MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f25b28b34acef0c3b8887a5ebefd79440f5dd67a14b804a27bd66879420c80bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f25b28b34acef0c3b8887a5ebefd79440f5dd67a14b804a27bd66879420c80bc
SHA3-384 hash: a2790141224718734ae8a73ec891fdcd2df8dff0c46bf86feae1c5b2ad69a78b4180e1f196fc14246d667559086be220
SHA1 hash: 639c56e56ba08ef28e14697dc8c594451e5cbf0d
MD5 hash: 0496ff74673806173f315fe6f27249c8
humanhash: maryland-jig-white-solar
File name:Tyrone.dll
Download: download sample
Signature Formbook
Create hunting rule
File size:555'008 bytes
First seen:2024-09-21 11:38:14 UTC
Last seen:2024-09-21 11:38:56 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 12288:yxMb7yNKrs3xGBLbj9tY2hFnurMgsWcX+:yJGBfk2hx4Lu
Threatray 4'103 similar samples on MalwareBazaar
TLSH T1EDC4BE15FE66DE1ECF5A8AB3CCD5585453A8C812920BFFDB214202E95D0B7EB8B152C3
TrID 87.2% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.8% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter NDA0E
Tags:dll FormBook geo GRC unpacked

Intelligence

File Origin
# of uploads :
3
# of downloads :
391
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
Win.Malware.Zusy-10009321-0
Create hunting rule

Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66eeb058f129e67ada902571
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/66eeb057800c7315e1cabaab/reports/e6274d25-9c32-43d9-a47e-529280bd5ad1/overview
Verdict:
Malicious
Labled as:
Jalapeno.Generic
Link:
https://www.hybrid-analysis.com/sample/f25b28b34acef0c3b8887a5ebefd79440f5dd67a14b804a27bd66879420c80bc
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7589537a-7d70-4c9a-9ce3-3bccd6123909
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1514928
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1514928 Sample: Tyrone.dll Startdate: 21/09/2024 Architecture: WINDOWS Score: 68 16 18.31.95.13.in-addr.arpa 2->16 18 Antivirus / Scanner detection for submitted sample 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 .NET source code contains potential unpacker 2->22 24 2 other signatures 2->24 8 loaddll32.exe 1 2->8         started        signatures3 process4 process5 10 cmd.exe 1 8->10         started        12 conhost.exe 8->12         started        process6 14 rundll32.exe 10->14         started       
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f25b28b34acef0c3b8887a5ebefd79440f5dd67a14b804a27bd66879420c80bc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f25b28b34acef0c3b8887a5ebefd79440f5dd67a14b804a27bd66879420c80bc/
Threat name:
Win32.Trojan.Jalapeno
Create hunting rule
Status:
Malicious
First seen:
2024-09-21 11:39:04 UTC
File Type:
PE (.Net Dll)
Extracted files:
6
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6jnsrm2kz3ymhoeipjpl57lziqhv3vt2cs4ajit32zuhsqqmqc6a._file
Verdict:
malicious
Label(s):
unknown_loader_037
Create hunting rule
Similar samples:
14ce526032b5ba32eee02d91119ed9fe15b9590b18a359d04627e1e97d7a6e86
Formbook
438b026b52bd8b11d0b752f5734bf8a20275a6746a522c4a8179f2f9030c5fb6
Formbook
619285b6785160f940543292ef2bfdd914a99ad87e0a2472e64ff18c78677047
Formbook
79b1315cab839553008486cf182981ce0a36c1755a83e37f7b107cdb7266f0cb
Formbook
f25b28b34acef0c3b8887a5ebefd79440f5dd67a14b804a27bd66879420c80bc
Formbook
+ 4'093 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/240921-nr99wszhrq/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
f25b28b34acef0c3b8887a5ebefd79440f5dd67a14b804a27bd66879420c80bc
MD5 hash:
0496ff74673806173f315fe6f27249c8
SHA1 hash:
639c56e56ba08ef28e14697dc8c594451e5cbf0d
Detections:
SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24
Create hunting rule
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/1a284eca-5b5d-4fbe-b258-13c9eeb8881f/
Parent samples :
619285b6785160f940543292ef2bfdd914a99ad87e0a2472e64ff18c78677047
f25b28b34acef0c3b8887a5ebefd79440f5dd67a14b804a27bd66879420c80bc
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f25b28b34acef0c3b8887a5ebefd79440f5dd67a14b804a27bd66879420c80bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

gz 1e3ccb19666b70e023fa65f1f259d1db3effef1c29fc139197a328297bc8f133

Formbook

Executable exe 619285b6785160f940543292ef2bfdd914a99ad87e0a2472e64ff18c78677047

Formbook

DLL dll f25b28b34acef0c3b8887a5ebefd79440f5dd67a14b804a27bd66879420c80bc

(this sample)

  
Dropped by
SHA256 619285b6785160f940543292ef2bfdd914a99ad87e0a2472e64ff18c78677047
  
Dropped by
MD5 871432f8f85b81286593553a62c178d2

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments