
Windows Analysis Report: rápida confirmación.exe

Overview

General Information

Sample Name: rápida confirmación.exe
Analysis ID: 552958
MD5: 3e9eee8807a79ad0134c1a6402927ffa
SHA1: c89df349f144a0cce0dce3a47efc5a9e37b46d56
SHA256: c7014edceec0fbe638312dcec8b8d1f0a5bf88dd282fc8ae9ec5d375820d270d
Tags: exe, Formbook

Detection

Detected families: DBatLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected DBatLoader
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file name differs from the original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • rápida confirmación.exe (PID: 6584 cmdline: "C:\Users\user\Desktop\rápida confirmación.exe" MD5: 3E9EEE8807A79AD0134C1A6402927FFA)
    • DpiScaling.exe (PID: 5040 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Wktcfujipy.exe (PID: 5840 cmdline: "C:\Users\user\Contacts\Wktcfujipy.exe" MD5: 3E9EEE8807A79AD0134C1A6402927FFA)
          • DpiScaling.exe (PID: 7160 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
        • Wktcfujipy.exe (PID: 7108 cmdline: "C:\Users\user\Contacts\Wktcfujipy.exe" MD5: 3E9EEE8807A79AD0134C1A6402927FFA)
          • DpiScaling.exe (PID: 5408 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
        • autofmt.exe (PID: 404 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • colorcpl.exe (PID: 6740 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 6596 cmdline: /c del "C:\Windows\SysWOW64\DpiScaling.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 5244 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 3736 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
        • cscript.exe (PID: 4136 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.my163111.com/ariv/"], "decoy": ["validationlinkedterms.xyz", "essentialpraxis.com", "kjbservicesmn.com", "wikiofgames.com", "familiapena2475.com", "xn--yckc3am9f2et438ajmxc.xyz", "fluxmmaoffers.com", "absampee43.com", "videofx.store", "metropolitanprofitness.com", "fc8fla8kzq.com", "espotplay.com", "ammarus.com", "tangerineharbor.com", "esvengineers.com", "bullfrogoutdoors.com", "beefdiets.quest", "958kk.com", "triptoursportsaid.com", "vestontalons.com", "macallanwhiskysuppliers.com", "documentrus.com", "suddennnnnnnnnnnn36.xyz", "68127.online", "fombge.com", "tigatek-ev.com", "absender.digital", "remote-soc.com", "allfivestarnails.com", "opurtnsdqr.icu", "druvajtteet.quest", "cplbet168.xyz", "tomrose.net", "official-dyson.online", "downlownft.com", "bettingsoftwareshop.com", "in-cranium.com", "nouvec.com", "timberwolfcanada.com", "theprosperityrevolution.com", "yourfamilylook.com", "comidie.com", "mytechmadesimple.com", "builtbyfable.com", "arsebangers.com", "drbnkrs.com", "allcoasttowingfl.com", "old038359222.com", "abodhakujena.com", "newearthhg.com", "letyoursoulcontrol.com", "insight-j.com", "adfslab.cloud", "glowiebyher.com", "weixiaotuo.com", "fltsavionics.com", "stuiversuitvaart.com", "csrrealestatemx.com", "hairbeauty-city.com", "calwim.com", "linwuyayz.com", "interstate-ts.com", "mien-atelier.com", "neatbourbonpodcast.com"]}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
rápida confirmación.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Contacts\ypijufctkW.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x58:$hotkey: \x0AHotKey=1
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\Contacts\ypijufctkW.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\Contacts\Wktcfujipy.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000000.692224490.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000000.692224490.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.692224490.0000000072480000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000000.750809389.0000000072480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000000.750809389.0000000072480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
11.0.DpiScaling.exe.72480000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
11.0.DpiScaling.exe.72480000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.0.DpiScaling.exe.72480000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
4.0.DpiScaling.exe.72480000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.DpiScaling.exe.72480000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00