Windows Analysis Report Shipping Doc.exe

Overview

General Information

Sample Name:	Shipping Doc.exe
Analysis ID:	458885
MD5:	159d560ff64cdb2d130b1635f4123a49
SHA1:	5762036dd01f8a63ce29557c5c0464360500c7e6
SHA256:	065252f5ed5475c89d2bff7389554a4695a85900a7a75eb98170c6a372b33ea0
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.shopjempress.com/amb6/"], "decoy": ["segurocars.com", "rylautosales.com", "xinglinjiankang.com", "dantil-brand.com", "sofaloffa.club", "coinclub2.com", "ez-pens.com", "gqtlqsw.com", "robotnewswire.com", "ktproductreviews.com", "merchbrander.com", "yesonamendmentb.com", "losgatoslimos.com", "kristincole.art", "metalmaids.online", "leftcoastmodels.com", "athetheist.com", "jblbusrtingsale.com", "chungcugiarehcm.com", "renblockchain.com", "bigdaddy.fish", "comproliverton.pro", "gzmove.com", "honeythymeherbfarm.com", "davinescosmetics.com", "9355693.com", "movinmemphis901.com", "patriotsrs.net", "dagelijkseschoenen.com", "a-want-ad.site", "theodbox.com", "audioky.net", "hopematthewsrealtor.com", "theonlinemoneymachine.com", "misakiti.com", "ad-yalong.com", "mikealazo.com", "marianoterra.com", "shivorja.com", "goodvibrationswindchimes.com", "pecom-deliverry.online", "amlexcel.com", "emeralddrumcompany.com", "dalipaella.com", "shopcamacci.com", "xucaiwujin.com", "bxs5000.com", "2en1institut.com", "zxzm47-wj.com", "builttek.com", "66400yy.com", "beegraze.com", "thedottedcat.com", "komsah.com", "4202nsacramentoav.info", "88q27.com", "toriengenharia.com", "briscoewelding.com", "brookelenzi.com", "tribaltrash.com", "bidtas.com", "shokhorror.com", "bodurm.com", "333.wiki"]}

Multi AV Scanner detection for submitted file

Source: Shipping Doc.exe	Virustotal: Detection: 50%	Perma Link
Source: Shipping Doc.exe	Metadefender: Detection: 31%	Perma Link
Source: Shipping Doc.exe	ReversingLabs: Detection: 26%

Yara detected FormBook

Source: Yara match	File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Source: Shipping Doc.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 4.2.Shipping Doc.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: Shipping Doc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: Shipping Doc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cscript.pdbUGP source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe, 0000000F.00000002.480637752.000000000548F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Shipping Doc.exe, 00000004.00000002.320512631.0000000001960000.00000040.00000001.sdmp, cscript.exe
Source:	Binary string: cscript.pdb source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.292742080.000000000EBC0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4x nop then pop esi	4_2_00417164
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4x nop then pop ebx	4_2_00407AFB
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4x nop then pop edi	4_2_00416C9C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop ebx	15_2_03207AFB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop esi	15_2_03217164
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop edi	15_2_03216C9C

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.shopjempress.com/amb6/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR HTTP/1.1Host: www.bigdaddy.fishConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR HTTP/1.1Host: www.davinescosmetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS

Source: global traffic	HTTP traffic detected: GET /amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR HTTP/1.1Host: www.bigdaddy.fishConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR HTTP/1.1Host: www.davinescosmetics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.bigdaddy.fish

Source: cscript.exe, 0000000F.00000002.483172630.0000000005E2F000.00000004.00000001.sdmp	String found in binary or memory: http://BigDaddyUnlimited.com/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC
Source: explorer.exe, 00000006.00000000.282041503.00000000089C0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Shipping Doc.exe, 00000002.00000003.218505402.00000000057C6000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Shipping Doc.exe, 00000002.00000003.219138017.00000000057BE000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Shipping Doc.exe, 00000002.00000003.219469628.0000000005799000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comalsdn
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcomFU
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comd
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comlicd
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Shipping Doc.exe, 00000002.00000003.213525769.000000000579B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comicV
Source: Shipping Doc.exe, 00000002.00000003.213474844.000000000579B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comny
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Shipping Doc.exe, 00000002.00000003.216929499.0000000005786000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn&
Source: Shipping Doc.exe, 00000002.00000003.216788502.0000000005786000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn4
Source: Shipping Doc.exe, 00000002.00000003.216206775.0000000005787000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn8
Source: Shipping Doc.exe, 00000002.00000003.216929499.0000000005786000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnP
Source: Shipping Doc.exe, 00000002.00000003.215912066.000000000578E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd
Source: Shipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cny
Source: Shipping Doc.exe, 00000002.00000003.215964486.0000000000E0D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnz
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Shipping Doc.exe, 00000002.00000003.222324750.0000000005792000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/0
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/8
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0a
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/argeg
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/en-u
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/en-ut
Source: Shipping Doc.exe, 00000002.00000003.218167835.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/fr-f
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/q
Source: Shipping Doc.exe, 00000002.00000003.218167835.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/siv
Source: Shipping Doc.exe, 00000002.00000003.218276730.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vam&
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coma7
Source: Shipping Doc.exe, 00000002.00000003.212987891.0000000005783000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comiv
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp, Shipping Doc.exe, 00000002.00000003.218511303.0000000005785000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Shipping Doc.exe, 00000002.00000003.218593004.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.comc
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Shipping Doc.exe, 00000002.00000003.214716683.000000000579B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comI
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Shipping Doc.exe, 00000002.00000003.220043454.0000000005785000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.282249267.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00419D60 NtCreateFile,	4_2_00419D60
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00419E10 NtReadFile,	4_2_00419E10
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00419E90 NtClose,	4_2_00419E90
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00419F40 NtAllocateVirtualMemory,	4_2_00419F40
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00419D5B NtCreateFile,	4_2_00419D5B
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00419E8B NtClose,	4_2_00419E8B
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00419F3A NtAllocateVirtualMemory,	4_2_00419F3A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_053D9910
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9540 NtReadFile,LdrInitializeThunk,	15_2_053D9540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D99A0 NtCreateSection,LdrInitializeThunk,	15_2_053D99A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D95D0 NtClose,LdrInitializeThunk,	15_2_053D95D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9860 NtQuerySystemInformation,LdrInitializeThunk,	15_2_053D9860
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9840 NtDelayExecution,LdrInitializeThunk,	15_2_053D9840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9710 NtQueryInformationToken,LdrInitializeThunk,	15_2_053D9710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9780 NtMapViewOfSection,LdrInitializeThunk,	15_2_053D9780
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9FE0 NtCreateMutant,LdrInitializeThunk,	15_2_053D9FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_053D9660
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9650 NtQueryValueKey,LdrInitializeThunk,	15_2_053D9650
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9A50 NtCreateFile,LdrInitializeThunk,	15_2_053D9A50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_053D96E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D96D0 NtCreateKey,LdrInitializeThunk,	15_2_053D96D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053DAD30 NtSetContextThread,	15_2_053DAD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9520 NtWaitForSingleObject,	15_2_053D9520
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9560 NtWriteFile,	15_2_053D9560
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9950 NtQueueApcThread,	15_2_053D9950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D95F0 NtQueryInformationFile,	15_2_053D95F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D99D0 NtCreateProcessEx,	15_2_053D99D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9820 NtEnumerateKey,	15_2_053D9820
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053DB040 NtSuspendThread,	15_2_053DB040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D98A0 NtWriteVirtualMemory,	15_2_053D98A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D98F0 NtReadVirtualMemory,	15_2_053D98F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9730 NtQueryVirtualMemory,	15_2_053D9730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053DA710 NtOpenProcessToken,	15_2_053DA710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9B00 NtSetValueKey,	15_2_053D9B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9770 NtSetInformationFile,	15_2_053D9770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053DA770 NtOpenThread,	15_2_053DA770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9760 NtOpenProcess,	15_2_053D9760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053DA3B0 NtGetContextThread,	15_2_053DA3B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D97A0 NtUnmapViewOfSection,	15_2_053D97A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9A20 NtResumeThread,	15_2_053D9A20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9610 NtEnumerateValueKey,	15_2_053D9610
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9A10 NtQuerySection,	15_2_053D9A10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9A00 NtProtectVirtualMemory,	15_2_053D9A00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9670 NtQueryInformationProcess,	15_2_053D9670
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053D9A80 NtOpenDirectoryObject,	15_2_053D9A80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03219F40 NtAllocateVirtualMemory,	15_2_03219F40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03219E10 NtReadFile,	15_2_03219E10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03219E90 NtClose,	15_2_03219E90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03219D60 NtCreateFile,	15_2_03219D60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03219F3A NtAllocateVirtualMemory,	15_2_03219F3A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03219E8B NtClose,	15_2_03219E8B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03219D5B NtCreateFile,	15_2_03219D5B

Detected potential crypto function

Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00417164	4_2_00417164
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_0041E1B3	4_2_0041E1B3
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_0041DAB4	4_2_0041DAB4
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_0041D360	4_2_0041D360
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00402D87	4_2_00402D87
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00409E40	4_2_00409E40
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_05461D55	15_2_05461D55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_05390D20	15_2_05390D20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053B4120	15_2_053B4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_0539F900	15_2_0539F900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053AD5E0	15_2_053AD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053A841F	15_2_053A841F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_05451002	15_2_05451002
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053AB090	15_2_053AB090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053CEBB0	15_2_053CEBB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053B6E30	15_2_053B6E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_0321DAB4	15_2_0321DAB4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03217164	15_2_03217164
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_0321E1B3	15_2_0321E1B3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03202FB0	15_2_03202FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03209E40	15_2_03209E40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03202D87	15_2_03202D87
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03202D90	15_2_03202D90

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\cscript.exe

Code function: String function: 0539B150 appears 32 times

Sample file is different than original file name gathered from version info

Source: Shipping Doc.exe, 00000002.00000000.210709159.00000000004B0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
Source: Shipping Doc.exe, 00000004.00000002.320202534.0000000000F90000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe
Source: Shipping Doc.exe, 00000004.00000002.321211799.0000000003630000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamecscript.exe` vs Shipping Doc.exe
Source: Shipping Doc.exe, 00000004.00000002.320852896.0000000001C0F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Doc.exe
Source: Shipping Doc.exe	Binary or memory string: OriginalFilenameRemotingSurroga.exe> vs Shipping Doc.exe

Uses 32bit PE files

Source: Shipping Doc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Yara signature match

Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Shipping Doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Shipping Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.480234994.0000000005230000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.320916195.0000000001C90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.320396445.00000000014D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.319900347.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.478585925.0000000003200000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.479510604.0000000003830000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@2/2

Source: C:\Users\user\Desktop\Shipping Doc.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Doc.exe.log

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Shipping Doc.exe 'C:\Users\user\Desktop\Shipping Doc.exe'
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process created: C:\Users\user\Desktop\Shipping Doc.exe C:\Users\user\Desktop\Shipping Doc.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Shipping Doc.exe'	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_00414A19 push ebp; ret	4_2_00414A1C
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_004046A7 push edx; ret	4_2_004046AC
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_0041CEB5 push eax; ret	4_2_0041CF08
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_0041CF6C push eax; ret	4_2_0041CF72
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_0041CF02 push eax; ret	4_2_0041CF08
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_0041CF0B push eax; ret	4_2_0041CF72
Source: C:\Users\user\Desktop\Shipping Doc.exe	Code function: 4_2_004167BF push ecx; iretd	4_2_004167C4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_053ED0D1 push ecx; ret	15_2_053ED0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03214A19 push ebp; ret	15_2_03214A1C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_0321CF02 push eax; ret	15_2_0321CF08
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_0321CF0B push eax; ret	15_2_0321CF72
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_0321CF6C push eax; ret	15_2_0321CF72
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_032167BF push ecx; iretd	15_2_032167C4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_03214F99 pushfd ; retf	15_2_03214F9A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_032046A7 push edx; ret	15_2_032046AC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 15_2_0321CEB5 push eax; ret	15_2_0321CF08

Source: Shipping Doc.exe, jtOONAqGyrOQ0u8Ixk/bpT4mwco1CD693b7CN.cs	High entropy of concatenated method names: '.cctor', '.ctor', '.ctor', 'oPOobRO5Vf', 'xm0o4Sf5NR', 'iEhoUBHjQn', 'ijuoVsDDg2', 'MQ3opPNGI1', 'S3PoaRe2Zm', 'nWyo9cofXu'
Source: Shipping Doc.exe, RuGDW7WIWRL3vuqXmw/WrIPZ8OGPrQJVhLUng.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'rgxUTfEcE8', 'q8OZlL4Rke', 'x5iZK8bkZ8', 'G2oZhTFUiy', 'L68ZzSd862', 'V2KO3o6ooX', 'cAnOXHn0FW', 'wSEOMWMK2K'
Source: Shipping Doc.exe, hasvvCPjjpwAYaryty/EfFkrBZD9T3RSksP6r.cs	High entropy of concatenated method names: 'Rj7pMjk0RG', 'yxxppukx53', '.ctor', 'uJxMm4pXjR', 'k9lMjtoI45', 'wSjM2XIjCC', 'gO5MrDyTRD', 'KrXMRRV4g5', 'uydM6uLlM6', 'YGpMTXkEhk'
Source: Shipping Doc.exe, QSqf1GDneX5foweMTs/gdXQIRHg06sMXH3Uxd.cs	High entropy of concatenated method names: '.ctor', 'OFPUt83v9K', 'Dispose', 'mCOUJCTXYL', 'upBUseu0pH', 'HIXUhn1Ejd', 'I30U81QHfg', 'StGUGWc16P', 'X1iUOqmHqd', 'Ka0ZQEPwNI'
Source: Shipping Doc.exe, VfaCLA2tkrd397ihoB/buZV27SgYVJ8wKY7Z0.cs	High entropy of concatenated method names: 'CMppZjWBMw', 'WSepPM9SAb', 'BJApjvbu0I', 'ReYpSqXGYT', 'hp3prsATrN', 'N3op30XIBP', 'YUZpyoUrkn', 'EV6p6ZDRrC', 'S0OpzLwnNq', 'uvNabGVwIQ'
Source: Shipping Doc.exe, UNAPpRk5a6XMif56PN/tbtYLjiE15X0m3NrV3.cs	High entropy of concatenated method names: 'DownJlYGxJ', 'xuxnPXJrTV', 'w3mnbXLFql', 'fTqnDGgSIY', 'eINnmEc12d', 'nKXnd3ROy7', 'awc4e3Q42f', 'BhB4klsGCM', 'g6x4c5BQkZ', '.ctor'
Source: Shipping Doc.exe, UiJUy4BuRoHLOAKf06/xXY9csuTjhbcI1BP2L.cs	High entropy of concatenated method names: '.ctor', 'Save', 'HAK5f06my', 'Load', 'HD3dcOlu8', 'L3tKrC2Wr', 'IdyxYvcVc', 'UiJGtlVLwBaQxjgBF6', 'PIkx4Wf1QZgiV6aU4i', 'Dmh9sciVAETbBXxfFa'
Source: Shipping Doc.exe, UOdyYvecVcmermsDhZ/RyGD3cgOlu803trC2W.cs	High entropy of concatenated method names: '.ctor', 'RHvjJZq4E', 'p2nSuK03D', 'vRg006sMX', 'za8rj6Xgs', 'lcY3ZFXvZ', 'SuJyVgV3w', 'K5l6Xpqre', 'aboznP1OR', 'wKa4b4MTS2'
Source: Shipping Doc.exe, lfBAw24wG7RaGl4BUSW/LdIBF34ft0aEOrSOpS7.cs	High entropy of concatenated method names: 'Dispose', 'ab0nKv0rYl', 'QfAnxS7FmM', 'KPJntrwakq', 'hrtnJqte2T', 'get_MinimumSize', 'set_MinimumSize', 'zaruECCxke', 'AUkuQwTOtd', 'kmkuL8FL2C'
Source: Shipping Doc.exe, xP7XZx4KUcy0rZpMq7p/C89e434dqTXWooX6OT2.cs	High entropy of concatenated method names: 'e0riOZyeQf', 'PdXiWMlD76', '.ctor', 'get_BackColor', 'set_BackColor', 'get_BackgroundImage', 'set_BackgroundImage', 'get_BackgroundImageLayout', 'set_BackgroundImageLayout', 'get_Font'
