MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29ba93f4a47f80f0a04050e3dbf55618fc2a2a53f54c13f7e4bccbb6c4b78c09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29ba93f4a47f80f0a04050e3dbf55618fc2a2a53f54c13f7e4bccbb6c4b78c09
SHA3-384 hash: f8c391a933d09074ad84cad70fe19c558e5f1ef3777911c47e6bed167ebdb9680376a2b078965940d1539bacdb13f4ca
SHA1 hash: 4e7ad956203d7d3941e2b841b785b545bfb53391
MD5 hash: 73e0e3d0b85c3a6a6f212060d2128daa
humanhash: hotel-diet-west-stairway
File name:Tyrone.dll
Download: download sample
Signature Formbook
Create hunting rule
File size:556'032 bytes
First seen:2024-09-26 11:58:15 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 12288:TmRn7RNMpjuZddnMWIwHGOTFbdDc6h9yHsCGVaP1LSaov2jv:KyjPwHbT/Dv9SGVsdSz2jv
Threatray 3'620 similar samples on MalwareBazaar
TLSH T10AC4BF04FE66DB1ECF5A8AB3C6C64C4497648552ED0BF79B214102E5AD0B3EF8B192C7
TrID 87.2% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter NDA0E
Tags:AlphaBank dll FormBook geo GRC unpacked

Intelligence

File Origin
# of uploads :
1
# of downloads :
399
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Malware.Zusy-10009321-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f54c8856c487103d52c970
Tags:
Malware
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/66f54c8ff71b9c224c1327e0/reports/5db8919c-19b7-4a8e-b7f6-f980a78b65b8/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/29ba93f4a47f80f0a04050e3dbf55618fc2a2a53f54c13f7e4bccbb6c4b78c09
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0c54f95c-7b4b-4dfe-ad39-54d4ebfb57a8
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1519412
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1519412 Sample: Tyrone.dll Startdate: 26/09/2024 Architecture: WINDOWS Score: 60 15 Antivirus / Scanner detection for submitted sample 2->15 17 .NET source code contains potential unpacker 2->17 19 Machine Learning detection for sample 2->19 21 AI detected suspicious sample 2->21 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/29ba93f4a47f80f0a04050e3dbf55618fc2a2a53f54c13f7e4bccbb6c4b78c09
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29ba93f4a47f80f0a04050e3dbf55618fc2a2a53f54c13f7e4bccbb6c4b78c09/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-09-26 12:10:14 UTC
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fg5jh5fep6apbicakdr5x5kwdd6cukst6vgbh57extf3nrfxrqeq._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
29ba93f4a47f80f0a04050e3dbf55618fc2a2a53f54c13f7e4bccbb6c4b78c09
Formbook
43cf51d44bd94222fafaec38a2c80b0fbbecf761ed1cfba369e8e174fc157fb4
Formbook
8c8cad5c12f471f42d5992e71bd32478aedb40af922b03ef4920047012c04d1f
Formbook
8d68ad78eb364b147233b29bbeab6309a47289090ca2672e90fb299a37111f62
Formbook
b5126fd0fbb2ecd8fb2b32b606a4e8ab867bc0758e146d14c88440c1ac9c8f60
Formbook
+ 3'610 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/240926-n5qgmsyglg/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
29ba93f4a47f80f0a04050e3dbf55618fc2a2a53f54c13f7e4bccbb6c4b78c09
MD5 hash:
73e0e3d0b85c3a6a6f212060d2128daa
SHA1 hash:
4e7ad956203d7d3941e2b841b785b545bfb53391
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/4909ef4d-e834-442e-b4ae-ccdc67856426/
Parent samples :
1a375dd13598cd93e502e68f84236b536b9333fc9f1f2db88f2bbbbc67dd04c4
29ba93f4a47f80f0a04050e3dbf55618fc2a2a53f54c13f7e4bccbb6c4b78c09
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29ba93f4a47f80f0a04050e3dbf55618fc2a2a53f54c13f7e4bccbb6c4b78c09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz e5c67222d2b4ad2bcd23d2313240748059be51c81250701e2bbfcac0dd27c684

Formbook

Executable exe 1a375dd13598cd93e502e68f84236b536b9333fc9f1f2db88f2bbbbc67dd04c4

Formbook

DLL dll 29ba93f4a47f80f0a04050e3dbf55618fc2a2a53f54c13f7e4bccbb6c4b78c09

(this sample)

  
Dropped by
SHA256 1a375dd13598cd93e502e68f84236b536b9333fc9f1f2db88f2bbbbc67dd04c4
  
Dropped by
MD5 25e0c13b707f3ebce3f35e806ac547d7

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments