
Windows Analysis Report AfWu3i35ny.exe

Overview

General Information

Sample Name: AfWu3i35ny.exe
Analysis ID: 501914
MD5: 25aa37e21c29b7cff02509533b585ed7
SHA1: 4374948e203cba151ebdc43e11e6e115046270e9
SHA256: 740a2bc7e9c8eeed76ef0f812c6c89af35c414317d76ac5b50b28ca0728d103b
Tags: exe, Formbook
Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Potential malicious icon found
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • AfWu3i35ny.exe (PID: 4536 cmdline: 'C:\Users\user\Desktop\AfWu3i35ny.exe' MD5: 25AA37E21C29B7CFF02509533B585ED7)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://45.137.22.91/blm.bin"}

Yara Overview

Initial Sample

Source | Rule | Description | Author
AfWu3i35ny.exe | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
AfWu3i35ny.exe | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x379b5:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x37d4f:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1ac62:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x1a74e:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1ad64:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1aedc:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x38767:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x199c9:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x394df:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x20134:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x211d7:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
AfWu3i35ny.exe | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x1d066:$sqlite3step: 68 34 1C 7B E1
  • 0x1d179:$sqlite3step: 68 34 1C 7B E1
  • 0x1d095:$sqlite3text: 68 38 2A 90 C5
  • 0x1d1ba:$sqlite3text: 68 38 2A 90 C5
  • 0x1d0a8:$sqlite3blob: 68 53 D8 7F 8C
  • 0x1d1d0:$sqlite3blob: 68 53 D8 7F 8C

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.834854327.00000000021C0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x369b5:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x36d4f:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x19c62:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x1974e:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x19d64:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x19edc:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x37767:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x189c9:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x384df:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1f134:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x201d7:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x1c066:$sqlite3step: 68 34 1C 7B E1
  • 0x1c179:$sqlite3step: 68 34 1C 7B E1
  • 0x1c095:$sqlite3text: 68 38 2A 90 C5
  • 0x1c1ba:$sqlite3text: 68 38 2A 90 C5
  • 0x1c0a8:$sqlite3blob: 68 53 D8 7F 8C
  • 0x1c1d0:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.AfWu3i35ny.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.AfWu3i35ny.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x379b5:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x37d4f:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1ac62:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x1a74e:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1ad64:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1aedc:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x38767:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x199c9:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x394df:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x20134:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x211d7:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.AfWu3i35ny.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x1d066:$sqlite3step: 68 34 1C 7B E1
  • 0x1d179:$sqlite3step: 68 34 1C 7B E1
  • 0x1d095:$sqlite3text: 68 38 2A 90 C5
  • 0x1d1ba:$sqlite3text: 68 38 2A 90 C5
  • 0x1d0a8:$sqlite3blob: 68 53 D8 7F 8C
  • 0x1d1d0:$sqlite3blob: 68 53 D8 7F 8C
0.0.AfWu3i35ny.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.0.AfWu3i35ny.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x379b5:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x37d4f:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1ac62:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x1a74e:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1ad64:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1aedc:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x38767:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x199c9:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x394df:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x20134:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x211d7:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: AfWu3i35ny.exe | Avira: detected
Found malware configuration
Source: 00000000.00000002.834854327.00000000021C0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://45.137.22.91/blm.bin"}
Yara detected FormBook
Source: Yara match | File source: AfWu3i35ny.exe, type: SAMPLE
Source: Yara match | File source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: AfWu3i35ny.exe | Joe Sandbox ML: detected
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen2
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen2
Source: AfWu3i35ny.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://45.137.22.91/blm.bin
Source: AfWu3i35ny.exe, 00000000.00000002.833477625.000000000066A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: AfWu3i35ny.exe, type: SAMPLE
Source: Yara match | File source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Malicious sample detected (through community Yara rule)
Source: AfWu3i35ny.exe, type: SAMPLE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: AfWu3i35ny.exe, type: SAMPLE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: AfWu3i35ny.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: AfWu3i35ny.exe, type: SAMPLE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: AfWu3i35ny.exe, type: SAMPLE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: AfWu3i35ny.exe, 00000000.00000000.306480854.0000000000446000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDikter.exe vs AfWu3i35ny.exe
Source: AfWu3i35ny.exe, 00000000.00000002.835081490.0000000002A10000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDikter.exeFE2X vs AfWu3i35ny.exe
Source: AfWu3i35ny.exe | Binary or memory string: OriginalFilenameDikter.exe vs AfWu3i35ny.exe
Source: AfWu3i35ny.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_0043802D
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_0043212D
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_0043234D
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_004303CD
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_00421E50
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_00422F20
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C6672
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C8706
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C6872
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C69A6
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: String function: 0040177E appears 94 times
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Process Stats: CPU usage > 98%
Source: AfWu3i35ny.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000000.00000002.834854327.00000000021C0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_00402070 push ebx; iretd 0_2_004020D4
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_0040F87D push ds; ret 0_2_0040F8A3
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_004059C4 push cs; iretw 0_2_004059FA
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_00421DAF push eax; ret 0_2_00421DB5
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_00421E19 push eax; ret 0_2_00421E1F
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C027E push ds; iretd 0_2_021C0391
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C766E push ds; iretd 0_2_021C7688
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C030C push ds; iretd 0_2_021C0391
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C1F50 push ebp; ret 0_2_021C1F64
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C0392 push ds; iretd 0_2_021C0391
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C4FB9 pushfd ; iretd 0_2_021C4FC4
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C78EB push ebx; iretd 0_2_021C78FC
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C74E1 push edi; iretd 0_2_021C74E4
Source: initial sample | Static PE information: section name: .text entropy: 7.17479842318
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Process information set: NOOPENFILEERRORBOX (reported 10 times)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | RDTSC instruction interceptor: First address: 00000000021CA82E second address: 00000000021CA82E instructions:
  0x00000000 rdtsc
  0x00000002 mov eax, 27162939h
  0x00000007 add eax, FB6A8BD9h
  0x0000000c add eax, 26ECCA53h
  0x00000011 sub eax, 496D7F64h
  0x00000016 cpuid
  0x00000018 test cl, bl
  0x0000001a popad
  0x0000001b call 00007F23608F1008h
  0x00000020 lfence
  0x00000023 mov edx, 3E29BAC0h
  0x00000028 sub edx, 048E8A76h
  0x0000002e sub edx, 3246429Ah
  0x00000034 xor edx, 78AAEDA4h
  0x0000003a mov edx, dword ptr [edx]
  0x0000003c lfence
  0x0000003f cmp dl, al
  0x00000041 cmp edx, D97DEC47h
  0x00000047 test ah, dh
  0x00000049 cmp bx, ax
  0x0000004c ret
  0x0000004d sub edx, esi
  0x0000004f ret
  0x00000050 cmp bh, ch
  0x00000052 add edi, edx
  0x00000054 dec dword ptr [ebp+000000F8h]
  0x0000005a cmp dl, cl
  0x0000005c cmp dword ptr [ebp+000000F8h], 00000000h
  0x00000063 jne 00007F23608F0FE3h
  0x00000065 test ch, bh
  0x00000067 cmp cl, 00000012h
  0x0000006a call 00007F23608F10CEh
  0x0000006f call 00007F23608F102Bh
  0x00000074 lfence
  0x00000077 mov edx, 3E29BAC0h
  0x0000007c sub edx, 048E8A76h
  0x00000082 sub edx, 3246429Ah
  0x00000088 xor edx, 78AAEDA4h
  0x0000008e mov edx, dword ptr [edx]
  0x00000090 lfence
  0x00000093 cmp dl, al
  0x00000095 cmp edx, D97DEC47h
  0x0000009b test ah, dh
  0x0000009d cmp bx, ax
  0x000000a0 ret
  0x000000a1 mov esi, edx
  0x000000a3 pushad
  0x000000a4 rdtsc
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_004379AD rdtsc

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021CA3C8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C8012 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_021C9D8F mov eax, dword ptr fs:[00000030h]
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\AfWu3i35ny.exe | Code function: 0_2_004379AD rdtsc
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: AfWu3i35ny.exe, 00000000.00000002.833785069.0000000000CF0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: AfWu3i35ny.exe, type: SAMPLE
Source: Yara match | File source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: AfWu3i35ny.exe, type: SAMPLE
Source: Yara match | File source: 0.2.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.AfWu3i35ny.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.306440334.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.833081784.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 11 | Input Capture 1 | Security Software Discovery 21 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Software Packing 2 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | System Information Discovery 11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 3 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.