MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8936c1cd18e085f39f8cb1c4ebacd04573a291e555d420acfb4845320e401aae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Formbook


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8936c1cd18e085f39f8cb1c4ebacd04573a291e555d420acfb4845320e401aae
SHA3-384 hash: d5b7eed95c6d98b74720f315dbb26f07aa9d42e80fccb0fef1b6abb06cc641bbd739bd3e89249431f79d7ed05b7b39bb
SHA1 hash: 989b504c0206753e5f5e7d4e9ed1370c7561959c
MD5 hash: 0defc11a963d8c25ab22aeccefed7564
humanhash: eleven-purple-oscar-emma
File name:obizx.exe
Download: download sample
Signature Formbook
Create hunting rule
File size:555'008 bytes
First seen:2022-04-22 13:44:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:hVy+5c8Xy0Ld1mkEzi+xmMJryTi4RWCQldzLLWoMv786MKAYtv/h:bL5c8Xy0J1Ii+xm0dCQldzLLDMvB3Bdh
Threatray 15'133 similar samples on MalwareBazaar
TLSH T1C3C412113BB4C2A1C87DFBBA64C2254B93F5CA63630D938D1D67627B7961380125E78F
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter James_inthe_box
Tags:exe FormBook

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265830/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.57965.14276.6781.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/6262b1631d3278f8e30fad76/reports/66d16037-d19a-4ce4-86d4-de3e94e7a4c8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5f3c4344-e1ab-4ea8-bbfe-03d78a2c14c4
Result
Threat name:
FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/981423
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Self deletion via cmd delete
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 613909 Sample: obizx.exe Startdate: 22/04/2022 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 6 other signatures 2->42 10 obizx.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\Local\...\obizx.exe.log, ASCII 10->28 dropped 54 Tries to detect virtualization through RDTSC time measurements 10->54 56 Injects a PE file into a foreign processes 10->56 14 obizx.exe 10->14         started        signatures5 process6 signatures7 58 Modifies the context of a thread in another process (thread injection) 14->58 60 Maps a DLL or memory area into another process 14->60 62 Sample uses process hollowing technique 14->62 64 Queues an APC in another process (thread injection) 14->64 17 explorer.exe 14->17 injected process8 dnsIp9 30 www.vpdigittmailserver.agency 17->30 32 www.iberso.com 17->32 34 2 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 cmd.exe 17->21         started        signatures10 process11 signatures12 46 Self deletion via cmd delete 21->46 48 Modifies the context of a thread in another process (thread injection) 21->48 50 Maps a DLL or memory area into another process 21->50 52 Tries to detect virtualization through RDTSC time measurements 21->52 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
Detection:
formbook
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8936c1cd18e085f39f8cb1c4ebacd04573a291e555d420acfb4845320e401aae/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-04-22 12:51:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
17 of 26 (65.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=re3mdtiy4cc7hh4mwhcoxlgqivz2fepfkxkcblh3jbctedsadkxa._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
043b45f9d94820186d7324c5f6e0fd7661de15ad29104fd43294e2f3839efa06
Formbook
2c797f8b23257f74c2dd577dad2c2c6cdab90dfa57a57f2f89a8a54036c6852c
Formbook
3662913e3004f6e3811499a9877265b55fd4b99400607d2f4b4168dc2621f1ab
Formbook
3bc25439a27fa2e9385f42bfc9b9a6caa56dc076ccc07fd2aa4684c0292c9622
Formbook
4cc5a0fb10d6235a197da2d08df9af6afae59ceaffb0c7054cfb087eb5c039b6
Formbook
5aad7a3f3d55c4741d8a79b59e0e9f922d375adab9f998ababc03a88a2feb27c
Formbook
8ddc14ac94185fbe27b3764fb4e24fd8c25626a465074e8f640955a6f3409c08
Formbook
8e079aa4afe26627a784ac447071b5dcd460ba1393851199e21da312a6ff2f18
Formbook
92c90d735148f7fd056e2d53bf44239f3fdab6b029e78d3ed6077d9c7f40aef2
Formbook
b8c628fdb35b1082bfe51ee070939de02a265a74adc8c4b35552076cd8dde378
Formbook
+ 15'123 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook campaign:o20a rat spyware stealer trojan
Link:
https://tria.ge/reports/220422-q2dd1scfe3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Deletes itself
Formbook Payload
Formbook
Unpacked files
SH256 hash:
ecce2bf50ed76bb4fd4bdaf8d70fa44f0376c69ce02b08cda769ce9ccae021da
MD5 hash:
596b01695d848ea1b59c443c1a25ea64
SHA1 hash:
053a984a05393ec355c484c92614215f2d2cc33b
Detections:
win_formbook_g0
Create hunting rule
win_formbook_auto
Create hunting rule
Link:
https://www.unpac.me/results/9896c295-0f95-4a48-b4ad-73486934584d/
Parent samples :
8936c1cd18e085f39f8cb1c4ebacd04573a291e555d420acfb4845320e401aae
95c30ee77cf4d9e39a29a1dff147a9154b0dd7a6499b9deae1537d3ecabf4774
SH256 hash:
1e9d8f1631b81431aed42baadce0dbb785df7c4dfed86cf9695e38e840a80899
MD5 hash:
307d05c3b9a1f29d1d07dbf61872538a
SHA1 hash:
ccfa793550a2f47d53f194dfc19b40403e7394c3
Link:
https://www.unpac.me/results/9896c295-0f95-4a48-b4ad-73486934584d/
SH256 hash:
9b33aaa1c16dbf179b23e71bec8769068ed81d0ede0ed70664796585cc3c3915
MD5 hash:
489646bf337d53053fc859324c87fcd2
SHA1 hash:
3e1ef86966e12b5b6dc79965c5e955c4960bf9a5
Link:
https://www.unpac.me/results/9896c295-0f95-4a48-b4ad-73486934584d/
SH256 hash:
8e1b71477c489cbc954c8d54d08284f759ab2cd1b65050128ecbda9ebe16904d
MD5 hash:
b477c0f043954b457d5f0f91327ec606
SHA1 hash:
0db8774ef3e2b8245504f66a35afcf987ebdaaba
Link:
https://www.unpac.me/results/9896c295-0f95-4a48-b4ad-73486934584d/
SH256 hash:
8936c1cd18e085f39f8cb1c4ebacd04573a291e555d420acfb4845320e401aae
MD5 hash:
0defc11a963d8c25ab22aeccefed7564
SHA1 hash:
989b504c0206753e5f5e7d4e9ed1370c7561959c
Link:
https://www.unpac.me/results/9896c295-0f95-4a48-b4ad-73486934584d/
Malware family:
FormBook
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8936c1cd18e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8936c1cd18e085f39f8cb1c4ebacd04573a291e555d420acfb4845320e401aae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/265830/

Comments