
Analysis Report po.no.4414463099.exe

Overview

General Information

Sample Name: po.no.4414463099.exe
Analysis ID: 299466
MD5: 628b560274bb0807824cb9b06a8d669a
SHA1: 887600f411d15a4e53b69b0c857057cb918ab284
SHA256: 201e2fd48dfdd75ee8abf1ad910deb3ffa1784ae0229fe7588b2b54119409aee
Tags: exe, Formbook

Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Yara detected FormBook
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • po.no.4414463099.exe (PID: 5548 cmdline: 'C:\Users\user\Desktop\po.no.4414463099.exe' MD5: 628B560274BB0807824CB9B06A8D669A)
    • po.no.4414463099.exe (PID: 6100 cmdline: C:\Users\user\Desktop\po.no.4414463099.exe MD5: 628B560274BB0807824CB9B06A8D669A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.493750211.0000000003819000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000000.00000002.493750211.0000000003819000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
    • 0x67650:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x678ca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x733ed:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x72ed9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x734ef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x73667:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x682e2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x72154:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x68fdb:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x7925f:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x7a262:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000000.00000002.493750211.0000000003819000.00000004.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
    • 0x76181:$sqlite3step: 68 34 1C 7B E1
    • 0x76294:$sqlite3step: 68 34 1C 7B E1
    • 0x761b0:$sqlite3text: 68 38 2A 90 C5
    • 0x762d5:$sqlite3text: 68 38 2A 90 C5
    • 0x761c3:$sqlite3blob: 68 53 D8 7F 8C
    • 0x762eb:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000000.00000002.492705357.0000000002811000.00000004.00000001.sdmp
Rule: JoeSecurity_AntiVM_3
Description: Yara detected AntiVM_3
Author: Joe Security

Source: Process Memory Space: po.no.4414463099.exe PID: 5548
Rule: JoeSecurity_AntiVM_3
Description: Yara detected AntiVM_3
Author: Joe Security
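The two community rules above match on fixed byte sequences, so their hits can be reproduced on a dump without yara-python. The following is an added example, not part of the report and not the source of either rule: it takes the hex strings listed above, treats the three JPCERT strings as the x86 `push imm32` instructions they are (opcode 0x68 plus a little-endian constant), scans a buffer for every occurrence and prints hits in the report's `offset:$name` form. The conditions (7 of 10 sequences for Formbook_1, all three pushes for the JPCERT rule), the planted offsets and the zero-filled stand-in dump are assumptions constructed for the example.

```python
"""Re-implement the byte-pattern checks of the two FormBook Yara rules.

Added example; assumptions (rule conditions, sample dump layout) are marked.
"""
from typing import Dict, List

# Hex strings copied from the Yara Overview (yara-signator rule Formbook_1).
FORMBOOK_1_SEQUENCES = {
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "sequence_8": "3C 54 74 04 3C 74 75 F4",
    "sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}

# JPCERT/CC strings: each is `push imm32` (0x68 + little-endian dword),
# so they are stored here as the constants being pushed.
JPCERT_PUSH_CONSTANTS = {
    "sqlite3step": 0xE17B1C34,  # 68 34 1C 7B E1
    "sqlite3text": 0xC5902A38,  # 68 38 2A 90 C5
    "sqlite3blob": 0x8C7FD853,  # 68 53 D8 7F 8C
}


def push_imm32(value: int) -> bytes:
    """Encode `push imm32` for a 32-bit constant."""
    return b"\x68" + value.to_bytes(4, "little")


def all_patterns() -> Dict[str, bytes]:
    pats = {n: bytes.fromhex(h) for n, h in FORMBOOK_1_SEQUENCES.items()}
    pats.update({n: push_imm32(v) for n, v in JPCERT_PUSH_CONSTANTS.items()})
    return pats


def scan(buf: bytes) -> Dict[str, List[int]]:
    """Every offset at which each pattern occurs (overlapping hits allowed)."""
    hits: Dict[str, List[int]] = {}
    for name, pat in all_patterns().items():
        offs, start = [], 0
        while (i := buf.find(pat, start)) != -1:
            offs.append(i)
            start = i + 1
        hits[name] = offs
    return hits


def matched_rules(hits: Dict[str, List[int]], formbook_1_threshold: int = 7) -> List[str]:
    """ASSUMPTION: Formbook_1 needs 7 of its 10 sequences (the usual
    yara-signator condition); the JPCERT rule needs all three pushes."""
    rules = []
    if sum(1 for n in FORMBOOK_1_SEQUENCES if hits[n]) >= formbook_1_threshold:
        rules.append("Formbook_1")
    if all(hits[n] for n in JPCERT_PUSH_CONSTANTS):
        rules.append("Formbook (JPCERT/CC)")
    return rules


def format_hits(hits: Dict[str, List[int]]) -> List[str]:
    """Render hits the way the report does: 0x67650:$sequence_0."""
    return [f"0x{off:x}:${name}" for name, offs in hits.items() for off in offs]


def build_sample_dump() -> bytes:
    """Constructed stand-in for the .sdmp dump: zero filler with patterns
    planted at arbitrary offsets (these are NOT the report's offsets)."""
    layout = [("sequence_0", 0x100), ("sequence_0", 0x180), ("sequence_1", 0x200),
              ("sequence_2", 0x280), ("sequence_3", 0x300), ("sequence_5", 0x380),
              ("sequence_7", 0x400), ("sequence_9", 0x480), ("sqlite3step", 0x500),
              ("sqlite3text", 0x580), ("sqlite3blob", 0x600)]
    buf, pats = bytearray(0x800), all_patterns()
    for name, off in layout:
        buf[off:off + len(pats[name])] = pats[name]
    return bytes(buf)


if __name__ == "__main__":
    h = scan(build_sample_dump())
    print("\n".join(format_hits(h)))
    print("matched:", matched_rules(h))
```

To run this against a real dump, replace `build_sample_dump()` with the bytes of the `.sdmp` file; the offsets then line up with the report's Strings column. Note that the pattern scan only reproduces the rules' string matches, not any further condition the rule sources may impose.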

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: po.no.4414463099.exe  Virustotal: Detection: 28%
Source: po.no.4414463099.exe  ReversingLabs: Detection: 18%
Yara detected FormBook
Source: Yara match  File source: 00000000.00000002.493750211.0000000003819000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: po.no.4414463099.exe  Joe Sandbox ML: detected
Source: po.no.4414463099.exe, 00000000.00000002.492705357.0000000002811000.00000004.00000001.sdmp  String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud:

Yara detected FormBook
Source: Yara match  File source: 00000000.00000002.493750211.0000000003819000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.493750211.0000000003819000.00000004.00000001.sdmp, type: MEMORY  Matched rule: autogenerated rule brought to you by yara-signator  Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.493750211.0000000003819000.00000004.00000001.sdmp, type: MEMORY  Matched rule: detect Formbook in memory  Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Code function: 0_2_00BF9DA8
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Code function: 0_2_00BFCB50
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Code function: 0_2_00BF9984
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Code function: 0_2_027EB1F8
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Code function: 0_2_027E8448
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Code function: 0_2_027EE560
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Code function: 0_2_027EAA90
Source: po.no.4414463099.exe, 00000000.00000000.223821963.000000000038E000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameKeLF.exe6 vs po.no.4414463099.exe
Source: po.no.4414463099.exe, 00000000.00000002.496943516.00000000058B0000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameKedermister.dllT vs po.no.4414463099.exe
Source: po.no.4414463099.exe, 00000000.00000002.492705357.0000000002811000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameexag vs po.no.4414463099.exe
Source: po.no.4414463099.exe, 00000001.00000000.230176994.000000000071E000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameKeLF.exe6 vs po.no.4414463099.exe
Source: po.no.4414463099.exe  Binary or memory string: OriginalFilenameKeLF.exe6 vs po.no.4414463099.exe
Source: 00000000.00000002.493750211.0000000003819000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.493750211.0000000003819000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: po.no.4414463099.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine  Classification label: mal80.troj.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: po.no.4414463099.exe  Virustotal: Detection: 28%
Source: po.no.4414463099.exe  ReversingLabs: Detection: 18%
Source: unknown  Process created: C:\Users\user\Desktop\po.no.4414463099.exe 'C:\Users\user\Desktop\po.no.4414463099.exe'
Source: unknown  Process created: C:\Users\user\Desktop\po.no.4414463099.exe C:\Users\user\Desktop\po.no.4414463099.exe
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Process created: C:\Users\user\Desktop\po.no.4414463099.exe C:\Users\user\Desktop\po.no.4414463099.exe
Source: C:\Users\user\Desktop\po.no.4414463099.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: po.no.4414463099.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: po.no.4414463099.exe  Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Code function: 0_2_00BF665A push ds; ret 0_2_00BF665F
Source: initial sample  Static PE information: section name: .text entropy: 7.59604779809
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Process information set: NOOPENFILEERRORBOX (reported 30 times)

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match  File source: 00000000.00000002.492705357.0000000002811000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: Process Memory Space: po.no.4414463099.exe PID: 5548, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: po.no.4414463099.exe, 00000000.00000002.492705357.0000000002811000.00000004.00000001.sdmp  Binary or memory string: SBIEDLL.DLL
Source: po.no.4414463099.exe, 00000000.00000002.492705357.0000000002811000.00000004.00000001.sdmp  Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\po.no.4414463099.exe TID: 6116  Thread sleep time: -52488s >= -30000s
Source: all processes  Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: po.no.4414463099.exe, 00000000.00000002.492705357.0000000002811000.00000004.00000001.sdmp  Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: po.no.4414463099.exe, 00000000.00000002.492705357.0000000002811000.00000004.00000001.sdmp  Binary or memory string: vmware
Source: po.no.4414463099.exe, 00000000.00000002.492705357.0000000002811000.00000004.00000001.sdmp  Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: po.no.4414463099.exe, 00000000.00000002.492705357.0000000002811000.00000004.00000001.sdmp  Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Process created: C:\Users\user\Desktop\po.no.4414463099.exe C:\Users\user\Desktop\po.no.4414463099.exe
Source: po.no.4414463099.exe, 00000000.00000002.492343417.0000000001270000.00000002.00000001.sdmp  Binary or memory string: uProgram Manager
Source: po.no.4414463099.exe, 00000000.00000002.492343417.0000000001270000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
Source: po.no.4414463099.exe, 00000000.00000002.492343417.0000000001270000.00000002.00000001.sdmp  Binary or memory string: Progman
Source: po.no.4414463099.exe, 00000000.00000002.492343417.0000000001270000.00000002.00000001.sdmp  Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Queries volume information: C:\Users\user\Desktop\po.no.4414463099.exe VolumeInformation
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\po.no.4414463099.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
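The evasion findings above, together with the Startup process tree (PID 5548 launching a second copy of the same image as PID 6100), are the kind of behaviour a sandbox turns into signatures. The block below is an added example, not part of the Joe Sandbox report or its signature engine: a small triage routine that reads behaviour events and raises the same four observations (same-image child process, long sleep, MachineGuid lookup, sandbox/VM marker strings in memory). The event records are constructed from the findings above; the explorer.exe parent of PID 5548, the suspended-creation flag on PID 6100, the 30 s sleep threshold and the `verdict` scoring are assumptions made for the example.

```python
"""Behaviour-event triage for the sandbox-evasion indicators seen above.

Added example; event records, parent process, flags and thresholds are
constructed assumptions, not data taken from a real behaviour log.
"""
from typing import Dict, Iterable, List, Tuple

# Marker strings from the memory-string findings (compared case-insensitively).
ANTI_ANALYSIS_MARKERS = (
    "SBIEDLL.DLL",                            # Sandboxie helper DLL
    "KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",   # export only Wine provides
    "VMWARE TOOLS", "VMWARE SVGA II", "VMWARE, INC.",  # VMware guest artefacts
)
SLEEP_THRESHOLD_MS = 30_000  # ASSUMPTION: mirrors the report's ">= 30000" comparison

Finding = Tuple[str, str]  # (signature name, detail)


def triage(events: Iterable[Dict]) -> List[Finding]:
    """Walk behaviour events and emit one finding per suspicious observation."""
    findings: List[Finding] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            # A process spawning its own image is the classic injection set-up.
            if ev["image"].lower() == ev["parent_image"].lower():
                detail = f'{ev["parent_image"]} -> pid {ev["pid"]}'
                if ev.get("suspended"):
                    detail += " (CREATE_SUSPENDED)"
                findings.append(("self_spawn", detail))
        elif kind == "thread_sleep" and ev["ms"] >= SLEEP_THRESHOLD_MS:
            findings.append(("long_sleep", f'tid {ev["tid"]} sleeps {ev["ms"]} ms'))
        elif (kind == "reg_query" and ev["value"].lower() == "machineguid"
              and ev["key"].lower().endswith(r"\microsoft\cryptography")):
            findings.append(("machine_guid_query", ev["key"]))
        elif kind == "memory_string":
            upper = ev["value"].upper()
            if any(m in upper for m in ANTI_ANALYSIS_MARKERS):
                findings.append(("anti_analysis_string", ev["value"]))
    return findings


def verdict(findings: List[Finding]) -> str:
    """ASSUMPTION: two distinct evasion signature types mark the run 'evasive'."""
    kinds = {name for name, _ in findings}
    if len({"self_spawn", "long_sleep", "anti_analysis_string"} & kinds) >= 2:
        return "evasive"
    return "suspicious" if kinds else "clean"


EXE = r"C:\Users\user\Desktop\po.no.4414463099.exe"

# Constructed from the process tree and the findings above.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 5548, "image": EXE,
     "parent_image": r"C:\Windows\explorer.exe"},               # parent assumed
    {"type": "process_create", "pid": 6100, "image": EXE,
     "parent_image": EXE, "suspended": True},                   # flag assumed
    {"type": "thread_sleep", "pid": 5548, "tid": 6116, "ms": 52488},
    {"type": "reg_query", "pid": 5548, "value": "MachineGuid",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography"},
    {"type": "memory_string", "pid": 5548, "value": "SBIEDLL.DLL"},
    {"type": "memory_string", "pid": 5548,
     "value": "VMware SVGA II|update users set password = @password where user_id = @user_id"},
    {"type": "memory_string", "pid": 5548, "value": "Shell_TrayWnd"},  # benign window class
]


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, detail in found:
        print(f"{name:22} {detail}")
    print("verdict:", verdict(found))
```

The window-class strings (Progman, Shell_TrayWnd) are deliberately not treated as indicators: they are present in any process that enumerates the desktop, so on their own they would only add noise to the score.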

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match  File source: 00000000.00000002.493750211.0000000003819000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match  File source: 00000000.00000002.493750211.0000000003819000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Techniques carrying a numeric suffix are the ones the report's signatures hit; the suffix is reproduced as rendered in the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection 12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion 1; Disable or Modify Tools 1; Software Packing 2; Process Injection 12; Obfuscated Files or Information 2
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery 11; Virtualization/Sandbox Evasion 1; Process Discovery 1; System Information Discovery 12; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data
