MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29b23b45bbe02bff88d718bbc5fd3130d0da0801507fcf4697de838f12a3301e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	29b23b45bbe02bff88d718bbc5fd3130d0da0801507fcf4697de838f12a3301e
SHA3-384 hash:	42c8b40c5cd3f085c4a9acd4db1efdd9981af02fc0b3defc84d3a1c2707acae35e1f7f7cab7bf9dd4cd37cdc5e212dbc
SHA1 hash:	e0add5d8aab35e577ce1389d92f9f8e1a79b422c
MD5 hash:	fce59338a8d3c0f8a231f96eaa0b63b0
humanhash:	jig-sierra-orange-ten
File name:	TQ SAMSUN - SHIP'S PARTICULARS.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	623'104 bytes
First seen:	2023-10-13 20:10:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:OtCvo0bw+cGfQEMQ06WpIvlbjoW1VkosSbiFNdGSBMp8RHc9eJpZgi+xJjc:OtCvo0s+TfJM16iIvVoWfr8N2D9u7+vw
Threatray	75 similar samples on MalwareBazaar
TLSH	T1DFD42251B0649667D6A71F73ED6A050F0FB443221974C6D8ECF932FAACC6F915AC2123
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):
dhash icon	04c0e0ecc8c4c408 (9 x AgentTesla, 2 x Loki, 2 x Formbook)
Reporter	abuse_ch
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

311

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

TQ SAMSUN - SHIP'S PARTICULARS.exe

Verdict:

Malicious activity

Analysis date:

2023-10-13 20:12:20 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/a0ab2606-4ea1-40c9-82f3-1f9691f8eb5e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Porcupine.Malware.58887.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a process with a hidden window

Creating a process from a recently created file

Creating a file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6529a45b8d16e62970c54e4a/reports/30a4cd0f-f398-4a5a-82f2-c282ac7321ae/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/29b23b45bbe02bff88d718bbc5fd3130d0da0801507fcf4697de838f12a3301e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6b9db91f-3c93-4626-97ae-f7e91a7c98e7

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1325472

Signature

Adds a directory exclusion to Windows Defender

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/29b23b45bbe02bff88d718bbc5fd3130d0da0801507fcf4697de838f12a3301e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/29b23b45bbe02bff88d718bbc5fd3130d0da0801507fcf4697de838f12a3301e/

Threat name:

Win32.Trojan.FormBook

Status:

Malicious

First seen:

2023-10-12 04:25:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 23 (69.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fgzdwrn34av77cgxdc54l7jrgdinucabkb746rux32by6evdgapa._file

Verdict:

malicious

Label(s):

formbook

Formbook

28375a1b1f2ea0e88846a60930ad76d4c68bd3f0545daebced5fb64fca085616

Formbook

2b2ed2623c8b0e1867fe816928be401f482453d8e6e7922660fa4fe9695127c0

Formbook

382569a59d1fb65e1d9a987191305ede9fc0f51219ec1b6dc281e21bf1e53db2

Formbook

541d7866b5be3211823382c2f1de6bfb40e3830e7c442764f69075ba923d7d9a

Formbook

75a9fc79b2513a8964a0dcf3a0749a399a857d3feb2fa3c0d62de6f51ea5971f

Formbook

aff3c6ff3ee41b9772f8e47332a9a6a4681c65b5fa0abb51a621d628fe2f89bd

Formbook

c8827b3385b4cfc8e31913a78e7e108ffeaa2cad099ccc49d4cb2c26edc5a910

Formbook

cc74e95443838d54168e736be39859926097fd7da7606b6ef4d8bfb794303eff

Formbook

+ 65 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/231013-yx9wesaa58/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Checks computer location settings

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

5ec2db7731d55e932432b2ddfc4587d20a6abfb77699d24aa7dc5ab16b078bd4

MD5 hash:

e605e4995babfb835c676729e26e7256

SHA1 hash:

b2827dedacbf29aeabdb4d4ad30cabd87e646a9a

Detections:

win_formbook_w0

win_formbook_g0

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

Parent samples :

28375a1b1f2ea0e88846a60930ad76d4c68bd3f0545daebced5fb64fca085616
95216d71fff102892599ac2c3e12742cc687eb8ab3eecb475366f69a38297511
29b23b45bbe02bff88d718bbc5fd3130d0da0801507fcf4697de838f12a3301e

SH256 hash:

8f5c0c2eb2e763b06d10926f06ebbfc411e58bcabcb0a0a39257421e3ade308f

MD5 hash:

d04d4754040256cfad2c243631de5125

SHA1 hash:

5ebe5172272b91403ebf8ae5aa4c6a2d1630dc87

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

SH256 hash:

b1270dc9ec3f22c6fd2296239426ac7c48589589580d4a1b3da8188920b22a63

MD5 hash:

5c904da8528cfb1b87b15a6aa7c059cd

SHA1 hash:

f0a192969485d1bc34bf52adf37d9c20176d6b85

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

SH256 hash:

ffabc13f7fad5bea21ab9b04b5c04700394db8ec812f01af098dfbd213b0cded

MD5 hash:

bb95d7e54d7271723c25cf89f5bc63fc

SHA1 hash:

c00a879d8c2bf1d1600387eee96b70f53fa53a39

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

SH256 hash:

a9334ba2cfdbd5d3f7ae3b54f65f3c8b6e257bbba994acf32516947cfa5f21f8

MD5 hash:

1ce0be5928c1e8c021a408686c645e96

SHA1 hash:

089465f03e154ef0b26e186221b5580087484a19

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

SH256 hash:

55fdf0890447c2187941df6485df4d5e2411c2c23b081f9eeeaa1c5bd6bb93db

MD5 hash:

7b0cdfd005f5bc6fb2473ed7f4fa9205

SHA1 hash:

e8237413710ccd4451e6820f5aa36d8dedc1f08c

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

SH256 hash:

d29ea9d16256a65f86431ea6ed54d3514d78777c00b2e971114cff661cc790f6

MD5 hash:

09833f7866a615d6139df7f3f316c525

SHA1 hash:

bdf14cc3d715f5ffe841f3c4ea44adfb9bae48a9

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

SH256 hash:

f31a50eb4cc67421a777f6c9244caa4b748448e911d1701b14bb0902389d5106

MD5 hash:

dc8c8ca6560a171633d7657b7fc6ab73

SHA1 hash:

b4f121ce0ffa31d115966fe7c14734a049c0b927

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

SH256 hash:

d33ae642b878d00345241c20479626bd41c7e36a7951a5de36d069436baa251f

MD5 hash:

61f876687414eaebdff15ddb97d611ac

SHA1 hash:

b47b384f4fae3388cb4e2dfd961939a69e698c3a

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

SH256 hash:

de4a17f970413ed2982f51fc586fcc9a627ca0eb87f7b44224625c4d2ba97ec6

MD5 hash:

e398764516a76757692e78d108deb375

SHA1 hash:

4c43dfb40a616f0179108264087feb2d7c3bdeb4

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

SH256 hash:

c379867da74a51f02a01b1802ceb2113b83e7376dffbe69b8bdfb81795ff6b41

MD5 hash:

3416e8378588462de9bceb9fdf45251a

SHA1 hash:

04c285ceade79165b6d0cecdcbd61605b5f725ef

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

SH256 hash:

29b23b45bbe02bff88d718bbc5fd3130d0da0801507fcf4697de838f12a3301e

MD5 hash:

fce59338a8d3c0f8a231f96eaa0b63b0

SHA1 hash:

e0add5d8aab35e577ce1389d92f9f8e1a79b422c

Link:

https://www.unpac.me/results/f180ac2c-ff77-4afe-a646-89aa38fda758/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/29b23b45bbe02bff88d718bbc5fd3130d0da0801507fcf4697de838f12a3301e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample