Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1.exe

Overview

General Information

Sample Name:1.exe
Analysis ID:1345564
MD5:60ff6dcfe9ed4741b4ffb91cd3bd6895
SHA1:89bec9456328957250b9ec8b30ec87495ab1a2e1
SHA256:6d923f02c2252e4a2ea98a8685fc5237354e2853791855f1a451a390dd85cbb9
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
.NET source code contains very large array initializations
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to resolve many domain names, but no domain seems valid
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • 1.exe (PID: 1892 cmdline: C:\Users\user\Desktop\1.exe MD5: 60FF6DCFE9ED4741B4FFB91CD3BD6895)
    • 1.exe (PID: 2136 cmdline: C:\Users\user\Desktop\1.exe MD5: 60FF6DCFE9ED4741B4FFB91CD3BD6895)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • colorcpl.exe (PID: 3716 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)
          • cmd.exe (PID: 2212 cmdline: /c del "C:\Users\user\Desktop\1.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 3948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.switchtoambitwithmirtha.com/jskg/"], "decoy": ["jajaten.com", "pnorg.net", "rccarquibogota.com", "marcomarabiamea.com", "theligue.com", "mdearpet.com", "barokahsrivillage.com", "wisdomtoothguru.com", "srteamsex.com", "erotictoybox.com", "278698.com", "victimaccidents.com", "bootyfashions.com", "stomasto.site", "canalysisconsulting.com", "printandmail.legal", "bestcureforbackpain.com", "apanifitness.com", "smartabletech.com", "facialsteamerofficial.com", "cookclassesfishes.com", "ayanmobile.com", "cannapharmaus.com", "lactationdrink.com", "enrgsystems.info", "f1leghecodemasters.net", "topazkibblez.com", "appbecause.com", "256barrington.com", "snapmoneyexchangellc.com", "kriolland.com", "7255399.com", "realoneathletics.info", "illustriousevents.com", "moonman.services", "dog2meeting.com", "successwithyolandafgreen.com", "freshlookconsulting.net", "3bcreditwatch.com", "lacroixundkress.com", "beaujolaisboston.com", "breakawayfc.com", "bollmasonry.com", "jiujitsuspa.com", "zirangaobai.com", "capitalmedicalsupplies.net", "swavhca.com", "pereiranatalia.com", "lbarco.com", "revistabrasileiramarketing.info", "carportaccessory.com", "kvrkl.com", "handledlife.com", "groups-post-sales-2678493.xyz", "rapidprintz.com", "buzzkeel.com", "divinityemerald.com", "ppc-listing.info", "coryfireshop.com", "mimipopuppicnics.com", "votehealey.com", "saraadamchak.com", "winwinwin365.net", "tprmt.com"]}
SourceRuleDescriptionAuthorStrings
00000002.00000002.2046232928.0000000001270000.00000040.00000800.00020000.00000000.sdmpWindows_Trojan_Diceloader_15eeb7b9unknownunknown
  • 0xa085:$a2: E9 E8 61 FF FF C3 E8
00000003.00000002.4456583793.00000000103B0000.00000040.80000000.00040000.00000000.sdmpWindows_Trojan_Diceloader_15eeb7b9unknownunknown
  • 0x43085:$a2: E9 E8 61 FF FF C3 E8
00000004.00000002.4449703704.0000000004C50000.00000040.00000800.00020000.00000000.sdmpWindows_Trojan_Diceloader_15eeb7b9unknownunknown
  • 0xa085:$a2: E9 E8 61 FF FF C3 E8
00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000004.00000002.4449219136.00000000030B0000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      Click to see the 31 entries
      SourceRuleDescriptionAuthorStrings
      2.2.1.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        2.2.1.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          2.2.1.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
          • 0x5371:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x19cb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x89bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x13a87:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          2.2.1.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          2.2.1.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
          • 0x158a9:$sqlite3step: 68 34 1C 7B E1
          • 0x159bc:$sqlite3step: 68 34 1C 7B E1
          • 0x158d8:$sqlite3text: 68 38 2A 90 C5
          • 0x159fd:$sqlite3text: 68 38 2A 90 C5
          • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
          • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C