MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2b010fbc0202fa72ce504bcf841e117e4e52158c6d97a2830ede547f9f89e6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	d2b010fbc0202fa72ce504bcf841e117e4e52158c6d97a2830ede547f9f89e6c
SHA3-384 hash:	bccd7d3e06637a21ae99bc531d836c2899d35f5662a01bacf7d7448319d5b3d041c4ab7ccb0971138bfb7cafa6e94bf9
SHA1 hash:	ec7d99893f490a1278cc44d15dbcd4e4913411c1
MD5 hash:	101d83cd768b6024fad35f48be05f195
humanhash:	triple-emma-double-mirror
File name:	obizx.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	543'232 bytes
First seen:	2021-11-19 21:44:35 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:8ThtD00Lu5fPNEAs4xPb5UZKGuo0Ft5loH:qhC0+N9FPiZgoWloH
Threatray	11'391 similar samples on MalwareBazaar
TLSH	T16AC4018037EC5786DEB88BF80A71C85123717D1B59A9D65EADC621CE0435F40AB62FB3
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

obizx.exe

Verdict:

Malicious activity

Analysis date:

2021-11-19 21:52:16 UTC

Tags:

trojan formbook stealer

Link:

https://app.any.run/tasks/e051b6ea-e18b-488a-a904-db1daaabd4fb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Gathering data

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1104.13365.1678.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Unauthorized injection to a recently created process

Creating a file

Searching for synchronization primitives

Launching a process

Сreating synchronization primitives

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61981ae243e8f62b669afb9b/reports/49f5bbb0-8433-441a-bb2c-5cbf99c57a1a/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/01ac6269-e736-4d8c-a161-fcc8e9c4d533

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/892948

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Self deletion via cmd delete

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected AntiVM3

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/d2b010fbc0202fa72ce504bcf841e117e4e52158c6d97a2830ede547f9f89e6c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-11-19 16:34:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

19 of 27 (70.37%)

Threat level:

5/5

Verdict:

malicious

Label(s):

formbook

Formbook

425d46c51bf681a37b1f34a602ebf6c7f571060bf698e70f2fd495169f804f92

Formbook

5aad7a3f3d55c4741d8a79b59e0e9f922d375adab9f998ababc03a88a2feb27c

Formbook

754a9c7607d3b754e5adab5f2a54a78d7596d2f73096bf4d529012e705cb1230

Formbook

b7602e7d309795640e020a679f93dfd3cb890bc9073a8ead233ab5323c6e0551

Formbook

f0ce3a965f349d9686220460f1e32e3099352990b775521f9db8e45722a38729

Formbook

f6c1dc28509953d4c7df0cd272714f2ba3de92f85b2ba90d071710580f1df635

Formbook

fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf

Formbook

+ 11'381 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ob7y rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/211119-1l3dbabfgk/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook Payload

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

Malware Config

C2 Extraction:

http://www.metanewsroom.net/ob7y/

Unpacked files

SH256 hash:

2da5a77c6251c64099055f36662277c298c83062c5c14dfdd5089319ce85a053

MD5 hash:

a766f9394fe7d0012da3ec32f533f081

SHA1 hash:

428115ad57dcbc26b22c151419509827f31882fa

Detections:

win_formbook_g0

win_formbook_auto

Link:

https://www.unpac.me/results/ef580a20-6355-4d36-85a4-60a3b6e0d20c/

Parent samples :

754a9c7607d3b754e5adab5f2a54a78d7596d2f73096bf4d529012e705cb1230
fd2a0d7069cb20517cf2fafcdc12a7d3bd253a3f15d3bd2a66794acdfa928ddf
d2b010fbc0202fa72ce504bcf841e117e4e52158c6d97a2830ede547f9f89e6c
25d0f96b71b8f658d323fd6c0a0ed6051a03b5374324f56ee420fab8f5f5cf97
0626da1000aa221c4f0c47872a0f33eabff9d952bdca540c6e35083e8a0ffabe

SH256 hash:

a3149376c0faec24f9711802230b966a59324c58e1a832f497c62e2f60b79a6b

MD5 hash:

38f238f4944a4e7627bde55a91d2083e

SHA1 hash:

7f2664167a4f01abf75709ad00997aae981f58f6

Link:

https://www.unpac.me/results/ef580a20-6355-4d36-85a4-60a3b6e0d20c/

SH256 hash:

cc5c5860e83b708cd158454165cbeb714767119946049de5aa7677685be75c14

MD5 hash:

83cbea4dec6e5b64a85ee9b6f9ff7598

SHA1 hash:

5c1d12b792c32ba73b7bf2634da5e4d9fbcd7d4e

Link:

https://www.unpac.me/results/ef580a20-6355-4d36-85a4-60a3b6e0d20c/

SH256 hash:

d2b010fbc0202fa72ce504bcf841e117e4e52158c6d97a2830ede547f9f89e6c

MD5 hash:

101d83cd768b6024fad35f48be05f195

SHA1 hash:

ec7d99893f490a1278cc44d15dbcd4e4913411c1

Link:

https://www.unpac.me/results/ef580a20-6355-4d36-85a4-60a3b6e0d20c/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/d2b010fbc020/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d2b010fbc0202fa72ce504bcf841e117e4e52158c6d97a2830ede547f9f89e6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/207695/

URLhaus

https://urlhaus.abuse.ch/url/1797602/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample