MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee24d1c68ec644cd69c853d7612b0f4df749aaddf322fd94e146fe0b6269aa16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee24d1c68ec644cd69c853d7612b0f4df749aaddf322fd94e146fe0b6269aa16
SHA3-384 hash: 5cdcee41ca4ca1d5f5e3aaddb6edd849f48ddc09f3635ebcae6bce337a146230a86692c8c7f5cded4afb7bc6ce4ebfd8
SHA1 hash: 35921d68819a7c969cf0c9de6c944c253c1524ed
MD5 hash: ddd084b6d5f0411d8ab3a900b13b7767
humanhash: burger-crazy-kilo-uncle
File name:266714718-053055-sanlccjavap0004-16649.vbe
Download: download sample
Signature Formbook
Create hunting rule
File size:2'116'560 bytes
First seen:2025-12-02 08:37:16 UTC
Last seen:Never
File type:Visual Basic Script (vbe) vbe
MIME type:application/octet-stream
ssdeep 12288:P92z2zEvBqnNitAN6Ur2+vTaMQHfVoFhy9aB0D32zlNEWItZVaS3oQiQZDSmuPSG:k2/NiqN5/aD9h/6xowkqqSPW2JIsRrYw
TLSH T142A5B15D84B1ACD2A054FEB4F685FFD78CDB5385162B07420FE4859A3312C83FAA72A5
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Magika txt
Reporter lowmal3
Tags:FormBook vbe

Intelligence

File Origin
# of uploads :
1
# of downloads :
29
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Detection(s):
SecuriteInfo.com.VBS.Encrypted.Gen.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692ea546264b106bd645e86f
Tags:
obfuscate xtreme shell
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm
Link:
https://www.filescan.io/uploads/692ea541c1a2f55fb9c550c9/reports/3ee2e9ef-550a-424d-94d0-60fa8d95a7bf/overview
Verdict:
Suspicious
Labled as:
VBS/Agent.TEM trojan
Link:
https://www.hybrid-analysis.com/sample/ee24d1c68ec644cd69c853d7612b0f4df749aaddf322fd94e146fe0b6269aa16
Result
Gathering data
Verdict:
Malicious
File Type:
vbe
Link:
https://opentip.kaspersky.com/ee24d1c68ec644cd69c853d7612b0f4df749aaddf322fd94e146fe0b6269aa16/results?tab=lookup
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1824219
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Windows Shell Script Host drops VBS files
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1824219 Sample: 266714718-053055-sanlccjava... Startdate: 02/12/2025 Architecture: WINDOWS Score: 100 51 www.themonthlychoice.com 2->51 53 diasimoveis.com 2->53 55 8 other IPs or domains 2->55 67 Suricata IDS alerts for network traffic 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Yara detected FormBook 2->71 73 8 other signatures 2->73 12 wscript.exe 8 2 2->12         started        16 wscript.exe 1 2->16         started        signatures3 process4 file5 49 C:\Users\user\AppData\...\wSeizCMimXyqXED.vbs, ASCII 12->49 dropped 87 Suspicious powershell command line found 12->87 89 Wscript starts Powershell (via cmd or directly) 12->89 91 Windows Shell Script Host drops VBS files 12->91 93 4 other signatures 12->93 18 powershell.exe 11 12->18         started        21 WmiPrvSE.exe 295 12->21         started        23 powershell.exe 16->23         started        signatures6 process7 signatures8 61 Writes to foreign memory regions 18->61 63 Injects a PE file into a foreign processes 18->63 25 MSBuild.exe 18->25         started        28 conhost.exe 18->28         started        30 conhost.exe 23->30         started        32 MSBuild.exe 23->32         started        process9 signatures10 83 Maps a DLL or memory area into another process 25->83 85 Unusual module load detection (module proxying) 25->85 34 IxbjDhwS02Z.exe 25->34 injected process11 signatures12 65 Maps a DLL or memory area into another process 34->65 37 sxstrace.exe 13 34->37         started        process13 signatures14 75 Tries to steal Mail credentials (via file / registry access) 37->75 77 Tries to harvest and steal browser information (history, passwords, etc) 37->77 79 Modifies the context of a thread in another process (thread injection) 37->79 81 4 other signatures 37->81 40 qoTN7W8k.exe 37->40 injected 43 chrome.exe 37->43         started        45 firefox.exe 37->45         started        process15 dnsIp16 57 diasimoveis.com 3.33.130.190, 49697, 80 AMAZONEXPANSIONGB United States 40->57 59 www.themonthlychoice.com 52.223.13.41, 49698, 49699, 49700 AMAZONEXPANSIONGB United States 40->59 47 WerFault.exe 4 43->47         started        process17
Verdict:
Malware
YARA:
1 match(es)
Tags:
DeObfuscated Obfuscated Scripting.FileSystemObject T1059.005 VBScript VBScript Encoded WScript.Shell
Link:
https://app.malva.re/file/ddd084b6d5f0411d8ab3a900b13b7767
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee24d1c68ec644cd69c853d7612b0f4df749aaddf322fd94e146fe0b6269aa16/
Verdict:
Malicious
Threat:
Trojan-Downloader.JS.Cryptoload
Link:
https://tip.neiki.dev/file/ee24d1c68ec644cd69c853d7612b0f4df749aaddf322fd94e146fe0b6269aa16
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ysndruoyzcm22oikplwckypjx3utkw56mrp3fhbi37awytjvila._file
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/251202-kjbjtafw5e/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Formbook payload
Formbook
Formbook family
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee24d1c68ec6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ee24d1c68ec644cd69c853d7612b0f4df749aaddf322fd94e146fe0b6269aa16

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Formbook

Visual Basic Script (vbe) vbe ee24d1c68ec644cd69c853d7612b0f4df749aaddf322fd94e146fe0b6269aa16

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3723216/

Comments