
formbook_payload.exe

Status: finished
Submission Time: 2020-09-23 14:41:58 +02:00
Malicious
Trojan
Evader
FormBook

Details

  • Analysis ID: 289093
  • API (Web) ID: 473299
  • Analysis Started: 2020-09-23 14:41:59 +02:00
  • Analysis Finished: 2020-09-23 14:52:39 +02:00
  • MD5: d6a689d265ef751ef429e140ac05cfff
  • SHA1: 541c663afddfa3e55b6f83d1bc96a32bbb449a09
  • SHA256: fd0877627dc7213734ca8d6f6585ff8ef6e4ed8301a21bc570f39100d0c143a8
  • Technologies: Joe Sandbox

Engine: Joe Sandbox
Detection: malicious
Score: 100
System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Third Party Analysis Engines

Detection: malicious

IPs

IP                Country
13.251.251.159    United States
35.242.251.130    United States
162.144.235.163   United States
93.89.224.166     Turkey
34.102.136.180    United States
184.168.131.241   United States
23.227.38.32      Canada
3.12.100.242      United States

Domains

Name                                                          IP
www.chsepd.com                                                0.0.0.0
www.cartmedical.com                                           0.0.0.0
www.offerswap.online                                          0.0.0.0
www.esrasuaklier.xyz                                          0.0.0.0
www.summitcreators.com                                        0.0.0.0
www.slothzzz.com                                              0.0.0.0
www.xfgyzzm.icu                                               0.0.0.0
www.dynamosdills.com                                          0.0.0.0
www.mynetlfis.info                                            0.0.0.0
www.binaxnowcovid19.com                                       0.0.0.0
www.vaytiennhanhhn.com                                        0.0.0.0
www.grepreps.com                                              0.0.0.0
www.hbozoom.com                                               0.0.0.0
hbozoom.com                                                   34.102.136.180
summitcreators.com                                            162.144.235.163
binaxnowcovid19.com                                           184.168.131.241
balancer.wixdns.net                                           35.242.251.130
chsepd.com                                                    184.168.131.241
cartmedical.com                                               34.102.136.180
esrasuaklier.xyz                                              93.89.224.166
dns.ladipage.com                                              13.251.251.159
slothzzz.com                                                  23.227.38.32
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com     3.12.100.242
www.harpoonchicken.com                                        66.96.162.138

URLs

Name
http://www.grepreps.com/agwz/?MnZ=GXLtz&LZND0=CH0nB3OluF49qRSz/OLk4EtJPMsMaw/iehJ+yYvfoA68c6qhDghDV8r53EnzBlz3EcTe
http://www.esrasuaklier.xyz/agwz/?LZND0=1nPWTwIhjCwDoHLc2W73eVKnTzc7HaiklWcd/zDksDOCjn2F0sQeE2o9z8X8xeyz6CCc&MnZ=GXLtz
http://www.dynamosdills.com/agwz/?LZND0=yQ4M83h6mCL3szU05+AlLjJXCO7kj/quc7kP2vOtrjUS7HiKS67pwsdhPNRwpMvgRme+&MnZ=GXLtz
http://www.hbozoom.com/agwz/?MnZ=GXLtz&LZND0=y/yg6nca0XsCzu0iO/J1iPqqOPJ8yJtAtZIup4o9k847awKGzQIlIjJ6GOEhZcKx61/V
http://www.chsepd.com/agwz/?LZND0=hqqbBV0tUnbf1XYheYmcmAHV7six6FgMl/GeeF/i6LtxzIqJ3tJ1B/UEqdy/W9gVRkC4&MnZ=GXLtz
http://www.summitcreators.com/agwz/?MnZ=GXLtz&LZND0=9QCoIfa5iCzEbN3Z+R0VQ9gIeVK3nbjlwZ/eYJgsZnRvtJdKzbJpmDYy8yv6f2R6bfqj
http://www.vaytiennhanhhn.com/agwz/?MnZ=GXLtz&LZND0=Of2aIFEqGqaZSU01tED2zDtUGS2BuTTC4sd6snsFqGWk/fnR2snxkIG75VHf2UAJ0o1B
http://www.slothzzz.com/agwz/?LZND0=Nm1g+Cr7PxAWjMuG/lXz57InbucQImWyPlJ6lo+2AgUBGhOlnrczzCcW0Z0mOFR6lVtp&MnZ=GXLtz
http://www.cartmedical.com/agwz/?MnZ=GXLtz&LZND0=XyP58VnLar4+RAv/d7RGEOqH4pOR5mj5cf5OeBalLJidQaj9Eoj8z9kojfq3myKrE19m
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.fontbureau.com
http://www.apache.org/licenses/LICENSE-2.0
http://www.autoitscript.com/autoit3/J
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
http://www.sakkal.com
http://www.urwpp.deDPlease
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
http://www.carterandcone.coml
http://www.fontbureau.com/designers/cabarga.htmlN
http://www.founder.com.cn/cn
http://www.fontbureau.com/designers/frere-jones.html
http://www.jiyu-kobo.co.jp/
http://www.fontbureau.com/designers8
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
http://www.typography.netD
http://www.fontbureau.com/designersG
http://www.fontbureau.com/designers/?
http://www.founder.com.cn/cn/bThe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
http://www.fontbureau.com/designers?
http://www.tiro.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
http://www.fontbureau.com/designers
http://www.goodfont.co.kr
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
http://www.sajatypeworks.com
http://www.zhongyicts.com.cn
http://www.founder.com.cn/cn/cThe
http://www.galapagosdesign.com/staff/dennis.htm
http://fontfabrik.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
http://www.galapagosdesign.com/DPlease
http://www.%s.comPA
http://www.fonts.com
http://www.sandoll.co.kr
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005

Dropped files

Name: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_formbook_payload_2ad36f1db2fadfb3a57e38280b737dd9b81d1f_0c7cfe27_07e8461e\Report.wer
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators

Name: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FD7.tmp.dmp
File Type: Mini DuMP crash report, 15 streams, Wed Sep 23 21:42:50 2020, 0x1205a4 type

Name: C:\ProgramData\Microsoft\Windows\WER\Temp\WER371B.tmp.WERInternalMetadata.xml
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators

Name: C:\ProgramData\Microsoft\Windows\WER\Temp\WER38E1.tmp.xml
File Type: XML 1.0 document, ASCII text, with CRLF line terminators