
Windows Analysis Report
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.17207

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.17207 (renamed file extension from 17207 to exe)
Analysis ID: 626424
MD5: 14848f52302c15e27b26fee5fada11c1
SHA1: 04d62d915bd1a81c4b5ed35df6edb953107398c8
SHA256: 4ac982ea35522a13de30ff7ddbbec9becf2c7528a48f0aff377e3d6758a7ae7b
Tags: exe

Detection

FormBook
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe (PID: 5944 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe" MD5: 14848F52302C15E27B26FEE5FADA11C1)
    • miylwnpd.exe (PID: 3908 cmdline: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl MD5: FF4C2F4D6E1FA34E8B958993C0DE134D)
      • miylwnpd.exe (PID: 1900 cmdline: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl MD5: FF4C2F4D6E1FA34E8B958993C0DE134D)
  • cleanup
Source | Rule | Description | Author | Strings
00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x165af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x99aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa722:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18809:$sqlite3step: 68 34 1C 7B E1
  • 0x1891c:$sqlite3step: 68 34 1C 7B E1
  • 0x18838:$sqlite3text: 68 38 2A 90 C5
  • 0x1895d:$sqlite3text: 68 38 2A 90 C5
  • 0x1884b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18973:$sqlite3blob: 68 53 D8 7F 8C

Source | Rule | Description | Author | Strings
1.2.miylwnpd.exe.2cb0000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.miylwnpd.exe.2cb0000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7e08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8192:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15535:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14fe1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15637:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x157af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x8baa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1425c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9922:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bc8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.miylwnpd.exe.2cb0000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a09:$sqlite3step: 68 34 1C 7B E1
  • 0x17b1c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a38:$sqlite3text: 68 38 2A 90 C5
  • 0x17b5d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
1.2.miylwnpd.exe.2cb0000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.miylwnpd.exe.2cb0000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8c08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x16335:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x16437:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x165af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x99aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1505c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa722:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ca8a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.beamaster.info/p0ip/"], "decoy": ["webberkerr.com", "lelezhuanshu.xyz", "weedformellc.com", "ikzoekeenbedrijfsruimte.com", "swahlove.com", "dubaidesertsafari.travel", "atozmedicalimages.com", "uniytriox.com", "clickyourcat.com", "shandun-safety.com", "pakmart.center", "roxxiesixx.com", "twistedtaqueriachicago.com", "studynursingaustralia.online", "wellnesstestinggroup.com", "justusebias.com", "yqvzs.com", "co1l7o8vy.com", "lightning.legal", "cardamagescanner.com", "megawatchinc.com", "sadebademli.com", "bcoky.com", "unleashingyou-lifecoaching.com", "epsubtitles.online", "susanpetersonrealty.com", "gdderui.com", "claris-studio.cloud", "cryptomnis.com", "1ens.domains", "localbusinessassets.com", "et9n7e4vf.com", "quoteypants.com", "bokepremaja18.biz", "xiangqinmao.com", "lilot-pland45.site", "exilings.com", "nft-id.net", "sport-outdoorpacks.com", "plnykosik.online", "cidesadelcentro.com", "stunning-black.xyz", "zoeyunker.com", "videogamesgroup.com", "autodnstest.com", "bookworms.store", "69817269.com", "one-session22-lp.com", "modelofindia.com", "kennnyshands.com", "otopenishop.net", "freegameswithoutdownload.online", "alaskanwave.net", "tjkt8.com", "abv.wiki", "protoncarsale.com", "zhipurc.com", "psicologamoderna.com", "hidinginplainsight.digital", "cuamini-trankien.xyz", "yustunning.com", "apeironpay.xyz", "allowdrops.xyz", "allyouneedstore.xyz"]}
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Virustotal: Detection: 41%
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | ReversingLabs: Detection: 34%
Source: Yara match | File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | ReversingLabs: Detection: 24%
Source: 1.2.miylwnpd.exe.2cb0000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\sltck\alpfsb\pnlp\5a4eb681595f48a7816b70c325f39788\dfkzie\sffldbix\Release\sffldbix.pdb | source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe, 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmp, miylwnpd.exe, 00000001.00000000.230322990.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, miylwnpd.exe, 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, miylwnpd.exe, 00000002.00000000.232221642.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, nsaF211.tmp.0.dr, miylwnpd.exe.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_004069A4 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_0040290B FindFirstFileW

Networking

Source: Malware configuration extractor | URLs: www.beamaster.info/p0ip/
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud

Source: Yara match | File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E1890
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E9C12
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E96A0
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E7E88
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002EC3BD
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002EA184
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002EB3F1
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Virustotal: Detection: 41%
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Command line argument: ^F. (1_2_002E45B0)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | File created: C:\Users\user\AppData\Local\Temp\nsaF210.tmp
Source: classification engine | Classification label: mal84.troj.winEXE@5/4@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_004021AA CoCreateInstance
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\sltck\alpfsb\pnlp\5a4eb681595f48a7816b70c325f39788\dfkzie\sffldbix\Release\sffldbix.pdb | source: SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe, 00000000.00000002.242790346.0000000000788000.00000004.00000001.01000000.00000003.sdmp, miylwnpd.exe, 00000001.00000000.230322990.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, miylwnpd.exe, 00000001.00000002.233550962.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, miylwnpd.exe, 00000002.00000000.232221642.00000000002EE000.00000002.00000001.01000000.00000004.sdmp, nsaF211.tmp.0.dr, miylwnpd.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E2445 push ecx; ret 1_2_002E2458
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | File created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E1890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_1-6461)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_004069A4 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_0040290B FindFirstFileW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | API call chain: ExitProcess graph end node (graph_0-3509)
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | API call chain: ExitProcess graph end node (graph_1-6463)
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E7A95 IsDebuggerPresent
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E86ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E439B SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Process created: C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\miylwnpd.exe C:\Users\user\AppData\Local\Temp\zehirtbl
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E3283 cpuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.8452.exe | Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\miylwnpd.exe | Code function: 1_2_002E3EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 1.2.miylwnpd.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.miylwnpd.exe.2cb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.233653327.0000000002CB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix, listed per tactic (a leading number is the count the report attaches to that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: 2 Command and Scripting Interpreter; 1 Native API; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: 1 Access Token Manipulation; 11 Process Injection; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: 1 Access Token Manipulation; 11 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 1 System Time Discovery; 13 Security Software Discovery; 2 File and Directory Discovery; 14 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data
Behavior Graph ID: 626424