Windows Analysis Report AfWu3i35ny.exe

Overview

General Information

Sample Name: AfWu3i35ny.exe
Analysis ID: 501914
MD5: 25aa37e21c29b7cff02509533b585ed7
SHA1: 4374948e203cba151ebdc43e11e6e115046270e9
SHA256: 740a2bc7e9c8eeed76ef0f812c6c89af35c414317d76ac5b50b28ca0728d103b
Tags: exe, Formbook
Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Potential malicious icon found
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: AfWu3i35ny.exe Avira: detected
Found malware configuration
Source: 00000000.00000002.834854327.00000000021C0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://45.137.22.91/blm.bin"}
Yara detected FormBook
Source: Yara match File source: AfWu3i35ny.exe, type: SAMPLE
Source: Yara match File source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: AfWu3i35ny.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen2
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen2

Compliance:

Uses 32bit PE files
Source: AfWu3i35ny.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://45.137.22.91/blm.bin

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: AfWu3i35ny.exe, 00000000.00000002.833477625.000000000066A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: AfWu3i35ny.exe, type: SAMPLE
Source: Yara match File source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Malicious sample detected (through community Yara rule)
Source: AfWu3i35ny.exe, type: SAMPLE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: AfWu3i35ny.exe, type: SAMPLE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: AfWu3i35ny.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: AfWu3i35ny.exe, type: SAMPLE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: AfWu3i35ny.exe, type: SAMPLE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Sample file is different than original file name gathered from version info
Source: AfWu3i35ny.exe, 00000000.00000000.306480854.0000000000446000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDikter.exe vs AfWu3i35ny.exe
Source: AfWu3i35ny.exe, 00000000.00000002.835081490.0000000002A10000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDikter.exeFE2X vs AfWu3i35ny.exe
Source: AfWu3i35ny.exe Binary or memory string: OriginalFilenameDikter.exe vs AfWu3i35ny.exe
PE file contains strange resources
Source: AfWu3i35ny.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_0043802D 0_2_0043802D
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_0043212D 0_2_0043212D
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_0043234D 0_2_0043234D
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_004303CD 0_2_004303CD
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_00421E50 0_2_00421E50
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_00422F20 0_2_00422F20
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C6672 0_2_021C6672
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C8706 0_2_021C8706
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C6872 0_2_021C6872
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C69A6 0_2_021C69A6
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: String function: 0040177E appears 94 times
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Process Stats: CPU usage > 98%
Source: AfWu3i35ny.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.834854327.00000000021C0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_00402070 push ebx; iretd 0_2_004020D4
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_0040F87D push ds; ret 0_2_0040F8A3
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_004059C4 push cs; iretw 0_2_004059FA
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_00421DAF push eax; ret 0_2_00421DB5
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_00421E19 push eax; ret 0_2_00421E1F
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C027E push ds; iretd 0_2_021C0391
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C766E push ds; iretd 0_2_021C7688
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C030C push ds; iretd 0_2_021C0391
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C1F50 push ebp; ret 0_2_021C1F64
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C0392 push ds; iretd 0_2_021C0391
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C4FB9 pushfd ; iretd 0_2_021C4FC4
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C78EB push ebx; iretd 0_2_021C78FC
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C74E1 push edi; iretd 0_2_021C74E4
Source: initial sample Static PE information: section name: .text entropy: 7.17479842318
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\AfWu3i35ny.exe RDTSC instruction interceptor: First address: 00000000021CA82E second address: 00000000021CA82E instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 27162939h
  0x00000007 add eax, FB6A8BD9h
  0x0000000c add eax, 26ECCA53h
  0x00000011 sub eax, 496D7F64h
  0x00000016 cpuid
  0x00000018 test cl, bl
  0x0000001a popad
  0x0000001b call 00007F23608F1008h
  0x00000020 lfence
  0x00000023 mov edx, 3E29BAC0h
  0x00000028 sub edx, 048E8A76h
  0x0000002e sub edx, 3246429Ah
  0x00000034 xor edx, 78AAEDA4h
  0x0000003a mov edx, dword ptr [edx]
  0x0000003c lfence
  0x0000003f cmp dl, al
  0x00000041 cmp edx, D97DEC47h
  0x00000047 test ah, dh
  0x00000049 cmp bx, ax
  0x0000004c ret
  0x0000004d sub edx, esi
  0x0000004f ret
  0x00000050 cmp bh, ch
  0x00000052 add edi, edx
  0x00000054 dec dword ptr [ebp+000000F8h]
  0x0000005a cmp dl, cl
  0x0000005c cmp dword ptr [ebp+000000F8h], 00000000h
  0x00000063 jne 00007F23608F0FE3h
  0x00000065 test ch, bh
  0x00000067 cmp cl, 00000012h
  0x0000006a call 00007F23608F10CEh
  0x0000006f call 00007F23608F102Bh
  0x00000074 lfence
  0x00000077 mov edx, 3E29BAC0h
  0x0000007c sub edx, 048E8A76h
  0x00000082 sub edx, 3246429Ah
  0x00000088 xor edx, 78AAEDA4h
  0x0000008e mov edx, dword ptr [edx]
  0x00000090 lfence
  0x00000093 cmp dl, al
  0x00000095 cmp edx, D97DEC47h
  0x0000009b test ah, dh
  0x0000009d cmp bx, ax
  0x000000a0 ret
  0x000000a1 mov esi, edx
  0x000000a3 pushad
  0x000000a4 rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_004379AD rdtsc 0_2_004379AD

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021CA3C8 mov eax, dword ptr fs:[00000030h] 0_2_021CA3C8
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C8012 mov eax, dword ptr fs:[00000030h] 0_2_021C8012
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_021C9D8F mov eax, dword ptr fs:[00000030h] 0_2_021C9D8F
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\AfWu3i35ny.exe Code function: 0_2_004379AD rdtsc 0_2_004379AD
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: AfWu3i35ny.exe, type: SAMPLE
Source: Yara match File source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: AfWu3i35ny.exe, type: SAMPLE
Source: Yara match File source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY
No contacted IP infos