Play interactive tourEdit tour
Windows Analysis Report purchase Order.xlsm
Overview
General Information
Detection
FormBook
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Found detection on Joe Sandbox Cloud Basic with higher score
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Injects a PE file into a foreign processes
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Drops PE files to the user directory
Dropped file seen in connection with other malware
Excel documents contains an embedded macro which executes code when the document is opened
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard
Classification
Process Tree |
---|
|
Malware Configuration |
---|
Threatname: FormBook |
---|
{"C2 list": ["www.art-for-a-cause.com/m5cw/"], "decoy": ["stolpfabriken.com", "aromaessentialco.com", "rmcclaincpa.com", "wuruixin.com", "sidhyanticlasses.com", "horilka.store", "organic-outlaws.com", "customsoftwarelogistics.com", "cheryltesting.com", "thecompacthomegym.com", "the22yards.club", "quickloanprovidersservices.com", "grippyent.com", "guard-usa.com", "agircredit.com", "classificationmetallurgie.com", "quizzesandcode.com", "catdanos.com", "8676789.rest", "gotbestshavlngplansforyou.com", "supboarddesign.com", "byrdemailplans.xyz", "anngola.com", "milelefoods.com", "runawaypklyau.xyz", "redesignyourpain.com", "yourtv2ship.info", "jxypc.com", "lerjighjuij.store", "spiruline-shop.com", "qarziba-therapy.care", "hardayumangosteen.com", "freevolttech.com", "xiongbaosp.xyz", "balanzasdeplataforma.com", "johnathanmanney.com", "estcequecestgreen.com", "france-temps-partage.net", "fbiicrc.com", "privateairjets.com", "xn--5m4a23skoc.group", "andrewmurnane.com", "exitin90.com", "depofmvz.com", "bosphorus.website", "aragon.store", "nrnmuhendislik.com", "thesharingcorporation.com", "tccraft.online", "carjabber.com", "limitlesschurchbf.com", "dazalogistics.com", "x-play.club", "bitterbay.net", "forwardhcd.com", "smance.xyz", "netgearcloud.net", "wellaspiron.com", "heidelay.xyz", "qknzutohbtro.mobi", "epurhybrid.com", "pelitupmukaeksklusif.com", "secondave.online", "lockdownshowdown.online"]}
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| |
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
Click to see the 26 entries |
Unpacked PEs |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| |
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
Click to see the 28 entries |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Sigma detected: Execution from Suspicious Folder | Show sources |
Source: | Author: Florian Roth: |
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine | Show sources |
Source: | Author: James Pemberton / @4A616D6573: |
Sigma detected: Non Interactive PowerShell | Show sources |
Source: | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): |
Sigma detected: T1086 PowerShell Execution | Show sources |
Source: | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): |
Jbx Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
AV Detection: |
---|
Found malware configuration | Show sources |
Source: | Malware Configuration Extractor: |
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Yara detected FormBook | Show sources |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Antivirus / Scanner detection for submitted sample | Show sources |
Source: | Avira: |
Antivirus detection for URL or domain | Show sources |
Source: | Avira URL Cloud: |
Multi AV Scanner detection for domain / URL | Show sources |
Source: | Virustotal: | Perma Link |
Antivirus detection for dropped file | Show sources |
Source: | Avira: | ||
Source: | Avira: |
Multi AV Scanner detection for dropped file | Show sources |
Source: | ReversingLabs: | ||
Source: | ReversingLabs: |
Machine Learning detection for dropped file | Show sources |
Source: | Joe Sandbox ML: |
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: | ||
Source: | Avira: |
Source: | File opened: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | Memory has grown: |
Networking: |
---|
C2 URLs / IPs found in malware configuration | Show sources |
Source: | URLs: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |