Analysis Report SlaZL2LqI2.exe

Overview

General Information

Sample Name: SlaZL2LqI2.exe
Analysis ID: 344543
MD5: 9e3469f024cd186e3685505b7d2e4412
SHA1: 2e3b115a155e10fc2dfe822ed6a7d6c03d1702fd
SHA256: 14d9c9f0dbe84637aad5dca71f874b7fd2c11e7b476c4da126090c23b8e95536
Tags: exe, Formbook

Detection

FormBook
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 2.2.AddInProcess32.exe.760000.1.unpack Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bbc", "KEY1_OFFSET 0x1d720", "CONFIG SIZE : 0xb5", "CONFIG OFFSET 0x1d823", "URL SIZE : 22", "searching string pattern", "strings_offset 0x1c363", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------"
Multi AV Scanner detection for submitted file
Source: SlaZL2LqI2.exe Virustotal: Detection: 31%
Source: SlaZL2LqI2.exe ReversingLabs: Detection: 30%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SlaZL2LqI2.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.AddInProcess32.exe.760000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: SlaZL2LqI2.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: SlaZL2LqI2.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: AddInProcess32.pdb source: SlaZL2LqI2.exe, 00000000.00000002.261425891.0000000008ECD000.00000004.00000001.sdmp, AddInProcess32.exe, WerFault.exe, 00000005.00000002.346577564.0000000003110000.00000002.00000001.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.259208534.0000000002E0A000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.259383971.0000000002DFC000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.259383971.0000000002DFC000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.259258652.0000000002DF0000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.259374983.0000000002DF6000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw source: SlaZL2LqI2.exe, 00000000.00000002.261425891.0000000008ECD000.00000004.00000001.sdmp, AddInProcess32.exe, 00000002.00000002.351711193.0000000000392000.00000002.00020000.sdmp, WerFault.exe, 00000005.00000002.346577564.0000000003110000.00000002.00000001.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000005.00000003.261041308.0000000005011000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.259258652.0000000002DF0000.00000004.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_077266A4
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_07727128
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_07727128
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then mov esp, ebp 0_2_0772DF78
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then jmp 077226EEh 0_2_07721F18
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_07726E08
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_07726E08
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_07727898
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_0772711C
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_0772711C
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then xor edx, edx 0_2_07727060
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then xor edx, edx 0_2_07727054
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_07726DFC
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_07726DFC
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_07726924
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_077289B8
Source: SlaZL2LqI2.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SlaZL2LqI2.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SlaZL2LqI2.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SlaZL2LqI2.exe, 00000000.00000002.253723358.0000000001590000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: SlaZL2LqI2.exe, 00000000.00000002.253698687.0000000001567000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: SlaZL2LqI2.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SlaZL2LqI2.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SlaZL2LqI2.exe String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SlaZL2LqI2.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SlaZL2LqI2.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SlaZL2LqI2.exe String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SlaZL2LqI2.exe, 00000000.00000003.252985149.0000000009130000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: SlaZL2LqI2.exe, 00000000.00000003.238391843.0000000009121000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1?E
Source: SlaZL2LqI2.exe, 00000000.00000003.252985149.0000000009130000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: SlaZL2LqI2.exe, 00000000.00000003.238391843.0000000009121000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g?E
Source: SlaZL2LqI2.exe, 00000000.00000003.252985149.0000000009130000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: SlaZL2LqI2.exe, 00000000.00000003.238391843.0000000009121000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj?E
Source: SlaZL2LqI2.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: SlaZL2LqI2.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: SlaZL2LqI2.exe String found in binary or memory: http://ocsp.digicert.com0H
Source: SlaZL2LqI2.exe, 00000000.00000002.253698687.0000000001567000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: SlaZL2LqI2.exe, 00000000.00000002.254245585.00000000032BF000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: SlaZL2LqI2.exe, 00000000.00000002.254190408.0000000003291000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SlaZL2LqI2.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SlaZL2LqI2.exe, 00000000.00000002.253698687.0000000001567000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: SlaZL2LqI2.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: SlaZL2LqI2.exe, 00000000.00000002.254190408.0000000003291000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: SlaZL2LqI2.exe, 00000000.00000002.254190408.0000000003291000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: SlaZL2LqI2.exe, 00000000.00000002.254190408.0000000003291000.00000004.00000001.sdmp String found in binary or memory: https://www.google.comT

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06856EE8 CreateProcessAsUserW, 0_2_06856EE8
Detected potential crypto function
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_0185C961 0_2_0185C961
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_01852809 0_2_01852809
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_0185306B 0_2_0185306B
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_0185EB8B 0_2_0185EB8B
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_0185B5D0 0_2_0185B5D0
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_01856D78 0_2_01856D78
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_0185D458 0_2_0185D458
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_01856743 0_2_01856743
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_01859E80 0_2_01859E80
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_0185C318 0_2_0185C318
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06850A28 0_2_06850A28
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06858648 0_2_06858648
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06853F40 0_2_06853F40
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06853810 0_2_06853810
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06850040 0_2_06850040
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06851D50 0_2_06851D50
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06855D58 0_2_06855D58
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06850A18 0_2_06850A18
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06858638 0_2_06858638
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06859268 0_2_06859268
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_068567F8 0_2_068567F8
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06853F30 0_2_06853F30
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06855099 0_2_06855099
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_068550A8 0_2_068550A8
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_068574F0 0_2_068574F0
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06850007 0_2_06850007
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06853801 0_2_06853801
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06855510 0_2_06855510
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06855520 0_2_06855520
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06851D42 0_2_06851D42
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_06855D48 0_2_06855D48
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_07722718 0_2_07722718
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_077206E0 0_2_077206E0
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_07728280 0_2_07728280
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_07721F18 0_2_07721F18
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_0772CED8 0_2_0772CED8
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_07722708 0_2_07722708
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_077206D1 0_2_077206D1
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_0772CEC8 0_2_0772CEC8
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_07727CE0 0_2_07727CE0
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_07727CD1 0_2_07727CD1
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_0772D9E8 0_2_0772D9E8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 2_2_00392050 2_2_00392050
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 172
PE / OLE file has an invalid certificate
Source: SlaZL2LqI2.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: SlaZL2LqI2.exe Binary or memory string: OriginalFilename vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe, 00000000.00000002.260395887.0000000005990000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe, 00000000.00000002.261425891.0000000008ECD000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAddInProcess32.exeT vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe, 00000000.00000002.260741498.0000000006440000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe, 00000000.00000002.254118568.0000000003240000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPe6.dll" vs SlaZL2LqI2.exe
Source: SlaZL2LqI2.exe Binary or memory string: OriginalFilenameIMG_80136.exeL vs SlaZL2LqI2.exe
Uses 32bit PE files
Source: SlaZL2LqI2.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal92.troj.evad.winEXE@4/6@0/0
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SlaZL2LqI2.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3560
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: SlaZL2LqI2.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\SlaZL2LqI2.exe 'C:\Users\user\Desktop\SlaZL2LqI2.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 172
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SlaZL2LqI2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_00F27632 push es; retf 0_2_00F27634
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_00F27627 push es; retf 0_2_00F27628
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_00F2762C push es; retf 0_2_00F2762E
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_00F27600 push es; retf 0_2_00F27622
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_068585F8 pushad ; retf 0_2_068585F9
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Code function: 0_2_068585FA push eax; retf 0_2_06858601

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe File opened: C:\Users\user\Desktop\SlaZL2LqI2.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe TID: 2900 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe TID: 4632 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe TID: 4632 Thread sleep count: 129 > 30
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe TID: 496 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe TID: 4576 Thread sleep time: -922337203685477s >= -30000s
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: VMware
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: SlaZL2LqI2.exe, 00000000.00000002.260395887.0000000005990000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.347928835.0000000004D80000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: WerFault.exe, 00000005.00000003.344516445.0000000002E10000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: SlaZL2LqI2.exe, 00000000.00000002.260395887.0000000005990000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.347928835.0000000004D80000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SlaZL2LqI2.exe, 00000000.00000002.260395887.0000000005990000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.347928835.0000000004D80000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: SlaZL2LqI2.exe, 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: SlaZL2LqI2.exe, 00000000.00000002.253698687.0000000001567000.00000004.00000020.sdmp, WerFault.exe, 00000005.00000003.275279827.0000000002E10000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SlaZL2LqI2.exe, 00000000.00000002.260395887.0000000005990000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.347928835.0000000004D80000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 760000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 760000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 760000
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 761000
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 564008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Queries volume information: C:\Users\user\Desktop\SlaZL2LqI2.exe VolumeInformation
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SlaZL2LqI2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.259116287.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.351774917.0000000000761000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.259383306.00000000043D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.AddInProcess32.exe.760000.1.unpack, type: UNPACKEDPE
Behavior Graph ID: 344543 Sample: SlaZL2LqI2.exe Startdate: 26/01/2021 Architecture: WINDOWS Score: 92
Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 2 other signatures
Process SlaZL2LqI2.exe started; dropped C:\Users\user\AppData\...\AddInProcess32.exe (PE32) and C:\Users\user\AppData\...\SlaZL2LqI2.exe.log (ASCII); signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
Process AddInProcess32.exe started by SlaZL2LqI2.exe
Process WerFault.exe started by AddInProcess32.exe
No contacted IP infos