Analysis Report KYC DEBIT 11202020.exe

ID:	321019
Product:	CloudBasic
Start time:	09:16:58
Start date:	20.11.2020
Sample:	KYC DEBIT 11202020.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	1a507889b51bb4c630efdab875fe492d
SHA1:	18213e51363e486cff2e3707db5f3b85dc9c7d6f
SHA256:	dc124de38bc46065f427928b5b1c0dae742f8dbbca236e611735f24ae70e6cb5
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_KYC DEBIT 112020_61257d391877fef8e1fad562b49b966fbe1f87_3e8fb774_14bb27d6\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	CA4AB08F78D4FEDF6DB26B8503A0F04C	47C3E1793AA727CB1D4C2FEC231ECD2F825E9DB8	2DB307ED9F68E24ABC714725F0FF213F5B2652D494CADDDDE180035ECD57D2A2
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE917.tmp.dmp	Mini DuMP crash report, 14 streams, Fri Nov 20 17:18:14 2020, 0x1205a4 type	786BB5B457E4AF51EB0F2768A2AE57CF	97CB2A16972A16197E03F23A2FAD2BB34603BB86	FD5BD1A73277D8D77B3655F6B7DB3E27268CE384C509CB46255238F1A6C91CF9
C:\ProgramData\Microsoft\Windows\WER\Temp\WERED9D.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	D905D1637164D1119FAFBE81C8DF667E	A5EAFF9038D530315C21B95D4DC203F4F2492C78	06CD23812326C76057BDCE1256C9506E1EF86BBD3985CA7D178333CAB9B869F3
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE98.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	593199A442B0E6FEB4E20A5F3BA57EFB	40DCF5AF35370467C6F1DDB3FC64A6DC31EAEB49	D0C0277E6953D6B9C1A94BEC872869343B6B16E2414F848D6FCEB508EF38C0C2

AV Detection:

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Source: KYC DEBIT 11202020.exe

Joe Sandbox ML: detected

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Detected potential crypto function

Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe

Code function: 0_2_00BCDB21

0_2_00BCDB21

One or more processes crash

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788

Sample file is different than original file name gathered from version info

Source: KYC DEBIT 11202020.exe, 00000000.00000002.300296289.0000000005740000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameJnMryRIPGtnuqyyG.bounce.exe4 vs KYC DEBIT 11202020.exe
Source: KYC DEBIT 11202020.exe, 00000000.00000002.300792152.00000000060B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs KYC DEBIT 11202020.exe

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: ext-ms-win-xblauth-console-l1.dll

Yara signature match

Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: KYC DEBIT 11202020.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal60.troj.winEXE@33502/4@0/1

Creates mutexes

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4168

Creates temporary files

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE917.tmp

PE file has an executable .text section and no other executable section

Source: KYC DEBIT 11202020.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Reads software policies

Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\KYC DEBIT 11202020.exe 'C:\Users\user\Desktop\KYC DEBIT 11202020.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: KYC DEBIT 11202020.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: KYC DEBIT 11202020.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: mscorlib.pdb source: WERE917.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdbRSDS source: WERE917.tmp.dmp.3.dr
Source:	Binary string: System.Drawing.pdb source: WERE917.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdb source: WERE917.tmp.dmp.3.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERE917.tmp.dmp.3.dr
Source:	Binary string: System.ni.pdb source: WERE917.tmp.dmp.3.dr
Source:	Binary string: System.pdb source: WERE917.tmp.dmp.3.dr

Data Obfuscation:

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 7.86097375794

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\SysWOW64\WerFault.exe

File opened: PhysicalDrive0

Queries a list of all running processes

Source: C:\Windows\SysWOW64\WerFault.exe

Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe	Process token adjusted: Debug

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe

Memory allocated: page read and write | page guard

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Queries volume information: C:\Users\user\Desktop\KYC DEBIT 11202020.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY