Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report


General Information

Sample name:r14836901-5B4A-.exe
Analysis ID:1455408


FormBook, GuLoader
Range:0 - 100


Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
Yara detected GuLoader
Submitted sample is a known malware sample
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Obfuscated command line found
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match