MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d
SHA3-384 hash: be67e0bf24877fc61b49209419b9fec679dd83871a47af0117157ac44096610bac997bc1e9f771bdefd751df0b810016
SHA1 hash: 993e4e36fe6718e67d616d6662e1624e831c020e
MD5 hash: 90cafbae85d97e06bb4d20f1283dd5b8
humanhash: august-july-johnny-oranges
File name:IMG0038.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:1'311'744 bytes
First seen:2021-09-01 07:31:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'453 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 24576:lOGA8h16GMR06hLnLNXxKKWaGQy6C7xd1St8cBipFcUIZnSZ0MXAGfF:HAm6D06hV7GQy6C7o8c+WNSZ0l
Threatray 8'723 similar samples on MalwareBazaar
TLSH T12255128E7610759FC627C97BDA981C209A707036570BE243A05325EEAE4E79BCF161F3
dhash icon ae53d212daccccca (8 x Formbook, 4 x AsyncRAT, 1 x NetWire)
Reporter GovCERT_CH
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG0038.exe
Verdict:
Malicious activity
Analysis date:
2021-09-01 07:35:05 UTC
Tags:
trojan rat asyncrat
Link:
https://app.any.run/tasks/d110a016-a25d-48f1-9640-3ecf8db733b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Formbook
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184389/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Deleting a recently created file
Launching a process
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Unauthorized injection to a recently created process
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ca50ab3d-eea7-477b-8dd9-9847df4ef9dd
Result
Threat name:
AsyncRAT FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/843160
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 475591 Sample: IMG0038.exe Startdate: 01/09/2021 Architecture: WINDOWS Score: 100 72 www.lanzamientosbimbocolombia.com 2->72 90 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->90 92 Multi AV Scanner detection for domain / URL 2->92 94 Found malware configuration 2->94 96 12 other signatures 2->96 12 IMG0038.exe 7 2->12         started        signatures3 process4 file5 64 C:\Users\user\AppData\...\UlszDwXwkoOpzV.exe, PE32 12->64 dropped 66 C:\...\UlszDwXwkoOpzV.exe:Zone.Identifier, ASCII 12->66 dropped 68 C:\Users\user\AppData\Local\...\tmp720B.tmp, XML 12->68 dropped 70 C:\Users\user\AppData\...\IMG0038.exe.log, ASCII 12->70 dropped 112 Uses schtasks.exe or at.exe to add and modify task schedules 12->112 114 Injects a PE file into a foreign processes 12->114 16 IMG0038.exe 4 12->16         started        19 schtasks.exe 1 12->19         started        21 IMG0038.exe 12->21         started        signatures6 process7 file8 58 C:\Users\user\AppData\Local\...\windows.exe, PE32 16->58 dropped 60 C:\Users\user\AppData\Local\...\security.exe, PE32 16->60 dropped 23 security.exe 3 16->23         started        26 windows.exe 6 16->26         started        30 conhost.exe 19->30         started        process9 dnsIp10 98 Machine Learning detection for dropped file 23->98 100 Tries to detect virtualization through RDTSC time measurements 23->100 102 Injects a PE file into a foreign processes 23->102 32 security.exe 23->32         started        76 192.168.2.1 unknown unknown 26->76 62 C:\Users\user\AppData\Roaming\RjOECz.exe, PE32 26->62 dropped 35 windows.exe 2 26->35         started        38 schtasks.exe 1 26->38         started        file11 signatures12 process13 dnsIp14 82 Modifies the context of a thread in another process (thread injection) 32->82 84 Maps a DLL or memory area into another process 32->84 86 Sample uses process hollowing technique 32->86 88 Queues an APC in another process (thread injection) 32->88 40 wlanext.exe 32->40         started        43 explorer.exe 32->43 injected 46 autochk.exe 32->46         started        48 autoconv.exe 32->48         started        74 podzeye.duckdns.org 194.233.74.91, 4442, 49709 NEXINTO-DE Germany 35->74 50 conhost.exe 38->50         started        signatures15 process16 dnsIp17 104 Modifies the context of a thread in another process (thread injection) 40->104 106 Maps a DLL or memory area into another process 40->106 108 Tries to detect virtualization through RDTSC time measurements 40->108 52 cmd.exe 40->52         started        78 www.jedshomebuilders.com 43->78 80 jedshomebuilders.com 34.102.136.180, 49721, 80 GOOGLEUS United States 43->80 110 System process connects to network (likely due to code injection or exploit) 43->110 54 autoconv.exe 43->54         started        signatures18 process19 process20 56 conhost.exe 52->56         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-09-01 03:12:40 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=boffzprdnjyfpiuqj4meqc4fz2nvtoerycq2aqkrmjengv3aorgq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
formbook
Create hunting rule
Similar samples:
3ede9e9bdf0965f93b5351cc4be670b30934bc39aca24a3f3ac5f245f47c5073
Formbook
4ed49588d6356f63895a1674a3ab5351199e4c4a8af4c825cc7d2b7dd79bffbc
Formbook
65a0c46c6663e844e38abc9cb562b1b1e8866be3d1c3616960379693db717463
Formbook
91cdb947644a5a802adac7583a79e7e560da38839489a02e7464730ff66fd004
Formbook
ab96b6ac9080fe40003b5259931da0e8fae1d5e57d602991d8bb06fa712bdd9b
Formbook
b38eadc0a59ed8405656c9445912f644724ed07ce9086e0183a6b086460f20e6
Formbook
f8e8f64bb17ffb2fea18b7671602a76a8b5734607c7a7ae035dce8eed8381a74
Formbook
f8f02165547227a6692d503cf1203dcaf2d43b58219bb78cb0e42895f49a8121
Formbook
+ 8'713 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:formbook campaign:kkt rat spyware stealer suricata trojan
Link:
https://tria.ge/reports/210901-rgypzmkaxn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Async RAT payload
Formbook Payload
AsyncRat
Formbook
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
podzeye.duckdns.org:4422
podzeye.duckdns.org:4442
podzeye.duckdns.org:4433
http://www.hometowncashbuyersgroup.com/kkt/
Unpacked files
SH256 hash:
405347d2de9de447397e65a4e8f3db934851cfc59941b160c719b4f7d0885a83
MD5 hash:
7c513c89db11c2038fe6be0a0c37f853
SHA1 hash:
fe7e24a11be4cd446bd3dc912488440d1d990db1
Link:
https://www.unpac.me/results/bd1a0853-9700-4c62-86cd-479d0cb04c12/
SH256 hash:
405335460192bce34011f2ca877ee3a4ff9fe17f8607a9120ae8948eee9120c3
MD5 hash:
86e9495b7a6a0460521c8aa028637cee
SHA1 hash:
4dc9573d5a639e787c9902d2cff059a8a4cd183b
Link:
https://www.unpac.me/results/bd1a0853-9700-4c62-86cd-479d0cb04c12/
SH256 hash:
b79bb97ef26e00247841bc1ad84baab9c20c0853150072a01599df969a28ba21
MD5 hash:
f63388e4df88780823c9b29d29b63dc9
SHA1 hash:
2e5334b1c9bc07cce58b858e356433a25d334a13
Link:
https://www.unpac.me/results/bd1a0853-9700-4c62-86cd-479d0cb04c12/
SH256 hash:
115a9a516484e019afb234e2c473cb0cf38cd2f97759887166c6ab375bcec0b5
MD5 hash:
43481e0a93b6db262eb7fe65c1bc9d0f
SHA1 hash:
2614d3bc17ee123f088ac4b78ed0cfb55da537f9
Link:
https://www.unpac.me/results/bd1a0853-9700-4c62-86cd-479d0cb04c12/
SH256 hash:
9a569be1313734a7a5657149f890204e1246833e80ac0e45c15b9ebc972cfa99
MD5 hash:
db1ca79a10eb8debc020653b67a41ed4
SHA1 hash:
c9aff868749946879d85e0c75c11a085d3c244c2
Link:
https://www.unpac.me/results/bd1a0853-9700-4c62-86cd-479d0cb04c12/
SH256 hash:
0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d
MD5 hash:
90cafbae85d97e06bb4d20f1283dd5b8
SHA1 hash:
993e4e36fe6718e67d616d6662e1624e831c020e
Link:
https://www.unpac.me/results/bd1a0853-9700-4c62-86cd-479d0cb04c12/
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0b8a5cbe236a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Formbook

Executable exe 0b8a5cbe236a7057a2904f18480b85ce9b59b891c0a1a041516248d35760744d

(this sample)

  
Dropped by
Formbook
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/184389/

Comments