Analysis Report Confirm_Proforma_Invoice.exe

Overview

General Information

Sample Name: Confirm_Proforma_Invoice.exe
Analysis ID: 285107
MD5: 83a87d028c65802af2573c9f30a16510
SHA1: 02d2fd4a5d94583490e24565235830e584f00e54
SHA256: b9225c079305112fcd1d5be698796eb426a668779daff06b99986266c161ab52

Detection

FormBook
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected FormBook
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Confirm_Proforma_Invoice.exe (PID: 7136 cmdline: 'C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe' MD5: 83A87D028C65802AF2573C9F30A16510)
    • vbc.exe (PID: 6148 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 1736 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 6160 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 868 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 6212 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.388955772.0000000002641000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.389276966.0000000003649000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.389276966.0000000003649000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x2f69a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x2f6c12:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x302745:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x302231:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x302847:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x3029bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x2f762a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x3014ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x2f8323:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x308337:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x30933a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.389276966.0000000003649000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x305419:$sqlite3step: 68 34 1C 7B E1
      • 0x30552c:$sqlite3step: 68 34 1C 7B E1
      • 0x305448:$sqlite3text: 68 38 2A 90 C5
      • 0x30556d:$sqlite3text: 68 38 2A 90 C5
      • 0x30545b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x305583:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Confirm_Proforma_Invoice.exe PID: 7136 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Confirm_Proforma_Invoice.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: Confirm_Proforma_Invoice.exe | Virustotal: Detection: 35%
Source: Confirm_Proforma_Invoice.exe | ReversingLabs: Detection: 47%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.389276966.0000000003649000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: Confirm_Proforma_Invoice.exe | Joe Sandbox ML: detected
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 4x nop then jmp 059C9823h | 0_2_059C97E5
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 4x nop then jmp 059C9823h | 0_2_059C8AD0
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 4x nop then jmp 059C9823h | 0_2_059C975B
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_059CAE3A
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_059CAE40
Source: Confirm_Proforma_Invoice.exe, 00000000.00000002.388955772.0000000002641000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.389276966.0000000003649000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.389276966.0000000003649000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.389276966.0000000003649000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: Confirm_Proforma_Invoice.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Confirm_Proforma_Invoice.exe
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_04B6A758 | 0_2_04B6A758
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_04B6C148 | 0_2_04B6C148
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_059C6080 | 0_2_059C6080
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_059CB4A5 | 0_2_059CB4A5
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_059C56B8 | 0_2_059C56B8
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_059C56C8 | 0_2_059C56C8
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_059C0006 | 0_2_059C0006
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_059C0040 | 0_2_059C0040
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_059C6070 | 0_2_059C6070
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_059C0B05 | 0_2_059C0B05
Sample file is different than original file name gathered from version info
Source: Confirm_Proforma_Invoice.exe, 00000000.00000002.388955772.0000000002641000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs Confirm_Proforma_Invoice.exe
Source: Confirm_Proforma_Invoice.exe, 00000000.00000002.388445700.00000000003E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameXiu2.exe: vs Confirm_Proforma_Invoice.exe
Source: Confirm_Proforma_Invoice.exe, 00000000.00000002.392535195.00000000058E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameButterFly.dll< vs Confirm_Proforma_Invoice.exe
Source: Confirm_Proforma_Invoice.exe | Binary or memory string: OriginalFilenameXiu2.exe: vs Confirm_Proforma_Invoice.exe
Yara signature match
Source: 00000000.00000002.389276966.0000000003649000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.389276966.0000000003649000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Confirm_Proforma_Invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Confirm_Proforma_Invoice.exe, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.Confirm_Proforma_Invoice.exe.370000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Confirm_Proforma_Invoice.exe.370000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal96.troj.evad.winEXE@11/1@0/0
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Confirm_Proforma_Invoice.exe.log
Source: Confirm_Proforma_Invoice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Confirm_Proforma_Invoice.exe | Virustotal: Detection: 35%
Source: Confirm_Proforma_Invoice.exe | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe 'C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (5 identical entries in the report)
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (5 identical entries in the report)
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Confirm_Proforma_Invoice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Confirm_Proforma_Invoice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_003780A3 push es; iretd | 0_2_003780FA
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Code function: 0_2_00377F8D push es; iretd | 0_2_003780FA
Source: initial sample | Static PE information: section name: .text entropy: 7.91712933557
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Process information set: NOOPENFILEERRORBOX (32 identical entries in the report)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.388955772.0000000002641000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Confirm_Proforma_Invoice.exe PID: 7136, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Confirm_Proforma_Invoice.exe, 00000000.00000002.388955772.0000000002641000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Confirm_Proforma_Invoice.exe, 00000000.00000002.388955772.0000000002641000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe TID: 7140 | Thread sleep time: -53530s >= -30000s
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe TID: 7156 | Thread sleep time: -922337203685477s >= -30000s
Source: Confirm_Proforma_Invoice.exe, 00000000.00000002.388955772.0000000002641000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Confirm_Proforma_Invoice.exe, 00000000.00000002.388955772.0000000002641000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: Confirm_Proforma_Invoice.exe, 00000000.00000002.388955772.0000000002641000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: Confirm_Proforma_Invoice.exe, 00000000.00000002.388955772.0000000002641000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Process information queried: ProcessInformation
Enables debug privileges
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Memory allocated: page read and write, page guard
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (5 identical entries in the report)
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Queries volume information: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Confirm_Proforma_Invoice.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.389276966.0000000003649000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.389276966.0000000003649000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Masquerading1 | OS Credential Dumping | Security Software Discovery11 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion2 | LSASS Memory | Virtualization/Sandbox Evasion2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing2 | NTDS | System Information Discovery12 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection11 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 285107
Sample: Confirm_Proforma_Invoice.exe
Startdate: 14/09/2020
Architecture: WINDOWS
Score: 96
Signatures shown on the graph: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures
Process tree shown on the graph: Confirm_Proforma_Invoice.exe started; dropped C:\Users\...\Confirm_Proforma_Invoice.exe.log (ASCII); started vbc.exe, vbc.exe, vbc.exe and 2 other processes
