Loading... Additional Content is being loaded
Windows
Analysis Report
#U00d6DEME FORMU.exe
Overview
General Information
| Sample Name: | #U00d6DEME FORMU.exe |
| Analysis ID: | 635282 |
| MD5: | 0204546cc8568a60d97947c5fd6ccd49 |
| SHA1: | ff7c492dd728279cd763af6fa525606431fc8db0 |
| SHA256: | eddc1ee1fafda4fe7cf6d114276c992806f33d7527d346464bad7033875fbd66 |
| Tags: | exeFormbookgeoTUR |
| Infos: |  |
 |
|
Detection
FormBook
| Score: | 96 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Classification
AV Detection |
  |
|---|
| Source: |
Malware Configuration Extractor: |
||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
Avira URL Cloud: |
||
| Source: |
Virustotal: |
Perma Link | ||
| Source: |
ReversingLabs: |
|||
| Source: |
Avira: |
||
| Source: |
Static PE information: |
||
| Source: |
Binary string: |
||
| Source: |
Code function: |
0_2_00405426 | |
| Source: |
Code function: |
0_2_00405D9C | |
| Source: |
Code function: |
0_2_004026A1 | |
Networking |
|
|---|
| Source: |
URLs: |
||
| Source: |
Binary or memory string: |
||
| Source: |
Code function: |
0_2_00404FDD | |
E-Banking Fraud |
|
|---|
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
System Summary |
|
|---|
| Source: |
Matched rule: |
||
| Source: |
Matched rule: |
||
| Source: |
Matched rule: |
||
| Source: |
Matched rule: |
||
| Source: |
Matched rule: |
||
| Source: |
Matched rule: |
||
| Source: |
Static PE information: |
||
| Source: |
Matched rule: |
||
| Source: |
Matched rule: |
||
| Source: |
Matched rule: |
||
| Source: |
Matched rule: |
||
| Source: |
Matched rule: |
||
| Source: |
Matched rule: |
||
| Source: |
Code function: |
0_2_004032FA | |
| Source: |
Code function: |
0_2_004047EE | |
| Source: |
Code function: |
0_2_00406083 | |
| Source: |
Code function: |
1_2_0102496E | |
| Source: |
Code function: |
1_2_0102959D | |
| Source: |
Code function: |
1_2_01026880 | |
| Source: |
Code function: |
1_2_010285D1 | |
| Source: |
Code function: |
1_2_010138EE | |
| Source: |
Code function: |
1_2_01026DF2 | |
| Source: |
Code function: |
1_2_01026880 | |
| Source: |
Code function: |
1_2_01026880 | |
| Source: |
Code function: |
1_2_01027364 | |
| Source: |
Code function: |
1_2_0102496E | |
| Source: |
Code function: |
1_2_010167AE | |
| Source: |
Code function: |
1_2_007F0A2C | |
| Source: |
Virustotal: |
||
| Source: |
ReversingLabs: |
||
| Source: |
File read: |
Jump to behavior | ||
| Source: |
Static PE information: |
||
| Source: |
Key opened: |
Jump to behavior | ||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
|||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Key value queried: |
Jump to behavior | ||
| Source: |
File created: |
Jump to behavior | ||
| Source: |
Classification label: |
||
| Source: |
Code function: |
0_2_00402078 | |
| Source: |
File read: |
Jump to behavior | ||
| Source: |
Code function: |
0_2_00404333 | |
| Source: |
Binary string: |
||
| Source: |
Code function: |
1_2_0101F048 | |
| Source: |
Code function: |
0_2_00405DDA | |
| Source: |
File created: |
Jump to dropped file | ||
| Source: |
Process information set: |
Jump to behavior | ||
| Source: |
Process information set: |
Jump to behavior | ||
Malware Analysis System Evasion |
|
|---|
| Source: |
Evasive API call chain: |
||
| Source: |
Evasive API call chain: |
||
| Source: |
Code function: |
0_2_00405426 | |
| Source: |
Code function: |
0_2_00405D9C | |
| Source: |
Code function: |
0_2_004026A1 | |
| Source: |
API call chain: |
||
| Source: |
API call chain: |
||
| Source: |
Code function: |
1_2_0102457B | |
| Source: |
Code function: |
1_2_007F061D | |
| Source: |
Code function: |
1_2_007F06F7 | |
| Source: |
Code function: |
1_2_007F0772 | |
| Source: |
Code function: |
1_2_007F0736 | |
| Source: |
Code function: |
1_2_007F03F8 | |
| Source: |
Code function: |
1_2_01024395 | |
| Source: |
Code function: |
0_2_00405DDA | |
| Source: |
Code function: |
1_2_0102538A | |
| Source: |
Code function: |
1_2_010214BB | |
| Source: |
Code function: |
1_2_010214EC | |
| Source: |
Process created: |
Jump to behavior | ||
| Source: |
Code function: |
1_2_0101FE73 | |
| Source: |
Code function: |
1_2_01020FE8 | |
Stealing of Sensitive Information |
|
|---|
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
Remote Access Functionality |
|
|---|
| Source: |
File source: |
||
| Source: |
File source: |
||
| Source: |
File source: |
||
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
⊘No contacted IP infos
Contacted URLs
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| true |
|
low |