Source: Shipping Doc.exe, wUV9j84txMqsOMB0RNC/O8br1u4x3ZTxpBM3GKp.cs	High entropy of concatenated method names: '.ctor', 'MStqzWqX98', 'Bbn63OwGFH', 'BinijXg983', 'zWEiSMBU7I', 'GetEditControl', 'GetEditedValue', 'LoadValues', 'SetEditStyle', 'GetEditStyle'
Source: Shipping Doc.exe, m90oD71ZT6Wr9cSLC3/BCGZxMFmXU9h9JKBRA.cs	High entropy of concatenated method names: '.ctor', 'd4MMkZMC3a', 'jwDMcNsXnd', 'Gp5MqvWKfg', 'SyIMHvh4nd', 'hUNMDI3IfP', 'mDWuCAUyBYn6ulPCLkn', 'glMALsU9egpF9gq6VvY', 'BPhg4AU0cm0xPgAcOUP', 'A1LpkmUKxjoeRJhgj5v'
Source: Shipping Doc.exe, sKgaUY4su4YTKa6GuYl/zgNK5N4JjGAZFgAu99M.cs	High entropy of concatenated method names: '.ctor', 'UbQkbXvRlm', 'IODk4e1Qh2', 'csBkUTL3tc', 'khokVDYHrG', 'Gl8i6EIG8s', 'qyCiTn1nPR', 'FE7iz1aZDQ', 'gcBwMrofCMqEqIdiR6L', 'i3QNTaoieNlxFPGbQ4d'
Source: Shipping Doc.exe, I156H44Dv8rnIOySGfK/hltbY94HHwR3afLhEhf.cs	High entropy of concatenated method names: '.ctor', 'aLPlf5n4CH', 'tIqlwf7H6m', 'tZJlo0KBRb', 'cpflU40tFN', 'wk5lV1CuJF', 'kyhlMnlNeC', 'xLolpUglD3', 'N0WlaMcuXO', 'XbElCFHsrk'
Source: Shipping Doc.exe, iTAtM84qSuFr2hs51c1/llm9gs4ch4IcMcmGnvJ.cs	High entropy of concatenated method names: 'FIv9ZZdDqG', 'gQI9PDLDlN', 'q2H9mKTBvh', 'uM89jAIc2y', 'zL49SlfPPi', 'get_Multiline', 'set_Multiline', 'get_Text', 'set_Text', '.ctor'
Source: Shipping Doc.exe, aiLmWw4VnJDnSPTNJVN/XYryxx4U6BmknteXNOa.cs	High entropy of concatenated method names: '.ctor', 'ukj9woe4c6', 'Dfu9EiQsTa', 'NuW9A6sETI', 'InitializeEditingControl', 'get_EditType', 'get_ValueType', 'get_DefaultNewRowValue', 'MmH4btFKnt5dqxSDm2G', 'hZ9OUfFVGF3Eyyj8DxB'
Source: Shipping Doc.exe, BLop0K4E7l9d1bylJUy/zJBh6F4IacA7iyEpXZO.cs	High entropy of concatenated method names: 'L5eBi4Qigv', 'ixEBkeoTbq', 'FFgBo4KGaE', 'BSVBUenW6x', 'agMBMj6JFC', 'G76Bp97jPo', 'NEABaXP8gi', 'mb7BCbn9q3', 'oorB9rEwKt', 'zx5BYqnub6'
Source: Shipping Doc.exe, vNeJVt4AWwbHEvjgGer/LdlLQ14Qf610ZIAPrJw.cs	High entropy of concatenated method names: '.ctor', 'QppedwFCcs', 'qd6eKe7iLK', 'GI4etXfotQ', 'wxEeJ5n5Hk', 'get_Multiline', 'set_Multiline', 'fOLB0NPOGK', 'okIBFsEdfE', 'A7HB1qoYTX'
Source: Shipping Doc.exe, nKYoUB4oxKLGj4jvd63/aLgWyc44ofXur00lLx1.cs	High entropy of concatenated method names: 'VsAaQxSlAF', 'D09aAvsZj4', 'LmhaLRSl8M', 'okva5IYOyq', 'HKUad6KvCc', 'CAuaKRAFBD', 'J6paxwfEfU', 'iLlatruy0f', 'YF3aJVd6Ly', 'dX9aspur2U'

Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Doc.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Shipping Doc.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000032098E4 second address: 00000000032098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000003209B5E second address: 0000000003209B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Shipping Doc.exe TID: 5516	Thread sleep time: -39781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe TID: 6132	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3340	Thread sleep time: -38000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 1392	Thread sleep time: -45000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Doc.exe	Thread delayed: delay time: 39781			Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000006.00000000.280370116.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000000.273037707.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.280812513.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000006.00000000.311184656.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000006.00000000.279908328.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Shipping Doc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Shipping Doc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\explorer.exe	Domain query: www.davinescosmetics.com
Source: C:\Windows\explorer.exe	Domain query: www.bigdaddy.fish
Source: C:\Windows\explorer.exe	Network Connect: 208.113.204.236 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Doc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Doc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Doc.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 3388			Jump to behavior

Source: explorer.exe, 00000006.00000000.262269287.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.280697838.000000000871F000.00000004.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.262650603.0000000001980000.00000002.00000001.sdmp, cscript.exe, 0000000F.00000002.479722473.0000000003C20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.102.136.180	davinescosmetics.com	United States		15169	GOOGLEUS	false
208.113.204.236	www.bigdaddy.fish	United States		26347	DREAMHOST-ASUS	true

Name	Malicious	Antivirus Detection	Reputation
http://www.davinescosmetics.com/amb6/?DPt4=ZduBhxyNf/T8KdukIHnfIOdlFHQuF1EsUtpfZKs5gLBpa2z0TfcmffP3A+e7CMLv2uy0&l8B=RjAhR	false	Avira URL Cloud: safe	unknown
http://www.bigdaddy.fish/amb6/?DPt4=by49o9P4nbuTuOEn2y8q30QOI4mC2WgRQPsTiLFqW4T5eczeXRV1KBHGOAlC+0HR5lXX&l8B=RjAhR	true	Avira URL Cloud: safe	unknown
www.shopjempress.com/amb6/	true	Avira URL Cloud: safe	low

ID:	458885
Product:	CloudBasic
Start time:	20:39:22
Start date:	03.08.2021
Sample:	Shipping Doc.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	159d560ff64cdb2d130b1635f4123a49
SHA1:	5762036dd01f8a63ce29557c5c0464360500c7e6
SHA256:	065252f5ed5475c89d2bff7389554a4695a85900a7a75eb98170c6a372b33ea0
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Windows Analysis Report Shipping Doc.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs