Windows Analysis Report moni $@.exe

Overview

General Information

Sample Name: moni $@.exe
Analysis ID: 458678
MD5: 1e46a61b2d491a15952bd579210ecb8f
SHA1: 5bb236d5c49991298040dd88b4b83c4cb21e148a
SHA256: b07a33b6e6d8007b04f1f4a78cd8be773506bbf6b60ed0227665188d57e82a15
Tags: exenull

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: moni $@.exe Avira: detected
Antivirus detection for URL or domain
Source: www.panyu-qqbaby.com/weni/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.panyu-qqbaby.com/weni/"], "decoy": ["sdmdwang.com", "konversationswithkoshie.net", "carap.club", "eagldeream.com", "856380585.xyz", "elgallocoffee.com", "magetu.info", "lovertons.com", "theichallenge.com", "advancedautorepairsonline.com", "wingsstyling.info", "tapdaugusta.com", "wiloasbanhsgtarewdasc.solutions", "donjrisdumb.com", "experienceddoctor.com", "cloverhillconsultants.com", "underwear.show", "karensgonewild2020.com", "arodsr.com", "thefucktardmanual.com", "712kenwood.info", "telecompink.com", "ebizkendra.com", "kitkatmp3.com", "utformehagen.com", "profitsnavigator.com", "kathyharvey.com", "tongaoffshore.com", "vrpreservation.com", "hy7128.com", "nicolettejohnsonphotography.com", "rating.travel", "visualartcr.com", "nationalbarista.com", "lovecartoonforever.com", "koimkt.com", "directpractice.pro", "blockchaincloud360.com", "queverenbuenosaires.com", "coachmyragolden.com", "awree.com", "facebookipl.com", "rcheapwdbuy.com", "trinspinsgreen.com", "voxaide.com", "ecorner.online", "mattvickery.com", "regarta.com", "fknprfct.com", "theessentialstore.net", "sunilpsingh.com", "ovtnywveba.club", "optimalgafa.com", "awdjob.info", "humachem.com", "southeasternsteakcompany.com", "centerevents.net", "warrenswindowcleans.co.uk", "lebullterrier.com", "thecxchecker.com", "formerknown.com", "pupbutler.com", "tincanphones.com", "tgeuuy.cool"]}
Multi AV Scanner detection for domain / URL
Source: www.panyu-qqbaby.com/weni/ Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: moni $@.exe Virustotal: Detection: 39%
Source: moni $@.exe ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: moni $@.exe Joe Sandbox ML: detected

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\moni $@.exe Unpacked PE file: 0.2.moni $@.exe.ff0000.0.unpack
Uses 32bit PE files
Source: moni $@.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
Source: moni $@.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.panyu-qqbaby.com/weni/
Source: moni $@.exe, 00000000.00000002.247463240.0000000003211000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Detected potential crypto function
Source: C:\Users\user\Desktop\moni $@.exe Code function: 0_2_00007FFF2AF5629E 0_2_00007FFF2AF5629E
Sample file is different than original file name gathered from version info
Source: moni $@.exe, 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStoreElement.dllB vs moni $@.exe
Source: moni $@.exe, 00000000.00000002.250882555.000000001BD70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs moni $@.exe
Source: moni $@.exe, 00000000.00000002.246983941.000000000109A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAppDomainHand.exe6 vs moni $@.exe
Source: moni $@.exe, 00000000.00000002.247121884.00000000014EC000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs moni $@.exe
Source: moni $@.exe, 00000000.00000002.247434414.00000000030F0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameConfigNodeType.dll> vs moni $@.exe
Source: moni $@.exe Binary or memory string: OriginalFilenameAppDomainHand.exe6 vs moni $@.exe
Uses 32bit PE files
Source: moni $@.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED
Yara signature match
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: moni $@.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/1@0/0
Source: C:\Users\user\Desktop\moni $@.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\moni $@.exe.log
Source: C:\Users\user\Desktop\moni $@.exe Mutant created: \Sessions\1\BaseNamedObjects\CmNWJcEtJlScVAi
Source: moni $@.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\moni $@.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\moni $@.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: moni $@.exe Virustotal: Detection: 39%
Source: moni $@.exe ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\moni $@.exe 'C:\Users\user\Desktop\moni $@.exe'
Source: C:\Users\user\Desktop\moni $@.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\moni $@.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: moni $@.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: moni $@.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\moni $@.exe Unpacked PE file: 0.2.moni $@.exe.ff0000.0.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\moni $@.exe Code function: 0_2_00007FFF2AF57F13 push ebx; ret 0_2_00007FFF2AF57F1A
Source: C:\Users\user\Desktop\moni $@.exe Code function: 0_2_00007FFF2AF5AC5D push edi; ret 0_2_00007FFF2AF5AC66
Source: initial sample Static PE information: section name: .text entropy: 7.91066136918
Source: C:\Users\user\Desktop\moni $@.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: moni $@.exe PID: 3516, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\moni $@.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\moni $@.exe TID: 4852 Thread sleep time: -38692s >= -30000s
Source: C:\Users\user\Desktop\moni $@.exe TID: 6136 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\moni $@.exe Thread delayed: delay time: 38692
Source: C:\Users\user\Desktop\moni $@.exe Thread delayed: delay time: 922337203685477
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp Binary or memory string: vmware
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\moni $@.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\moni $@.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\moni $@.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\moni $@.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\moni $@.exe Queries volume information: C:\Users\user\Desktop\moni $@.exe VolumeInformation
Source: C:\Users\user\Desktop\moni $@.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY
No contacted IP infos