Analysis Report KYC DEBIT 11202020.exe

Overview

General Information

Sample Name:KYC DEBIT 11202020.exe
Analysis ID:321019
MD5:1a507889b51bb4c630efdab875fe492d
SHA1:18213e51363e486cff2e3707db5f3b85dc9c7d6f
SHA256:dc124de38bc46065f427928b5b1c0dae742f8dbbca236e611735f24ae70e6cb5
Tags:exe

Detection

FormBook
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected FormBook
Machine Learning detection for sample
Detected potential crypto function
Enables debug privileges
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Yara signature match

Classification

Startup

  • System is w10x64
  • KYC DEBIT 11202020.exe (PID: 4168 cmdline: 'C:\Users\user\Desktop\KYC DEBIT 11202020.exe' MD5: 1A507889B51BB4C630EFDAB875FE492D)
    • WerFault.exe (PID: 5340 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0xb050:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xb3da:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16ced:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x167d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16def:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16f67:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xbde2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x15a54:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xcb5a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1bdcf:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ce42:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18cf1:$sqlite3step: 68 34 1C 7B E1
  • 0x18e04:$sqlite3step: 68 34 1C 7B E1
  • 0x18d20:$sqlite3text: 68 38 2A 90 C5
  • 0x18e45:$sqlite3text: 68 38 2A 90 C5
  • 0x18d33:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18e5b:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0xb050:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xb3da:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16ced:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x167d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16def:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x16f67:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xbde2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x15a54:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xcb5a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1bdcf:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ce42:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further entries not shown in this extract)
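Both community rules above match opcode sequences rather than text. The yara-signator string $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, a cycle-counter timing check, and each JPCERT/CC string is a push imm32 (opcode 68) of one 32-bit constant; the identifiers $sqlite3step/$sqlite3text/$sqlite3blob suggest those constants are hashed sqlite3 API names, which is an inference from the rule names and not something this report states. The same offsets recur in both dumps of the 0x112F000 region listed above, so the same unpacked payload is present in each snapshot. The script below is an added example written for this page, not code from Joe Sandbox, Malpedia or JPCERT/CC: it reproduces the string-matching half of both rules over a constructed buffer (or over a memory dump given on the command line) and decodes the pushed constants. The "7 of them" and "all of them" thresholds are assumptions about the rules' conditions; check the published rules before relying on them.

```python
"""
Offset scanner for the yara-signator Formbook_1 and JPCERT/CC Formbook strings
listed in the Yara Overview above. Added example for this report; the patterns
are copied from the match listing, the default buffer is constructed so the
script runs offline, and the rule thresholds are assumptions.
"""
import struct
import sys

# All ten yara-signator strings reported above (x86 opcode sequences).
YARA_SIGNATOR_FORMBOOK_1 = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",   # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
# JPCERT/CC strings: each is 'push imm32' (opcode 0x68) of one constant.
JPCERT_FORMBOOK = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hex_to_bytes(pattern: str) -> bytes:
    """'03 C8 0F' -> b'\\x03\\xc8\\x0f' (bytes.fromhex ignores the spaces)."""
    return bytes.fromhex(pattern)


def find_all(buf: bytes, needle: bytes) -> list:
    """Every offset of needle in buf, overlapping hits included, as yara reports them."""
    hits, start = [], 0
    while (pos := buf.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def scan(buf: bytes, strings: dict) -> dict:
    """identifier -> list of match offsets for every string of one rule."""
    return {ident: find_all(buf, hex_to_bytes(pat)) for ident, pat in strings.items()}


def rule_fires(hits: dict, minimum: int) -> bool:
    """Evaluate an 'N of them' condition over a scan() result."""
    return sum(1 for offsets in hits.values() if offsets) >= minimum


def push_imm32(buf: bytes, offset: int) -> int:
    """Decode 'push imm32' at offset and return the immediate (the constant being pushed)."""
    if buf[offset] != 0x68:
        raise ValueError(f"no push imm32 at {offset:#x}")
    return struct.unpack_from("<I", buf, offset + 1)[0]


def build_sample_buffer() -> bytes:
    """Constructed buffer (not FormBook memory): one signator sequence and the three JPCERT pushes in NOP filler."""
    filler = b"\x90" * 0x40
    return (filler
            + hex_to_bytes(YARA_SIGNATOR_FORMBOOK_1["$sequence_0"])   # lands at 0x40
            + filler
            + hex_to_bytes(JPCERT_FORMBOOK["$sqlite3step"])            # 0x89
            + hex_to_bytes(JPCERT_FORMBOOK["$sqlite3text"])            # 0x8e
            + hex_to_bytes(JPCERT_FORMBOOK["$sqlite3blob"])            # 0x93
            + filler)


def report(buf: bytes) -> dict:
    """Run both string sets and summarise them the way the Yara Overview table does."""
    signator = scan(buf, YARA_SIGNATOR_FORMBOOK_1)
    jpcert = scan(buf, JPCERT_FORMBOOK)
    return {
        "signator_hits": signator,
        "signator_fires": rule_fires(signator, 7),      # assumed condition: 7 of the 10 strings
        "jpcert_hits": jpcert,
        "jpcert_fires": rule_fires(jpcert, 3),          # assumed condition: all three pushes
        "jpcert_constants": {ident: [f"{push_imm32(buf, off):#010x}" for off in offs]
                             for ident, offs in jpcert.items()},
    }


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_buffer()
    for rule, hits in (("Formbook_1", scan(data, YARA_SIGNATOR_FORMBOOK_1)),
                       ("Formbook", scan(data, JPCERT_FORMBOOK))):
        for ident, offsets in hits.items():
            for off in offsets:
                print(f"{rule:12s} {off:#x}:{ident}")
    print(report(data))
```

Run it against one of the .sdmp files from this analysis and the printed offsets should line up with the Strings column above; the decoded constants (0xe17b1c34, 0xc5902a38, 0x8c7fd853) are what to look for when the push is emitted with a different encoding and the byte pattern no longer matches.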

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      AV Detection:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: KYC DEBIT 11202020.exe | Joe Sandbox ML: detected

      E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Code function: 0_2_00BCDB21
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788
Source: KYC DEBIT 11202020.exe, 00000000.00000002.300296289.0000000005740000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameJnMryRIPGtnuqyyG.bounce.exe4 vs KYC DEBIT 11202020.exe
Source: KYC DEBIT 11202020.exe, 00000000.00000002.300792152.00000000060B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs KYC DEBIT 11202020.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: KYC DEBIT 11202020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal60.troj.winEXE@33502/4@0/1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4168
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE917.tmp
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\KYC DEBIT 11202020.exe 'C:\Users\user\Desktop\KYC DEBIT 11202020.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: KYC DEBIT 11202020.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: KYC DEBIT 11202020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorlib.pdb | source: WERE917.tmp.dmp.3.dr
Source: Binary string: System.ni.pdbRSDS | source: WERE917.tmp.dmp.3.dr
Source: Binary string: System.Drawing.pdb | source: WERE917.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdb | source: WERE917.tmp.dmp.3.dr
Source: Binary string: mscorlib.ni.pdbRSDS | source: WERE917.tmp.dmp.3.dr
Source: Binary string: System.ni.pdb | source: WERE917.tmp.dmp.3.dr
Source: Binary string: System.pdb | source: WERE917.tmp.dmp.3.dr
Source: initial sample | Static PE information: section name: .text entropy: 7.86097375794
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (19 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\WerFault.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Queries volume information: C:\Users\user\Desktop\KYC DEBIT 11202020.exe VolumeInformation
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

      Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

      Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

Numbers in parentheses are the count of matched signatures for that technique; cells without a number are the matrix template, not observed behaviour.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (1) | Virtualization/Sandbox Evasion (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing (2) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (1) | NTDS | System Information Discovery (21) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

Behavior Graph

(interactive behaviour graph not reproduced in this extract; its legend distinguishes processes, signatures, created files, DNS/IP info, dropped files, Windows processes, counts of created registry values and files, the detected language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious nodes and Internet access)

Screenshots

(screenshot thumbnails not reproduced in this extract)

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label | Link
KYC DEBIT 11202020.exe | 100% | Joe Sandbox ML | |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs

      Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no entries)

      Private

      IP
      192.168.2.1

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:321019
      Start date:20.11.2020
      Start time:09:16:58
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 6m 43s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:KYC DEBIT 11202020.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:14
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal60.troj.winEXE@33502/4@0/1
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 19.6% (good quality ratio 12.5%)
      • Quality average: 48.2%
      • Quality standard deviation: 36.6%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
      • Excluded IPs from analysis (whitelisted): 52.147.198.201, 92.122.144.200
      • Excluded domains from analysis (whitelisted): skypedataprdcoleus16.cloudapp.net, umwatsonrouting.trafficmanager.net, fs.microsoft.com, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtSetInformationFile calls found.

      Simulations

      Behavior and APIs

Time | Type | Description
09:18:30 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_KYC DEBIT 112020_61257d391877fef8e1fad562b49b966fbe1f87_3e8fb774_14bb27d6\Report.wer
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
      Category:dropped
      Size (bytes):12958
      Entropy (8bit):3.7775445336367377
      Encrypted:false
      SSDEEP:192:OWVd/WkRgHBUZMXiaKoKVgz/u7s1S274It1ao:hV1WkOBUZMXiaJz/u7s1X4It1ao
      MD5:CA4AB08F78D4FEDF6DB26B8503A0F04C
      SHA1:47C3E1793AA727CB1D4C2FEC231ECD2F825E9DB8
      SHA-256:2DB307ED9F68E24ABC714725F0FF213F5B2652D494CADDDDE180035ECD57D2A2
      SHA-512:EE13B730F5E11D1D5379F9A57102E321CEE57E1E98A278BA42A124674DECA159B4E8D46B97ACA09A7DCA5CAA1C301A83E3144B05584675854E02CC546CA7EFFC
      Malicious:false
      Reputation:low
      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.3.6.6.2.9.3.9.6.3.6.1.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.3.6.6.2.9.5.5.2.6.1.0.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.d.4.e.2.2.a.-.8.4.3.4.-.4.a.9.b.-.9.3.9.d.-.e.0.6.b.3.f.f.b.a.8.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.f.2.1.1.4.7.1.-.8.4.1.c.-.4.6.1.0.-.a.f.7.f.-.4.b.9.3.9.5.0.8.9.6.b.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.K.Y.C. .D.E.B.I.T. .1.1.2.0.2.0.2.0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.4.8.-.0.0.0.1.-.0.0.1.7.-.0.f.a.6.-.6.9.1.4.6.1.b.f.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.4.c.c.6.e.c.6.2.d.d.6.9.b.e.a.5.e.a.b.0.b.7.7.f.3.d.0.4.3.8.3.0.0.0.0.f.f.f.f.!.0.0.0.0.1.8.2.1.3.e.5.1.3.6.3.e.4.8.6.c.f.f.2.e.3.7.0.7.d.b.5.f.3.b.8.5.d.c.9.c.7.d.6.f.!.K.Y.C. .D.E.B.I.T. .1.1.2.0.2.
      C:\ProgramData\Microsoft\Windows\WER\Temp\WERE917.tmp.dmp
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Fri Nov 20 17:18:14 2020, 0x1205a4 type
      Category:dropped
      Size (bytes):292042
      Entropy (8bit):3.666978083515441
      Encrypted:false
      SSDEEP:3072:gUCgUob4KBa5LXjd+pNVCigP9gIOgF5M0MVIDxAE:gTjU4eWAp7I9RpDMDy5
      MD5:786BB5B457E4AF51EB0F2768A2AE57CF
      SHA1:97CB2A16972A16197E03F23A2FAD2BB34603BB86
      SHA-256:FD5BD1A73277D8D77B3655F6B7DB3E27268CE384C509CB46255238F1A6C91CF9
      SHA-512:032DEB2695B2320A0150196A5CDDBD9A89ACD06BBB2A8854A30B6B74D9EB8A02E22F23CE1FD13D0EA46EC2B919DAE0A27E71C25CAFF56BF74119AE9E6624B1B5
      Malicious:false
      Reputation:low
      Preview: MDMP....... .......V.._...................U...........B......T.......GenuineIntelW...........T.......H...@.._.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
      C:\ProgramData\Microsoft\Windows\WER\Temp\WERED9D.tmp.WERInternalMetadata.xml
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
      Category:dropped
      Size (bytes):8442
      Entropy (8bit):3.7013057923344577
      Encrypted:false
      SSDEEP:192:Rrl7r3GLNiPH6+6YS/SUWA/gmfZ0SQCprQ89b7asf5pm:RrlsNiv6+6YKSUWA/gmfGSl75f2
      MD5:D905D1637164D1119FAFBE81C8DF667E
      SHA1:A5EAFF9038D530315C21B95D4DC203F4F2492C78
      SHA-256:06CD23812326C76057BDCE1256C9506E1EF86BBD3985CA7D178333CAB9B869F3
      SHA-512:9994739259F5122C20793E810620F3AE4C20CB6F040C66FA4A55249374A40C1B13EF46BD84132AA7EAB4DC98AD16CB3FCC9A12FA90C392CA7A101B38C286729B
      Malicious:false
      Reputation:low
      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.6.8.<./.P.i.d.>.......
      C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE98.tmp.xml
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4723
      Entropy (8bit):4.501096848790684
      Encrypted:false
      SSDEEP:48:cvIwSD8zsRJgtWI9Xi8WSC8BI8fm8M4JZyokFom+q8vAyo1wzXvxXJd:uITfj8i1SN7JeKywzXvxXJd
      MD5:593199A442B0E6FEB4E20A5F3BA57EFB
      SHA1:40DCF5AF35370467C6F1DDB3FC64A6DC31EAEB49
      SHA-256:D0C0277E6953D6B9C1A94BEC872869343B6B16E2414F848D6FCEB508EF38C0C2
      SHA-512:401AEE82E141D91D5D9D69AEE5781102804AAB440737026BE7A5EB593AE2606F126FB80C8FBDF8DFAFA506BFD46F6211DBC33C02BEF19DD7E98005B7DEDAA294
      Malicious:false
      Reputation:low
      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="737428" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
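The four files above are WerFault's crash artefacts, and they outlive the sample: Report.wer is UTF-16LE key=value text, and its TargetAppId field (visible in the preview) carries, after the second "!" and a leading 0000, the 40 hex digits 18213e51363e486cff2e3707db5f3b85dc9c7d6f, which is the SHA1 of the sample listed under General Information. AppSessionGuid begins with 00001048, i.e. 0x1048 = 4168, the crashing PID; Wow64Host=34404 and Wow64Guest=332 are the IMAGE_FILE_MACHINE constants 0x8664 (AMD64) and 0x14C (I386), consistent with a 32-bit process on 64-bit Windows; EventTime is a Windows FILETIME and decodes to 2020-11-20 17:18:13 UTC, matching the minidump's timestamp. The parser below is an added example written for this page, not Joe Sandbox or Microsoft code; the field layout is taken from the preview above and from this report's values, and the sample Report.wer it builds is constructed from that preview (the truncated TargetAppId is completed with the name from NsAppName) so the script runs offline.

```python
"""
Parser for the UTF-16 Report.wer written by WerFault for the crashing sample.
Added example for this report; the sample text is constructed from the
Report.wer preview above, and the TargetAppId/AppSessionGuid layouts are as
observed in this report.
"""
import re
from datetime import datetime, timedelta, timezone

# IMAGE_FILE_MACHINE constants; Wow64Host/Wow64Guest store them in decimal.
MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def build_sample_report_wer() -> bytes:
    """Constructed Report.wer (UTF-16LE with BOM, CRLF); values copied from the preview above."""
    lines = [
        "Version=1",
        "EventType=CLR20r3",
        "EventTime=132503662939636139",
        "ReportType=2",
        "Consent=1",
        "UploadTime=132503662955261085",
        "ReportStatus=268435456",
        "ReportIdentifier=88d4e22a-8434-4a9b-939d-e06b3ffba8e0",
        "IntegratorReportIdentifier=2f211471-841c-4610-af7f-4b93950896bf",
        "Wow64Host=34404",
        "Wow64Guest=332",
        "NsAppName=KYC DEBIT 11202020.exe",
        "AppSessionGuid=00001048-0001-0017-0fa6-691461bfd601",
        "TargetAppId=W:000624cc6ec62dd69bea5eab0b77f3d043830000ffff"
        "!000018213e51363e486cff2e3707db5f3b85dc9c7d6f!KYC DEBIT 11202020.exe",
    ]
    return b"\xff\xfe" + ("\r\n".join(lines) + "\r\n").encode("utf-16-le")


def parse_report_wer(raw: bytes) -> dict:
    """Decode the UTF-16LE key=value text into a dict (BOM optional, values kept verbatim)."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    fields = {}
    for line in raw.decode("utf-16-le", errors="replace").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def sha1_from_target_app_id(target_app_id: str):
    """Second '!'-separated field is '0000' + SHA1 of the crashed image (layout as seen in this report)."""
    parts = target_app_id.split("!")
    if len(parts) < 3:
        return None
    match = re.fullmatch(r"0000([0-9a-fA-F]{40})", parts[1])
    return match.group(1).lower() if match else None


def pid_from_app_session_guid(guid: str) -> int:
    """First GUID component is the crashing PID in hex (0x1048 == 4168 in this report)."""
    return int(guid.split("-")[0], 16)


def filetime_to_utc(filetime: int) -> datetime:
    """EventTime/UploadTime are FILETIMEs: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def summarize(fields: dict) -> dict:
    """The facts a responder pivots on from one Report.wer."""
    host, guest = int(fields["Wow64Host"]), int(fields["Wow64Guest"])
    return {
        "app": fields.get("NsAppName"),
        "pid": pid_from_app_session_guid(fields["AppSessionGuid"]),
        "sha1": sha1_from_target_app_id(fields["TargetAppId"]),
        "event_type": fields.get("EventType"),
        "event_time_utc": filetime_to_utc(int(fields["EventTime"])).strftime("%Y-%m-%d %H:%M:%S"),
        "host_machine": MACHINE_NAMES.get(host, hex(host)),
        "guest_machine": MACHINE_NAMES.get(guest, hex(guest)),
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_report_wer()
    for key, value in summarize(parse_report_wer(data)).items():
        print(f"{key:>15}: {value}")
```

On a host where the dropper has already deleted itself, the SHA1 recovered this way is enough to pivot into a sandbox or threat-intel lookup; the ReportArchive directory name (AppCrash_KYC DEBIT 112020_...) and the WERReportingForProcess4168 mutant give the same PID linkage from a different angle.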

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit):7.8547656632266065
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      • Win32 Executable (generic) a (10002005/4) 49.78%
      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
      • Generic Win/DOS Executable (2004/3) 0.01%
      • DOS Executable Generic (2002/1) 0.01%
      File name:KYC DEBIT 11202020.exe
      File size:546816
      MD5:1a507889b51bb4c630efdab875fe492d
      SHA1:18213e51363e486cff2e3707db5f3b85dc9c7d6f
      SHA256:dc124de38bc46065f427928b5b1c0dae742f8dbbca236e611735f24ae70e6cb5
      SHA512:65ebfd138e7cce5114470b6ce59186007add72367bc604cbaaefca5673193bbd06e1293cb9f78d1e981cdcc797c08207c5c4bdddea427725e5390c9a255e3be0
      SSDEEP:12288:BiHYRuVLX/Jp+zlQiMAi513nW3HDUnIIb1duIXOX:8Y4V9p6lx4/nsHDUnBbOIXO
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...F6._.................P...........n... ........@.. ....................................@................................

      File Icon

      Icon Hash:00828e8e8686b000

      Static PE Info

      General

      Entrypoint:0x486eee
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x5FB73646 [Fri Nov 20 03:21:42 2020 UTC]
      TLS Callbacks:
      CLR (.Net) Version:v4.0.30319
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

      Entrypoint Preview

      Instruction
      jmp dword ptr [00402000h]
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al

      Data Directories

      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x86ea0 | 0x4b | .text
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0x242 | .rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8a000 | 0xc | .reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x2000 | 0x84ef4 | 0x85000 | False | 0.898793614897 | data | 7.86097375794 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .rsrc | 0x88000 | 0x242 | 0x400 | False | 0.30859375 | data | 3.56683492949 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc | 0x8a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

      Name | RVA | Size | Type | Language | Country
      RT_MANIFEST | 0x88058 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

      Imports

      DLL | Import
      mscoree.dll | _CorExeMain

      Network Behavior

      Network Port Distribution

      UDP Packets

      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Nov 20, 2020 09:17:53.056655884 CET | 56961 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:17:53.092269897 CET | 53 | 56961 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:17:53.986880064 CET | 59353 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:17:54.014408112 CET | 53 | 59353 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:17:55.380896091 CET | 52238 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:17:55.408087015 CET | 53 | 52238 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:17:56.147533894 CET | 49873 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:17:56.174639940 CET | 53 | 49873 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:17:56.970762014 CET | 53196 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:17:56.997936010 CET | 53 | 53196 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:17:58.139626980 CET | 56777 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:17:58.166762114 CET | 53 | 56777 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:17:59.163197994 CET | 58643 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:17:59.190366983 CET | 53 | 58643 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:17:59.975115061 CET | 60985 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:00.002249002 CET | 53 | 60985 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:18:00.851927996 CET | 50200 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:00.879008055 CET | 53 | 50200 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:18:01.601603985 CET | 51281 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:01.628655910 CET | 53 | 51281 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:18:03.030726910 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:03.057806015 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:18:04.010086060 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:04.037270069 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:18:04.970616102 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:04.997704983 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:18:06.442523956 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:06.469597101 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:18:11.887151003 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:11.922557116 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:18:12.858613968 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:12.885711908 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:18:13.717292070 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:13.744362116 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:18:15.364953995 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:15.402148008 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
      Nov 20, 2020 09:18:15.505676985 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
      Nov 20, 2020 09:18:15.532661915 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3

      Code Manipulations

      Statistics

      Behavior


      System Behavior

      General

      Start time:09:17:53
      Start date:20/11/2020
      Path:C:\Users\user\Desktop\KYC DEBIT 11202020.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\KYC DEBIT 11202020.exe'
      Imagebase:0xb50000
      File size:546816 bytes
      MD5 hash:1A507889B51BB4C630EFDAB875FE492D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, Author: Joe Security
      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
      Reputation:low

      General

      Start time:09:18:13
      Start date:20/11/2020
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788
      Imagebase:0xee0000
      File size:434592 bytes
      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:high

      Disassembly

      Code Analysis
