c92ba14bd87b833fdd67e5c8a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/27098/

Comments