MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb4c64f160030cfee24f7fe0a49479bb538e746b2c73e9574f8fc80e36d3cae0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb4c64f160030cfee24f7fe0a49479bb538e746b2c73e9574f8fc80e36d3cae0
SHA3-384 hash: 3156845acd4bc0bb6d241568f7a692f56190de6c511303cf84be7c161373f1f10482d7dd058ab453488362f8532d8645
SHA1 hash: 5f5a15d04fd5099a95748a22b0ae668cfce3da76
MD5 hash: bd95ca686b05d785e18787c30c73b484
humanhash: oklahoma-saturn-cat-sixteen
File name:Request For Quotation.vbs
Download: download sample
Signature Formbook
Create hunting rule
File size:62'343 bytes
First seen:2025-10-28 08:25:57 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:qikOfwux6SHxCQSjAodLU6R7VuY0IU1LxmQocVSjCD8RocgSSjAuSG6NnJVuYoUQ:xez8OithCe1
Threatray 2'825 similar samples on MalwareBazaar
TLSH T13F53B7A425F456FBA29F2FF8C0EDA1C275603F0A1657A71F51B1AAB0D12B1C54D33A0B
Magika vba
Reporter abuse_ch
Tags:FormBook vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34458/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69007e5f706befaf4ec995c2
Tags:
spawn hype sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 base64 evasive obfuscated obfuscated opendir opendir overlay powershell
Link:
https://www.filescan.io/uploads/69007ea3c85c5c5697388cf4/reports/baab767f-3e41-4f19-9f91-3288c9638cb7/overview
Verdict:
Malicious
Labled as:
VBS/Obfuscated.DJ trojan
Link:
https://www.hybrid-analysis.com/sample/eb4c64f160030cfee24f7fe0a49479bb538e746b2c73e9574f8fc80e36d3cae0
Verdict:
Malicious
File Type:
vbs
First seen:
2025-10-28T00:17:00Z UTC
Last seen:
2025-10-29T10:18:00Z UTC
Hits:
~100
Detections:
Trojan.Agentb.TCP.C&C Trojan.JS.SAgent.sb HEUR:Trojan.Script.Generic Trojan-Spy.Noon.HTTP.ServerRequest
Link:
https://opentip.kaspersky.com/eb4c64f160030cfee24f7fe0a49479bb538e746b2c73e9574f8fc80e36d3cae0/results?tab=lookup
Result
Threat name:
Caminho Loader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1803045
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates processes via WMI
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Caminho Loader
Yara detected FormBook
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1803045 Sample: Request For Quotation.vbs Startdate: 28/10/2025 Architecture: WINDOWS Score: 100 37 www.ytenode.cloud 2->37 39 www.islr.tech 2->39 41 4 other IPs or domains 2->41 51 Suricata IDS alerts for network traffic 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 11 other signatures 2->57 12 wscript.exe 2->12         started        15 svchost.exe 1 1 2->15         started        signatures3 process4 dnsIp5 73 Suspicious powershell command line found 12->73 75 Wscript starts Powershell (via cmd or directly) 12->75 77 Windows Scripting host queries suspicious COM object (likely to drop second stage) 12->77 79 2 other signatures 12->79 18 powershell.exe 14 15 12->18         started        49 127.0.0.1 unknown unknown 15->49 signatures6 process7 dnsIp8 43 ia801507.us.archive.org 207.241.228.157, 49682, 80 INTERNET-ARCHIVEUS United States 18->43 45 pub-37f3a615586d47f4996e932bf6df7670.r2.dev 104.18.50.34, 443, 49683 CLOUDFLARENETUS United States 18->45 59 Writes to foreign memory regions 18->59 61 Injects a PE file into a foreign processes 18->61 63 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 18->63 22 AddInProcess32.exe 18->22         started        25 conhost.exe 18->25         started        signatures9 process10 signatures11 65 Modifies the context of a thread in another process (thread injection) 22->65 67 Maps a DLL or memory area into another process 22->67 69 Sample uses process hollowing technique 22->69 71 3 other signatures 22->71 27 explorer.exe 35 1 22->27 injected process12 dnsIp13 47 204.79.197.203, 443 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->47 30 systray.exe 27->30         started        process14 signatures15 81 Modifies the context of a thread in another process (thread injection) 30->81 83 Maps a DLL or memory area into another process 30->83 85 Tries to detect virtualization through RDTSC time measurements 30->85 87 Switches to a custom stack to bypass stack traces 30->87 33 cmd.exe 1 30->33         started        process16 process17 35 conhost.exe 33->35         started       
Score:
57%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/eb4c64f160030cfee24f7fe0a49479bb538e746b2c73e9574f8fc80e36d3cae0
Verdict:
Malware
YARA:
1 match(es)
Tags:
Scripting.FileSystemObject VBScript
Link:
https://app.malva.re/file/bd95ca686b05d785e18787c30c73b484
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/eb4c64f160030cfee24f7fe0a49479bb538e746b2c73e9574f8fc80e36d3cae0/
Verdict:
Malicious
Threat:
Family.FORMBOOK
Link:
https://tip.neiki.dev/file/eb4c64f160030cfee24f7fe0a49479bb538e746b2c73e9574f8fc80e36d3cae0
Threat name:
Script-WScript.Backdoor.FormBook
Create hunting rule
Status:
Suspicious
First seen:
2025-10-28 08:31:05 UTC
File Type:
Binary
AV detection:
7 of 23 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5nggj4laamgp5yspp7qkjfdzxnjy45dlfrz6sv2pr7ea4nwtzlqa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
27541e7a2b03816dc453852b1251e72fae6e6081984e94248d3edb7e13c780e6
Formbook
3d73ce6df0894382b15b762b63c16b983ded101731112bbbb1a78bdf6faf6226
Formbook
41e4dd0218aed625e7883bd3dbe43a95796360bda2e2b7fcf020af9fe5e1f1dc
Formbook
69ae2e849e4b148f879630ae9e3a4f991602cc6a658dd732dd775c31839d69ce
Formbook
da99e5e90a490e93120bd11d5bdb6226ad5e6fa21c10d5514b97d09b56dcc403
Formbook
ebc963782a30a3e6cc360a6e4fda16d2acac2de13ee0d8db863082e699dabd5a
Formbook
ee68d6bc31aa1661dfdbf95b66fccba4ec8678ee2b6f384d8f51cab0608e81df
Formbook
error
Formbook
f05c22a1efc4ae70839768e6d0d22057eadd708c8da4e3fc8de7376267e8bca4
Formbook
+ 2'815 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:zl28 discovery execution rat spyware stealer trojan
Link:
https://tria.ge/reports/251028-kc7nnsem51/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://ia801507.us.archive.org/20/items/msi-pro-with-b-64_20251024/MSI_PRO_with_b64.png
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb4c64f16003/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/eb4c64f160030cfee24f7fe0a49479bb538e746b2c73e9574f8fc80e36d3cae0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34458/

Comments