MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29d23710bef2e9821a27d4d0a74305d582ba41d206d3b48b6762e4f3d78b19ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29d23710bef2e9821a27d4d0a74305d582ba41d206d3b48b6762e4f3d78b19ba
SHA3-384 hash: 190ff0284a1149bb27910fb3f11a5c6ddb5fb492db1b3348876f36eb2fead1fe98108f4708f55f4d5263d093acabd3fe
SHA1 hash: 584dbf9739eee88ad51030154c64844186d17a3a
MD5 hash: 83ccc444bf7e44e2ed9142e5c975e1dc
humanhash: xray-august-failed-victor
File name:TransferenciaInternacionalemEurosparaPaisesSEPA.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:162'304 bytes
First seen:2022-02-15 10:19:11 UTC
Last seen:2022-02-15 11:47:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:ziQ+B1Y7pOdaPm7z24hMMUcwIeuatsOMoMpY62h+f6XgZPGM:ziQ+d20MMUDjaxoMegfGM
Threatray 13'446 similar samples on MalwareBazaar
TLSH T19FF3FCB4B6D0A917D030C23748924ECB12FC9D506AA21A1EED847727D8F5ECA7945EF3
File icon (PE):PE icon
dhash icon 33cc9af2f29acc33 (2 x Formbook, 1 x CobaltStrike, 1 x LummaStealer)
Reporter FORMALITYDE
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
2
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241580/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.38503.14691.4939.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Сreating synchronization primitives
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/620b7e58a2660f3bb9d974d5/reports/466b98fe-8374-4f79-8310-d2c8ad5b9796/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ace6dfcb-d135-41ad-b7be-e053d68f2304
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/940015
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 572493 Sample: TransferenciaInternacionale... Startdate: 15/02/2022 Architecture: WINDOWS Score: 100 38 google.com 2->38 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 8 other signatures 2->52 8 TransferenciaInternacionalemEurosparaPaisesSEPA.exe 16 6 2->8         started        13 PotPlayerSetup.exe 14 4 2->13         started        15 PotPlayerSetup.exe 3 2->15         started        signatures3 process4 dnsIp5 40 52.161.2.12, 49754, 49774, 49785 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 8->40 42 www.eyeanddesign.com 8->42 44 3 other IPs or domains 8->44 32 C:\Users\user\AppData\...\PotPlayerSetup.exe, PE32 8->32 dropped 34 C:\...\PotPlayerSetup.exe:Zone.Identifier, ASCII 8->34 dropped 36 TransferenciaInter...aPaisesSEPA.exe.log, ASCII 8->36 dropped 56 Tries to detect virtualization through RDTSC time measurements 8->56 58 Injects a PE file into a foreign processes 8->58 17 conhost.exe 8->17         started        19 TransferenciaInternacionalemEurosparaPaisesSEPA.exe 8->19         started        21 PotPlayerSetup.exe 13->21         started        24 conhost.exe 13->24         started        26 PotPlayerSetup.exe 13->26         started        28 conhost.exe 15->28         started        file6 signatures7 process8 signatures9 54 Maps a DLL or memory area into another process 21->54 30 explorer.exe 21->30 injected process10
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/29d23710bef2e9821a27d4d0a74305d582ba41d206d3b48b6762e4f3d78b19ba/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-02-15 10:20:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
34fc8a270fda2856448cb455e3dca4d8210f5e83f25f1fa8339d8f428a449466
Formbook
35f9dd17bfe8b62676bead6a48638b65fd2372b9699cd7572b58e12192143849
Formbook
3c3ef93ea804d5d80ecbdb244ddf7fe2ab657f54089a397f0c79d89dfef5c95c
Formbook
5dde67093b891df286e998912557fa598ebebc662bb30252fbe9ce7798e50242
Formbook
5f079a7612eb05e8574d8604154ea233b8da905cc59ba6fbaa4485c99fc2933e
Formbook
60bf53eb4a1c93e2956fb3bb5f60a18579aeb270206ce6c4a3b32c6c4e9165d2
Formbook
79215526b0229696bf3961e09918bca444cb43b079ca70834c54db52c49c51ac
Formbook
9767d52eebfbf17f2e549a57d68d7f11c199af327eeb20542b39485f883f61e1
Formbook
b972dfd3f5fd6142b67366d223c0056b75d3d93538a7c05ce35e27ad1c9541ed
Formbook
+ 13'436 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:xloader campaign:dcdf loader persistence rat
Link:
https://tria.ge/reports/220215-mc4ywsdgc8/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Xloader Payload
Xloader
Unpacked files
SH256 hash:
29d23710bef2e9821a27d4d0a74305d582ba41d206d3b48b6762e4f3d78b19ba
MD5 hash:
83ccc444bf7e44e2ed9142e5c975e1dc
SHA1 hash:
584dbf9739eee88ad51030154c64844186d17a3a
Link:
https://www.unpac.me/results/2fd65bc2-9afc-43ab-be2a-8d318e45589e/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/29d23710bef2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/29d23710bef2e9821a27d4d0a74305d582ba41d206d3b48b6762e4f3d78b19ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 29d23710bef2e9821a27d4d0a74305d582ba41d206d3b48b6762e4f3d78b19ba

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/241580/

Comments