Play interactive tourEdit tour
Analysis Report Signature.xlsx
Overview
General Information
Detection
FormBook
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AntiVM_3
Yara detected FormBook
Drops PE files to the user root directory
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | ||
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| |
JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Droppers Exploiting CVE-2017-11882 | Show sources |
Source: | Author: Florian Roth: |
Sigma detected: EQNEDT32.EXE connecting to internet | Show sources |
Source: | Author: Joe Security: |
Sigma detected: File Dropped By EQNEDT32EXE | Show sources |
Source: | Author: Joe Security: |
Sigma detected: Executables Started in Suspicious Folder | Show sources |
Source: | Author: Florian Roth: |
Sigma detected: Execution in Non-Executable Folder | Show sources |
Source: | Author: Florian Roth: |
Sigma detected: Suspicious Program Location Process Starts | Show sources |
Source: | Author: Florian Roth: |
Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Antivirus detection for URL or domain | Show sources |
Source: | Avira URL Cloud: |
Multi AV Scanner detection for domain / URL | Show sources |
Source: | Virustotal: | Perma Link |
Yara detected FormBook | Show sources |
Source: | File source: |
Machine Learning detection for dropped file | Show sources |
Source: | Joe Sandbox ML: | ||
Source: | Joe Sandbox ML: |
Exploits: |
---|
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) | Show sources |
Source: | Process created: | Jump to behavior |
Source: | Process created: |
Compliance: |
---|
Uses new MSVCR Dlls | Show sources |
Source: | File opened: | Jump to behavior |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: |