MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb29aeb6ceecc37829b40e36f91a4620d7e0aae16b1ceea70bb70135e11172bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Formbook


Vendor detections: 16



SHA256 hash: bb29aeb6ceecc37829b40e36f91a4620d7e0aae16b1ceea70bb70135e11172bd
SHA3-384 hash: e1ac949b754022fbc45c5e3cd3ce2f6e25f8cd54fa7f39d3067c24a86f7a5fe0019370993fb7522b2952328ae6dc35f9
SHA1 hash: b1d7037b0347bd9c8c215270166b0bcd46b8f8eb
MD5 hash: 3da3fb16927c47114ad0bb865c08467c
humanhash: beer-cardinal-fanta-quiet
File name: SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.16736.4797
Signature: Formbook
File size: 777'728 bytes
First seen: 2024-07-15 05:18:50 UTC
Last seen: 2024-07-31 10:24:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:reUDWx2PQf9TtNBY2JgD9WFtJ0m1+Xeb4/E5xdHKcWA6H4J2jqo/ZoM7+SdvKWny:rzawM9TJY3MbJ1gXRUzHKJNH4wnxotc4
Threatray: 171 similar samples on MalwareBazaar
TLSH: T1C0F4120637E85F58E8BB1BF09274821017B3F1752A36D25F5CE520CC1EB2BD19A5A36B
TrID: 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.2% (.SCR) Windows screen saver (13097/50/3)
      9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE): PE icon
dhash icon: 78dc9adce086c460 (9 x Formbook, 1 x SnakeKeylogger, 1 x AgentTesla)
Reporter: SecuriteInfoCom
Tags: 32x-2024-07-15 exe FormBook

Intelligence


File Origin
# of uploads: 4
# of downloads: 358
Origin country: FR
Vendor Threat Intelligence
Malware family: formbook
ID: 1
File name: bb29aeb6ceecc37829b40e36f91a4620d7e0aae16b1ceea70bb70135e11172bd.exe
Verdict: Malicious activity
Analysis date: 2024-07-15 05:24:14 UTC
Tags: netreactor formbook stealer xloader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: Execution Network Stealth Swotter
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Creating a file
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: masquerade packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: FormBook, PureLog Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Scheduled temp file as task from temp location
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1473157
Sample: SecuriteInfo.com.TrojanLoad...
Startdate: 15/07/2024
Architecture: WINDOWS
Score: 100

Sample root: contacts www.beescy.xyz, www.yetung.com and 19 other IPs or domains. Signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures. Starts SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.16736.4797.exe and jwdzPHVxBgkqwG.exe.
www.beescy.xyz: Performs DNS queries to domains with low reputation.
SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.16736.4797.exe: drops C:\Users\user\AppData\...\jwdzPHVxBgkqwG.exe (PE32), C:\...\jwdzPHVxBgkqwG.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmp659A.tmp (XML) and SecuriteInfo.com.T....16736.4797.exe.log (ASCII). Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures. Starts vbc.exe, powershell.exe and schtasks.exe.
jwdzPHVxBgkqwG.exe: Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file. Starts vbc.exe and schtasks.exe.
vbc.exe (started by the sample): Maps a DLL or memory area into another process; injects into LkVZDUZhelJOQAvKPBQijk.exe.
powershell.exe: Loading BitLocker PowerShell Module; starts WmiPrvSE.exe and conhost.exe.
schtasks.exe (both instances): starts conhost.exe.
vbc.exe (started by jwdzPHVxBgkqwG.exe): injects into LkVZDUZhelJOQAvKPBQijk.exe.
LkVZDUZhelJOQAvKPBQijk.exe (first injected instance): starts sethc.exe.
LkVZDUZhelJOQAvKPBQijk.exe (second injected instance): Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR); starts sethc.exe.
sethc.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures; injects into LkVZDUZhelJOQAvKPBQijk.exe; starts firefox.exe.
LkVZDUZhelJOQAvKPBQijk.exe (injected by sethc.exe): contacts www.beescy.xyz (162.0.213.72, ports 49771, 49772, 49773, ACPCA, Canada), double2nllc.com (157.173.209.16, ports 49755, 49756, 49757, SSHENETUS, United Kingdom) and 12 other IPs or domains; Found direct / indirect Syscall (likely to bypass EDR).
Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2024-07-15 02:52:38 UTC
File Type: PE (.Net Exe)
Extracted files: 14
AV detection: 22 of 38 (57.89%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: execution persistence privilege_escalation
Behaviour
Modifies Internet Explorer settings
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
Suspicious use of SetThreadContext
Checks computer location settings
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: ecd942960bdf6229e36999829d08e39b3df911ffe1aa876ff5e10c758e15aef9
MD5 hash: 937929fba94bbcfba33e5f07894b0211
SHA1 hash: 4b4a1bdd10b05d634a2ed633c11a7a1980d925c5
SHA256 hash: 8309221b129494e58b531e1bb54e12b89d9d2914d893fe831dd19b099aba7331
MD5 hash: b36c15e967699b292c6aec154f26ba7e
SHA1 hash: a55f9f93e516b0edf9c69f94eb5df5984ee83a60
SHA256 hash: 889e804f4fddd39dfa81f31fc52aa59f0d35e89f950264d843fffb65680a2619
MD5 hash: 39f50751db172da75a865312b5a55904
SHA1 hash: dcb952f80e42a2585bfc08d14281fdc07f5d13fb
SHA256 hash: 1bb4840538b8a367866894b14c4aa62c2905fe4ec8ebd633fb8c8c8864a37293
MD5 hash: 222df17caf2704d5edc6772d672cd705
SHA1 hash: 27851dd2812599b460335dd978110260fda327e1
SHA256 hash: 1914c8b4758afa32360cf0d8bdb9e22702af25252404dacd6188c7574948feff
MD5 hash: 4c88049b15b8948db110a66c4210bf1b
SHA1 hash: 057d27b8dd4ef39aaad8b9154244397a5ff2110e
SHA256 hash: bb29aeb6ceecc37829b40e36f91a4620d7e0aae16b1ceea70bb70135e11172bd
MD5 hash: 3da3fb16927c47114ad0bb865c08467c
SHA1 hash: b1d7037b0347bd9c8c215270166b0bcd46b8f8eb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments