Edit tour

Windows Analysis Report
Qte2311.exe

Overview

General Information

Sample Name:	Qte2311.exe
Analysis ID:	1345581
MD5:	fde8126bd37c19b5f5d3096012ec9300
SHA1:	e469f910764853a6282199890585ff90921b0474
SHA256:	c3a05d6a46d701f52bad7f04085236bd924e33a7590eca472cf2794cce430374
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Writes to foreign memory regions

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

.NET source code contains very large array initializations

Uses runas.exe to run programs with evaluated privileges

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Qte2311.exe (PID: 7420 cmdline: C:\Users\user\Desktop\Qte2311.exe MD5: FDE8126BD37C19B5F5D3096012EC9300)

Qte2311.exe (PID: 7564 cmdline: C:\Users\user\Desktop\Qte2311.exe MD5: FDE8126BD37C19B5F5D3096012EC9300)

Qte2311.exe (PID: 7580 cmdline: C:\Users\user\Desktop\Qte2311.exe MD5: FDE8126BD37C19B5F5D3096012EC9300)

SoZyKEDyfEWrMWEFcBvwSAkabc.exe (PID: 4600 cmdline: "C:\Program Files (x86)\jFJKUzqwKIBdWDkcySLyDBhTBgNTKdOJMfgYJclsrVfAJDMiwJDDVHpOzszTWBY\SoZyKEDyfEWrMWEFcBvwSAkabc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

runas.exe (PID: 7624 cmdline: C:\Windows\SysWOW64\runas.exe MD5: 13646BC81C39130487DA538B2DED5B28)

SoZyKEDyfEWrMWEFcBvwSAkabc.exe (PID: 2312 cmdline: "C:\Program Files (x86)\jFJKUzqwKIBdWDkcySLyDBhTBgNTKdOJMfgYJclsrVfAJDMiwJDDVHpOzszTWBY\SoZyKEDyfEWrMWEFcBvwSAkabc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 8096 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.4111214775.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4111214775.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x27340:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x137cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.1744367221.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1744367221.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ab23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16fb2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.4109845819.0000000002F90000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4109845819.0000000002F90000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x27340:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x137cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.1744799912.0000000001780000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1744799912.0000000001780000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x27340:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x137cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4112751234.00000000047A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4112751234.00000000047A0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x64054:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x504e3:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.4111173567.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4111173567.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x27340:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x137cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4110917512.0000000002350000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4110917512.0000000002350000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x54973d:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x535bcc:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.1747250479.0000000001B60000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.1747250479.0000000001B60000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x54973d:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x535bcc:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: Qte2311.exe PID: 7420	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Qte2311.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.Qte2311.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ab23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16fb2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.Qte2311.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.Qte2311.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x29d23:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x161b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected FormBook

Source: Yara match	File source: 3.2.Qte2311.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Qte2311.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.4111214775.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1744367221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4109845819.0000000002F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1744799912.0000000001780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4112751234.00000000047A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4111173567.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4110917512.0000000002350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1747250479.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.drtonks.com/	Avira URL Cloud: Label: phishing
Source: http://www.rva.info/u0t4/	Avira URL Cloud: Label: malware
Source: http://www.drtonks.com/u0t4/?ipNhfX=yeZb8GK9kb308m6tqpQSWKVePpKokD/DhHuephdMkCBCe/gXfDvon4YRbmogRZs51d24yXmjv9s2GuQK2J30uG9jNiVx5pUDTA==&DDMD=2V_pWNT8ifT	Avira URL Cloud: Label: phishing
Source: http://www.owcojyyde.best/u0t4/?ipNhfX=T+ktEIOjX9T5dGcj9rUsXIa48WZT28SiLvO+yVBZwvWEp9g0wSKFlyHjxBvBWF4XQFrqNUOHqhRxKaY3zbxWdu06McXUafUYdA==&DDMD=2V_pWNT8ifT	Avira URL Cloud: Label: malware
Source: https://www.rva.info/u0t4/?ipNhfX=0FEhcIE8iszkrFK7conPxoTSm5tbS5zDq5Q/wzqttSHPlx8Adeeig0MIJDbK	Avira URL Cloud: Label: malware
Source: http://www.rva.info/u0t4/?ipNhfX=0FEhcIE8iszkrFK7conPxoTSm5tbS5zDq5Q/wzqttSHPlx8Adeeig0MIJDbK+dlDXWJ9cmev8ZYmFh9Bk+wzUoT6TgNjxSlOMQ==&DDMD=2V_pWNT8ifT	Avira URL Cloud: Label: malware
Source: http://www.owcojyyde.best/u0t4/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.drtonks.com	Virustotal: Detection: 8%	Perma Link
Source: www.rva.info	Virustotal: Detection: 14%	Perma Link
Source: www.arteunmapa.com	Virustotal: Detection: 5%	Perma Link
Source: www.02omn1.cfd	Virustotal: Detection: 10%	Perma Link
Source: http://www.drtonks.com/	Virustotal: Detection: 8%	Perma Link
Source: http://www.rva.info/u0t4/	Virustotal: Detection: 13%	Perma Link

Machine Learning detection for sample

Source: Qte2311.exe

Joe Sandbox ML: detected

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Qte2311.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Qte2311.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Windows Analysis Report
Qte2311.exe