MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29a2517f4411f6bc1ede8972a595bcc1b0292585eae315799dab1a29ef5d0fa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29a2517f4411f6bc1ede8972a595bcc1b0292585eae315799dab1a29ef5d0fa9
SHA3-384 hash: 4279a854e22ed877fd348483d8d86ce28cef793865ef0aa43b85458a7661a0d76d3898cdfdd0ea804544657fc51aa37d
SHA1 hash: 6aa2e46a3d5f884cc76d426f79e6e6bfc5c6527a
MD5 hash: b977fae3cb27f46ae8ad36023eafe1bd
humanhash: robert-lamp-helium-bakerloo
File name:PO.xll
Download: download sample
Signature Formbook
Create hunting rule
File size:566'784 bytes
First seen:2022-04-15 07:02:37 UTC
Last seen:Never
File type:Excel file xll
MIME type:application/x-dosexec
imphash a31761b5a590c4c499d5f4a347d75c12 (23 x Formbook, 17 x AgentTesla, 6 x RedLineStealer)
ssdeep 12288:Vn/zDvGHAykHSzLW/4+8bzbBSreMdEPMgFK/UqW:ZzbGHAzHAjX1IcL
Threatray 118 similar samples on MalwareBazaar
TLSH T1C2C48D57F7C7FAB0E6BE827A86B1891C527774520260A78F674072896D23392493DF0F
TrID 58.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
34.3% (.OCX) Windows ActiveX control (116521/4/18)
3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.3% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:FormBook xll

Intelligence

File Origin
# of uploads :
1
# of downloads :
332
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.xll
Verdict:
No threats detected
Analysis date:
2022-04-15 07:04:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/18a36bfc-f12c-4632-932d-229bf50320c5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Artemis4EBC548DF517.17970.15145.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
Office Add-Ins - Suspicious
Link:
https://app.docguard.net/29a2517f4411f6bc1ede8972a595bcc1b0292585eae315799dab1a29ef5d0fa9/results/dashboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed packed wacatac
Link:
https://www.filescan.io/uploads/625918a8eab80a7a6c19ee2f/reports/0ece7c1f-f107-4bf4-9ed2-bd3d0b536cbb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29a2517f4411f6bc1ede8972a595bcc1b0292585eae315799dab1a29ef5d0fa9/
Threat name:
ByteCode-MSIL.Trojan.ExcelAddin
Create hunting rule
Status:
Malicious
First seen:
2022-04-15 00:46:58 UTC
File Type:
PE+ (Dll)
Extracted files:
3
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgrfc72ech3lyhw6rfzklfn4ygycsjmf5lrrk6m5vmnct325b6uq._file
Verdict:
malicious
Similar samples:
0c425d6c6bce93fad4f32c275db574e8b3161a1ae55a9a957d50020b516d3e2c
Formbook
0ef5f84a6608bc85058740063ba211f2d7da26883266aed349531c9678d29d55
Formbook
226626815bd89794755b446ad9ab17aed9287f970e5aed3d184dc34e1ec34e8a
Formbook
2d9035fccfa410259c75bb54edc9c95c2d736e6bdf87832fc2062dcd89286b39
Formbook
30980176792fc176767dfd338ef7fd0b73f04b66cd63e1e3b0bbf485bc064ed4
Formbook
5f1beab27690a8ea9b9be78c5d34dd852dd3af4f5128feace84d1b2e10d73b59
Formbook
60ff338c7b23bc6defd3d1def5d47bb9480e1ea680783f1da6a498bac0d9ef65
Formbook
676ba4f2375a2e7c7dcd4949090db27254ddf06d5d8dc6ef88072ebef8a97784
Formbook
b2991de24bb7a821f3baf980d08ce4bb3d6bd851fefe846147a563340d398d73
Formbook
e0a8a096299e8b28d1166af3321045635294e03227d45515f5c48f4fd38e943b
Formbook
+ 108 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:emm4 loader rat suricata
Link:
https://tria.ge/reports/220415-hvhq6aagbq/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Downloads MZ/PE file
Xloader Payload
Process spawned unexpected child process
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29a2517f4411f6bc1ede8972a595bcc1b0292585eae315799dab1a29ef5d0fa9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:t0_1
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Excel file xll 29a2517f4411f6bc1ede8972a595bcc1b0292585eae315799dab1a29ef5d0fa9

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments