

Analysis Report vi0EwpbUht

Overview

General Information

Sample Name: vi0EwpbUht (file extension renamed from none to exe)
Analysis ID: 432848
MD5: f478c15f5affd8359762b8c6b0e913a4
SHA1: 05b36949abd35a132488158f38149c7b582c8d3a
SHA256: e355ac0da4996011e91f28b11e03c44d54606ae4ceb0bc4f6d0a0edc4b3410ed
Tags: exe, neshta


Detection

Detected families: FormBook, Neshta
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Neshta
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops PE files with a suspicious file extension
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample is not signed and drops a device driver
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32-bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match


Process Tree

  • System is w10x64
  • vi0EwpbUht.exe (PID: 7096 cmdline: 'C:\Users\user\Desktop\vi0EwpbUht.exe' MD5: F478C15F5AFFD8359762B8C6B0E913A4)
    • vi0EwpbUht.exe (PID: 6184 cmdline: 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe' MD5: 4A10F66447AAF017229FF618AAB923E3)
      • vi0EwpbUht.exe (PID: 6372 cmdline: 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe' MD5: 4A10F66447AAF017229FF618AAB923E3)
        • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • svchost.com (PID: 3728 cmdline: 'C:\Windows\svchost.com' 'C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe' MD5: 713C9023AF9454658983BDEEC3B3F4D4)
            • elxhan.exe (PID: 1144 cmdline: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe MD5: 4A10F66447AAF017229FF618AAB923E3)
              • elxhan.exe (PID: 5572 cmdline: C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe MD5: 4A10F66447AAF017229FF618AAB923E3)
          • NETSTAT.EXE (PID: 5948 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
            • cmd.exe (PID: 4140 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • help.exe (PID: 5944 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
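The tree carries two chains, one per family, and the hashes tell them apart. The submitted file (MD5 f478c1...) is the Neshta-infected host: when it runs, Neshta writes the disinfected original (MD5 4a10f6...) to %TEMP%\3582-490\ and executes it, and installs its own body as C:\Windows\svchost.com (MD5 713c90...), which from then on wraps .exe launches, here 'C:\Windows\svchost.com' 'C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe'. The 4a10f6... payload is FormBook: it copies itself to AppData\Roaming\hbqilrp\elxhan.exe, hollows a second instance of itself, injects into explorer.exe, has explorer.exe start stock SysWOW64 binaries with an empty command line (NETSTAT.EXE, help.exe) as the next injection host, and from there deletes the file it was started from via cmd.exe /c del. The Python below is an added example, not part of the report, that encodes exactly those observations as detection logic and runs it over constructed process-creation events mirroring the tree; the event field names are an assumed schema, not any particular EDR's, and explorer.exe is given an arbitrary real parent because a process-creation log records that rather than the injecting process the sandbox displays it under.

```python
"""Flag the Neshta and FormBook process patterns visible in the tree above."""
import ntpath
import re

# Constructed events reproducing the report's process tree. PIDs, images and
# command lines are as shown there; the dict keys are an assumed schema.
EVENTS = [
    dict(pid=3440, ppid=620, image=r"C:\Windows\explorer.exe", cmdline="explorer.exe"),
    dict(pid=7096, ppid=3440, image=r"C:\Users\user\Desktop\vi0EwpbUht.exe",
         cmdline=r"'C:\Users\user\Desktop\vi0EwpbUht.exe'"),
    dict(pid=6184, ppid=7096, image=r"C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe",
         cmdline=r"'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'"),
    dict(pid=6372, ppid=6184, image=r"C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe",
         cmdline=r"'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'"),
    dict(pid=3728, ppid=3440, image=r"C:\Windows\svchost.com",
         cmdline=r"'C:\Windows\svchost.com' 'C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe'"),
    dict(pid=1144, ppid=3728, image=r"C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe",
         cmdline=r"C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe"),
    dict(pid=5572, ppid=1144, image=r"C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe",
         cmdline=r"C:\Users\user\AppData\Roaming\hbqilrp\elxhan.exe"),
    dict(pid=5948, ppid=3440, image=r"C:\Windows\SysWOW64\NETSTAT.EXE",
         cmdline=r"C:\Windows\SysWOW64\NETSTAT.EXE"),
    dict(pid=4140, ppid=5948, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r"/c del 'C:\Users\user\AppData\Local\Temp\3582-490\vi0EwpbUht.exe'"),
    dict(pid=4592, ppid=4140, image=r"C:\Windows\System32\conhost.exe",
         cmdline=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    dict(pid=5944, ppid=3440, image=r"C:\Windows\SysWOW64\help.exe",
         cmdline=r"C:\Windows\SysWOW64\help.exe"),
]

NESHTA_TEMP_DIR = "\\3582-490\\"   # Neshta writes the disinfected host here before running it
WINDOWS_DIR = "c:\\windows\\"
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
DEL_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+)", re.I)


def proc_name(path):
    return ntpath.basename(path).lower()


def has_args(image, cmdline):
    """True when the command line carries anything beyond the image path itself."""
    return cmdline.strip().strip("'\"").lower() != image.lower()


def analyse(events):
    """Return (rule, pid) findings; each rule mirrors one step of the tree above."""
    by_pid = {e["pid"]: e for e in events}
    known_images = {e["image"].lower() for e in events}
    findings = []
    for e in events:
        image, name = e["image"].lower(), proc_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = proc_name(parent["image"]) if parent else ""
        # Neshta: the original runs from %TEMP%\3582-490\, and the infector
        # installs itself as C:\Windows\svchost.com to wrap later .exe launches.
        if NESHTA_TEMP_DIR in image:
            findings.append(("neshta_temp_copy", e["pid"]))
        if name == "svchost.com" and image.startswith(WINDOWS_DIR):
            findings.append(("neshta_svchost_com", e["pid"]))
        if parent_name == "svchost.com":
            findings.append(("launched_via_svchost_com", e["pid"]))
        # FormBook: the injected explorer.exe starts a stock system binary with an
        # empty command line as the next injection host ...
        if parent_name == "explorer.exe" and image.startswith(SYSTEM_DIRS) \
                and not has_args(e["image"], e["cmdline"]):
            findings.append(("sys_binary_no_args_from_explorer", e["pid"]))
        # ... and that host deletes the file another process in the tree ran from.
        m = DEL_RE.search(e["cmdline"])
        if name == "cmd.exe" and m and m.group(1).strip().lower() in known_images:
            findings.append(("self_delete_of_tree_member", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{pid:>5}  {rule}")
```

The explorer.exe → argument-less SysWOW64 binary rule is the one worth tuning on real telemetry: stock system binaries are rarely launched by explorer.exe with a completely empty command line, and pairing it with a child cmd.exe /c del whose target is the image of an earlier process in the same tree removes most of the remaining noise.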

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.personalizedyardsigns.com/xkcp/"], "decoy": ["plcnotary.com", "pennywisebusiness.net", "negatzone.com", "hangclinic.com", "choice-home-warranty-review.com", "oslojistas.com", "keguanchina.com", "amazoncarbonhub.com", "myworkaccident.com", "shipu299.com", "henselectrlc.com", "store55588.com", "11ncbee.net", "reissantorini.com", "karta.gold", "goldenstatesurplus.net", "soslifefood.com", "bis-adapter.net", "harrywalia.com", "myboutiqueflowers.com", "rareearthmetalrefining.com", "triathletestrength.com", "jumtix.xyz", "shropshirepaddleboarding.com", "promocaomercadolivre.com", "tetratechinstruction.com", "emergingleadership.coach", "aresponsibleperson.net", "gethesspp.com", "zicanotes.com", "lance2375problems.com", "sxkeyuanda.com", "hotradio1.com", "dcsingersforhire.com", "shophigh5.com", "heaustralia.site", "bandlaser.com", "pucksbar.net", "financialdy.com", "digech.com", "livablelandbuyer.com", "bccluster.com", "xn--o39ay81ahtag62aba.com", "petalumaroofing.com", "handmadebyclydelle.com", "thecanineharness.com", "83twistleton.com", "shardulwakade.net", "shopcovetandcrave.com", "babateeconsult.com", "plancougar.com", "buyketoeasy.com", "dccustomcreation.com", "nutellajam.com", "kaiocarvalho.com", "treschicbeautyloft.com", "gofornye.com", "agileintelligence.coach", "poetryartists.com", "teailn.com", "letsreflectonline.net", "uggoutletosterreich.com", "metododgl.com", "centurygreatpath.info"]}
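The extracted configuration has the shape every FormBook config has: one real C2 stored as host plus URI path with no scheme, and a list of 64 decoy domains. The bot beacons to a subset of the decoys alongside the real C2, so the whole list is useful for hunting in proxy logs, but only the C2 entry is reliable for blocking or attribution. The Python below is an added example, not part of the report: it parses the config into that split, renders punycode decoys readable for the analyst (the xn-- form stays the IOC), and emits a Suricata HTTP rule for the C2 host/URI pair. It embeds a constructed excerpt of the config above with a handful of the decoys; the sid value is an arbitrary local choice.

```python
"""Turn the FormBook configuration block above into network IOCs and a Suricata rule."""
import json
from urllib.parse import urlsplit

# Constructed excerpt of the configuration shown above: the single C2 entry plus
# a few of the 64 decoy domains (the full list is in the report).
FORMBOOK_CONFIG = json.dumps({
    "C2 list": ["www.personalizedyardsigns.com/xkcp/"],
    "decoy": ["plcnotary.com", "pennywisebusiness.net", "negatzone.com",
              "karta.gold", "xn--o39ay81ahtag62aba.com"],
})


def split_c2(entry):
    """FormBook stores its C2 as 'host/path/' with no scheme; return (host, path)."""
    parts = urlsplit("http://" + entry)
    return parts.hostname, parts.path or "/"


def display_name(domain):
    """Decode punycode labels for the analyst's eyes; the raw name stays the IOC."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain


def extract_iocs(config_json):
    cfg = json.loads(config_json)
    c2 = [split_c2(e) for e in cfg.get("C2 list", [])]
    c2_hosts = {h for h, _ in c2}
    decoys = set(cfg.get("decoy", []))
    return {
        "c2": c2,
        "c2_hosts": sorted(c2_hosts),
        # The bot contacts decoys too, so every domain belongs on the hunting
        # watchlist; only the C2 entry is reliable for blocking or attribution.
        "watchlist": sorted(c2_hosts | decoys),
        "decoys_readable": {d: display_name(d) for d in sorted(decoys)},
    }


def suricata_rule(host, path, sid):
    """Suricata 5+ HTTP rule for the C2 host/URI pair; sid is an arbitrary local value."""
    return (
        "alert http $HOME_NET any -> $EXTERNAL_NET any ("
        f'msg:"FormBook C2 beacon to {host}"; flow:established,to_server; '
        f'http.host; content:"{host}"; nocase; '
        f'http.uri; content:"{path}"; startswith; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    iocs = extract_iocs(FORMBOOK_CONFIG)
    for host, path in iocs["c2"]:
        print(suricata_rule(host, path, 9000001))
    print("\n".join(iocs["watchlist"]))
```

Matching on host and URI together matters because FormBook's URI path (/xkcp/ here) is per-campaign while the decoy domains are legitimate sites; a host-only rule on the decoys would fire on ordinary browsing.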

Yara Overview

Initial Sample

Source: vi0EwpbUht.exe | Rule: MAL_Neshta_Generic | Description: Detects Neshta malware | Author: Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34

Dropped Files

Source: C:\Program Files (x86)\Microsoft Office\Office16\CNFNOT32.EXE | Rule: MAL_Neshta_Generic | Description: Detects Neshta malware | Author: Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe | Rule: MAL_Neshta_Generic | Description: Detects Neshta malware | Author: Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: C:\Program Files (x86)\Microsoft Office\Office16\MSOUC.EXE | Rule: MAL_Neshta_Generic | Description: Detects Neshta malware | Author: Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | Rule: MAL_Neshta_Generic | Description: Detects Neshta malware | Author: Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: C:\Program Files (x86)\Microsoft Office\Office16\lync99.exe | Rule: MAL_Neshta_Generic | Description: Detects Neshta malware | Author: Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
107 dropped files matched this rule in total; the five above are the ones the report lists.
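Every infected dropped file reports the Neshta strings at exactly the same offsets as the initial sample (0x1860, 0x329e, 0x5530, 0xa0e7, 0xa108, 0xa113, 0xa1a8), which is what a prepending infector produces: the Neshta body occupies the front of each infected file and the original host executable follows it, so the 107 hits are one stub repeated, not 107 variants. When a copy of a matched file is available, the offset/string pairs the report prints can be re-checked directly rather than trusted. The Python below is an added example, not part of the report or of the YARA rules it cites: it parses hit lines in the report's own format, plants them into a constructed zero-filled buffer that stands in for the file, and verifies each one, reporting which identifiers fail after a byte is changed. The same check applies to the memory-dump hits further down against the saved dump; there, $sequence_0 opens with 03 C8 0F 31 (add ecx, eax; rdtsc), the timing check behind the RDTSC signature above, and the JPCERT strings are push imm32 instructions (opcode 68) whose immediates the rule ties to sqlite3 step/text/blob lookups.

```python
"""Re-check the YARA string hits listed in the report against a local copy of a file."""
import re

# Constructed excerpt of the MAL_Neshta_Generic hits shown above, in the report's
# own "offset:$id: value" format.
REPORT_HITS = """
0xa0e7:$x1: the best. Fuck off all the rest.
0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
0xa108:$s1: Neshta
0xa113:$s2: Made in Belarus.
0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
"""

HIT_RE = re.compile(r"^(0x[0-9a-f]+):(\$\w+):\s(.*)$", re.I)
# Heuristic: a value made only of space-separated hex byte pairs is an opcode
# string ($op*/$sequence_*); anything else is printed as text ($x*/$s*).
HEX_RE = re.compile(r"^(?:[0-9A-F]{2} )*[0-9A-F]{2}$")


def parse_hits(text):
    """Return [(offset, identifier, expected_bytes)] for each hit line."""
    hits = []
    for line in text.strip().splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        off, ident, value = m.groups()
        data = bytes.fromhex(value) if HEX_RE.match(value) else value.encode("latin-1")
        hits.append((int(off, 16), ident, data))
    return hits


def verify(buf, hits):
    """Map each identifier to whether its bytes really sit at the reported offset."""
    return {ident: buf[off:off + len(data)] == data for off, ident, data in hits}


def build_sample(hits, size=0xB000):
    """Constructed stand-in for the file: zeros, with each hit planted at its offset."""
    buf = bytearray(size)
    for off, _, data in hits:
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    hits = parse_hits(REPORT_HITS)
    sample = build_sample(hits)          # replace with open(path, "rb").read() for a real file
    for ident, ok in verify(sample, hits).items():
        print(f"{ident:<6} {'ok' if ok else 'MISMATCH'}")
```

Against a real file, a mismatch on an $op string usually means a different build of the stub (offsets shift), while a mismatch on only the text strings points at a patched or partially overwritten copy; either way the YARA verdict should be re-run on the file itself rather than inferred from the report.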

Memory Dumps

Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000003.00000002.460372240.0000000000400000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000007.00000002.556558857.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
38 memory-dump matches in total; the five above are the ones the report lists.

      Unpacked PEs

Source: 7.2.elxhan.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 7.2.elxhan.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 7.2.elxhan.exe.400000.0.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.2.vi0EwpbUht.exe.400000.0.unpack | Rule: MAL_Neshta_Generic | Description: Detects Neshta malware | Author: Florian Roth
  • 0xa0e7:$x1: the best. Fuck off all the rest.
  • 0xa1a8:$x2: ! Best regards 2 Tommy Salo. [Nov-2005] yours [Dziadulja Apanas]
  • 0xa108:$s1: Neshta
  • 0xa113:$s2: Made in Belarus.
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
Source: 1.2.vi0EwpbUht.exe.400000.0.unpack | Rule: JoeSecurity_Neshta | Description: Yara detected Neshta | Author: Joe Security