Windows Analysis Report
FedEx.com

Overview

General Information

Sample Name: FedEx.com (renamed file extension from com to exe)
Analysis ID: 626183
MD5: 917aa80e03e09b1d2b6619cc62cdbe22
SHA1: 4124f6fa2d81e4f3db5bc62099fe4f03f71f091f
SHA256: 57f4cf106379977932d3ca39bfceb27bf66b55b60465f3a6560d71983709ecea
Tags: exe, formbook, modiloader, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file name differs from the original file name in its version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • FedEx.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\FedEx.exe" MD5: 917AA80E03E09B1D2B6619CC62CDBE22)
    • logagent.exe (PID: 4356 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
      • explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Rvsuben.exe (PID: 6372 cmdline: "C:\Users\Public\Libraries\Rvsuben.exe" MD5: 917AA80E03E09B1D2B6619CC62CDBE22)
          • logagent.exe (PID: 3676 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
        • Rvsuben.exe (PID: 7156 cmdline: "C:\Users\Public\Libraries\Rvsuben.exe" MD5: 917AA80E03E09B1D2B6619CC62CDBE22)
          • DpiScaling.exe (PID: 5892 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
        • WWAHost.exe (PID: 6004 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
          • cmd.exe (PID: 1624 cmdline: /c del "C:\Windows\SysWOW64\logagent.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • autofmt.exe (PID: 5564 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • cmmon32.exe (PID: 3652 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
        • mstsc.exe (PID: 6092 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
  • cleanup
No configs have been found
Source: C:\Users\Public\Libraries\nebusvR.url
Rule: Methodology_Shortcut_HotKey
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x57: $hotkey: \x0AHotKey=7
  • 0x0: $url_explicit: [InternetShortcut]

Source: C:\Users\Public\Libraries\nebusvR.url
Rule: Methodology_Contains_Shortcut_OtherURIhandlers
Description: Detects possible shortcut usage for .URL persistence
Author: @itsreallynick (Nick Carr)
Strings:
  • 0x14: $file: URL=
  • 0x0: $url_explicit: [InternetShortcut]
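The two Methodology_Shortcut_* hits say only that nebusvR.url has an [InternetShortcut] header at offset 0x0, a URL= key at 0x14 (so the header is followed by CRLF and URL= is the first key) and a HotKey= line further down. The added example below (editor's code, not Joe Sandbox's or the rule author's) is the triage a responder would run on such a file: locate the same strings, parse the section, decode the HotKey word and flag a target that is not a plain http(s) link. The file contents are constructed, since the report does not show them; the file:// target pointing at the dropped Rvsuben.exe is an assumption, as is the assumption that HotKey= uses the IShellLink hotkey encoding (virtual key in the low byte, HOTKEYF_* modifiers in the high byte).

```python
"""Triage a Windows .url (InternetShortcut) file for what the two
Methodology_Shortcut_* rules key on: a HotKey= entry and a URL= target that is
not a plain http(s) link. Added example (editor's code, not Joe Sandbox's or the
rule author's)."""
import re
from urllib.parse import urlsplit

# Constructed sample: the report shows only the rule hits on nebusvR.url, not its
# contents. The file:// target pointing at the dropped Rvsuben.exe is an assumption.
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file:///C:/Users/Public/Libraries/Rvsuben.exe\r\n"
    "IconIndex=0\r\n"
    "HotKey=7\r\n"
)
# Assumed encoding of the HotKey word: virtual key in the low byte, HOTKEYF_*
# modifier flags (commctrl.h) in the high byte, as IShellLink::SetHotkey documents.
HOTKEY_MODIFIERS = {0x01: "SHIFT", 0x02: "CTRL", 0x04: "ALT", 0x08: "EXT"}
RULE_STRINGS = {  # the strings the report shows matching, as byte regexes
    "url_explicit": rb"\[InternetShortcut\]",
    "file": rb"URL=",
    "hotkey": rb"\nHotKey=\d+",
}

def find_rule_strings(text: str) -> dict:
    """Byte offsets of each rule string, to compare with the report's 0x0 / 0x14 / 0x57."""
    data = text.encode("latin-1")
    return {name: [m.start() for m in re.finditer(pat, data)] for name, pat in RULE_STRINGS.items()}

def parse_url_shortcut(text: str) -> dict:
    """Keys of the [InternetShortcut] section; INI keys are case-insensitive on Windows."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys

def decode_hotkey(word: int) -> str:
    """Split the hotkey word into virtual-key code and modifier names."""
    vk, mods = word & 0xFF, (word >> 8) & 0xFF
    names = [n for bit, n in HOTKEY_MODIFIERS.items() if mods & bit]
    return f"VK 0x{vk:02X} + {'+'.join(names) if names else 'no modifiers'}"

def triage_url_shortcut(text: str) -> dict:
    keys = parse_url_shortcut(text)
    target = keys.get("url", "")
    scheme = urlsplit(target).scheme.lower()
    findings = []
    if target and scheme not in ("http", "https"):
        # The shortcut opens a local file or another URI handler rather than a web page
        findings.append(f"URL= uses handler '{scheme or 'none'}': {target}")
    hotkey = int(keys["hotkey"]) if keys.get("hotkey", "").isdigit() else None
    if hotkey is not None:
        # A HotKey= entry lets the shell launch the shortcut from a key combination
        findings.append(f"HotKey={hotkey} ({decode_hotkey(hotkey)})")
    return {"target": target, "scheme": scheme, "hotkey": hotkey, "findings": findings}

if __name__ == "__main__":
    print(find_rule_strings(SAMPLE_URL_FILE))
    print("\n".join(triage_url_shortcut(SAMPLE_URL_FILE)["findings"]))
```

On the constructed sample the header and URL= land at 0x0 and 0x14 just as in the report, because both follow from `[InternetShortcut]\r\n` being the first line; the HotKey offset depends on what sits between and therefore differs from the report's 0x57.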
Source: 0000001F.00000002.662948879.00000000032D0000.00000040.80000000.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000001F.00000002.662948879.00000000032D0000.00000040.80000000.00040000.00000000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8c08: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8fa2: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16345: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15df1: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16447: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x165bf: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x99ba: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1506c: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa732: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b997: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ca9a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000001F.00000002.662948879.00000000032D0000.00000040.80000000.00040000.00000000.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18819: $sqlite3step: 68 34 1C 7B E1
  • 0x1892c: $sqlite3step: 68 34 1C 7B E1
  • 0x18848: $sqlite3text: 68 38 2A 90 C5
  • 0x1896d: $sqlite3text: 68 38 2A 90 C5
  • 0x1885b: $sqlite3blob: 68 53 D8 7F 8C
  • 0x18983: $sqlite3blob: 68 53 D8 7F 8C

Source: 00000016.00000002.643656925.0000000010410000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000016.00000002.643656925.0000000010410000.00000040.00000400.00020000.00000000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8c08: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8fa2: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16345: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15df1: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16447: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x165bf: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x99ba: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1506c: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa732: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b997: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ca9a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
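The strings above are plain Yara hex strings, and two of them are worth reading. $sequence_0 disassembles as `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`: the difference between two time-stamp counter reads, which is the RDTSC virtualization check listed under Signatures. The JPCERT/CC strings are each a `push imm32` (opcode 68), i.e. 32-bit constants that the rule names tie to sqlite3_step, sqlite3_column_text and sqlite3_column_blob, consistent with FormBook reading browser credential stores through sqlite3. The added example below (editor's code, not from the rule authors or Joe Sandbox) scans a constructed dump for these strings with `??` wildcard support, emulates an "N of them" condition (the real rule conditions are not shown on this page, so the thresholds are assumptions), decodes the push immediates and lists rdtsc sites.

```python
"""Scan a memory dump for the byte sequences of the two FormBook rules in the
report and explain the bytes. Added example (editor's code, not the rule authors'
or Joe Sandbox's); the real rule conditions are not on the page, so the
'at least N of the strings' thresholds used here are assumptions."""
import re

# Strings exactly as the report lists them (Formbook_1, yara-signator, Felix Bilstein).
FORMBOOK_1 = {
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",  # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "sequence_8": "3C 54 74 04 3C 74 75 F4",
    "sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
# Strings of the JPCERT/CC rule: each is 'push imm32' (opcode 68) of a constant.
JPCERT_FORMBOOK = {
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}
RDTSC = b"\x0f\x31"

def hex_pattern(hexstr: str) -> re.Pattern:
    """Compile a Yara-style hex string ('??' = any byte) into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in hexstr.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(buf: bytes, strings: dict) -> dict:
    """Offsets of every match of every string, like the per-string hits in the report."""
    return {name: [m.start() for m in hex_pattern(h).finditer(buf)] for name, h in strings.items()}

def evaluate(buf: bytes, strings: dict, need: int):
    """Emulate a 'need of them' condition: which strings hit, and whether the rule fires."""
    hits = [name for name, offs in scan(buf, strings).items() if offs]
    return hits, len(hits) >= need

def push_immediate(hexstr: str) -> int:
    """Decode the little-endian imm32 of a 'push imm32' string: the constant the rule keys on."""
    raw = bytes.fromhex(hexstr)
    if len(raw) != 5 or raw[0] != 0x68:
        raise ValueError("not a push imm32")
    return int.from_bytes(raw[1:], "little")

def rdtsc_sites(buf: bytes) -> list:
    """Offsets of rdtsc opcodes; two reads close together are the timing check the report flags."""
    return [m.start() for m in re.finditer(re.escape(RDTSC), buf)]

def build_sample_dump() -> bytes:
    """Constructed dump: zero-filled, each rule string planted at a known offset,
    sequence_0 twice (the report's dump has it at 0x8c08 and 0x8fa2)."""
    layout = {0x100 + 0x40 * i: f"sequence_{i}" for i in range(10)}
    layout[0x400] = "sequence_0"
    layout.update({0x500: "sqlite3step", 0x520: "sqlite3text", 0x540: "sqlite3blob"})
    buf = bytearray(0x600)
    for off, name in layout.items():
        raw = bytes.fromhex({**FORMBOOK_1, **JPCERT_FORMBOOK}[name])
        buf[off:off + len(raw)] = raw
    return bytes(buf)

if __name__ == "__main__":
    dump = build_sample_dump()
    for rule, strings, need in (("Formbook_1", FORMBOOK_1, 7), ("JPCERT Formbook", JPCERT_FORMBOOK, 3)):
        hits, fired = evaluate(dump, strings, need)
        print(f"{rule}: {len(hits)} strings hit, fires={fired}")
    for name, h in JPCERT_FORMBOOK.items():
        print(f"{name}: push 0x{push_immediate(h):08X}")
    print("rdtsc at", [hex(o) for o in rdtsc_sites(dump)])
```

To run this against a real Joe Sandbox dump, read the .sdmp file as bytes in place of `build_sample_dump()`; the offsets `scan` returns are relative to the dump start, exactly like the offsets printed in the report.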