Windows Analysis Report IMG-000284794.exe

Overview

General Information

Sample Name: IMG-000284794.exe
Analysis ID: 553254
MD5: abd28466f7cb80d6da36fed9f3e6bef4
SHA1: fb2911028f32b2b3c07004a21e84773e3efd1519
SHA256: 5686f840b9b2834952367cd9c37ec4c8385bcc90348dd3a92e488c0faebed85a
Tags: exexloader

Detection

FormBook
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Writes to foreign memory regions
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sample execution stops while process was sleeping (likely an evasion)
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges

AV Detection:

Found malware configuration
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.129qihu.com/c6si/"], "decoy": ["tristateinc.construction", "americanscaregroundstexas.com", "kanimisoshiru.com", "wihling.com", "fishcheekstosa.com", "parentsfuid.com", "greenstandmarket.com", "fc8fla8kzq.com", "gametwist-83.club", "jobsncvs.com", "directrealtysells.com", "avida2015.com", "conceptasite.net", "arkaneattire.com", "indev-mobility.info", "2160centurypark412.com", "valefloor.com", "septembership.com", "stackflix.com", "jimc0sales.net", "socialviralup.com", "lastra41.com", "juliaepaulovaocasar.com", "jurisagora.com", "drawandgrow.online", "rebekahlouise.com", "herport-fr.com", "iphone13.webcam", "appz-one.net", "inpost-pl.net", "promocion360fitness.com", "global-forbes.biz", "diamondtrade.net", "albertcantos.com", "gtgits.com", "travel-ai.online", "busipe6.com", "mualikesubvn.com", "niftyhandy.com", "docprops.com", "lido88.bet", "baywoodphotography.com", "cargosouq.info", "newsnowlive.online", "floridafishingoverboard.com", "missnikissalsa.net", "walletvalidate.space", "kissimmeeinternationalcup.com", "charterhome.school", "gurujupiter.com", "entertainmentwitchy.com", "jokeaou.com", "sugarmountainfirearms.com", "iss-sa.com", "smittyssierra.com", "freedomoff.com", "giftoin.com", "realitystararmwrestling.com", "salsalunch-equallyage.com", "ladouba.com", "thepropertygoat.com", "bestofmerrick.guide", "4the.top", "regioinversiones.com"]}
Multi AV Scanner detection for submitted file
Source: IMG-000284794.exe Virustotal: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: IMG-000284794.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: IMG-000284794.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1530308638\un_priv\bonkersV2\obj\Release\bonkersV2.pdb source: IMG-000284794.exe
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.370158072.0000000004E11000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.129qihu.com/c6si/
Source: Amcache.hve.19.dr String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected FormBook (sources identical to the Yara matches listed under AV Detection)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: IMG-000284794.exe, bonkers/Program.cs Large array initialization: .cctor: array initializer size 77824
Source: IMG-000284794.exe, bonkers/Program.cs Large array initialization: .cctor: array initializer size 223232
Source: 0.0.IMG-000284794.exe.760000.0.unpack, bonkers/Program.cs Large array initialization: .cctor: array initializer size 77824
Source: 0.0.IMG-000284794.exe.760000.0.unpack, bonkers/Program.cs Large array initialization: .cctor: array initializer size 223232
Yara signature match
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Sample file is different than original file name gathered from version info
Source: IMG-000284794.exe, 00000000.00000000.235385293.0000000000762000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebonkersV2.exe4 vs IMG-000284794.exe
Source: IMG-000284794.exe Binary or memory string: OriginalFilenamebonkersV2.exe4 vs IMG-000284794.exe
One or more processes crash
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6112 -s 176
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\IMG-000284794.exe Process Stats: CPU usage > 98%
Source: IMG-000284794.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IMG-000284794.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\IMG-000284794.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown Process created: C:\Users\user\Desktop\IMG-000284794.exe "C:\Users\user\Desktop\IMG-000284794.exe"
Source: C:\Users\user\Desktop\IMG-000284794.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IMG-000284794.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6112
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4908:120:WilError_01
Source: C:\Users\user\Desktop\IMG-000284794.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG-000284794.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER52C0.tmp
Source: classification engine Classification label: mal96.troj.evad.winEXE@5/7@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: IMG-000284794.exe Static file information: File size 1211392 > 1048576
Source: IMG-000284794.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: IMG-000284794.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: IMG-000284794.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x127200
Source: IMG-000284794.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

.NET source code contains potential unpacker
Source: IMG-000284794.exe, bonkers/Program.cs .Net Code: hselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.IMG-000284794.exe.760000.0.unpack, bonkers/Program.cs .Net Code: hselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: IMG-000284794.exe Static PE information: 0xE045D3C7 [Sat Mar 26 10:49:43 2089 UTC]
Source: C:\Users\user\Desktop\IMG-000284794.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\IMG-000284794.exe TID: 4344 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\IMG-000284794.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.19.dr Binary or memory string: VMware
Source: Amcache.hve.19.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.19.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr Binary or memory string: VMware7,1
Source: Amcache.hve.19.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.19.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.19.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.19.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.19.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.19.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Users\user\Desktop\IMG-000284794.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\IMG-000284794.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\IMG-000284794.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 600000
Source: C:\Users\user\Desktop\IMG-000284794.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 601000
Source: C:\Users\user\Desktop\IMG-000284794.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 410008
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\IMG-000284794.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 600000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\IMG-000284794.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\IMG-000284794.exe Queries volume information: C:\Users\user\Desktop\IMG-000284794.exe VolumeInformation
Source: C:\Users\user\Desktop\IMG-000284794.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: Amcache.hve.19.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.aspnet_regbrowsers.exe.600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.aspnet_regbrowsers.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.361422282.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.391762498.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.361776680.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.364298420.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.363861751.0000000000601000.00000020.00000001.sdmp, type: MEMORY
No contacted IP infos