Windows Analysis Report
r14836901-5B4A-.exe

Overview

General Information

Sample name:r14836901-5B4A-.exe
Analysis ID:1455408
MD5:d5867544e7fb701fb71e72cf8caf8df8
SHA1:4d4d42bb8a49013f6804e5c21d35fd8da6d141b2
SHA256:d8d23e874918f7f77e8ac832e69adef1bda5244e403364a6ad5cb18e8ecbcb5e

Detection

FormBook, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
Yara detected GuLoader
Submitted sample is a known malware sample
Maps a DLL or memory area into another process
Mass process execution to delay analysis
Obfuscated command line found
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shut down / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different from the original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification