Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
U8RYIwIvfK.exe

Overview

General Information

Sample Name:U8RYIwIvfK.exe
Analysis ID:736964
MD5:6f53598b9c19b30a0cf3ff0432301708
SHA1:4bd8e67e468adfbfddd9e5a1e47fdf318bf9a31b
SHA256:6d3397c687aea5017b90a5e96adc6fbfb0429d56a8b2ead1f1d4273994952379
Tags:exeFormbook
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory in foreign processes
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to communicate with device drivers
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • U8RYIwIvfK.exe (PID: 5840 cmdline: C:\Users\user\Desktop\U8RYIwIvfK.exe MD5: 6F53598B9C19B30A0CF3FF0432301708)
    • aspnet_compiler.exe (PID: 5140 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • aspnet_compiler.exe (PID: 6124 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • aspnet_compiler.exe (PID: 6120 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 5916 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 4120 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ept-egy.com/zx85/"], "decoy": ["myclassly.com", "rilcon.xyz", "miracleun.shop", "gadgetward-usa.com", "farmaacademy.com", "dreamsolutions.group", "fffood.online", "ziggnl.site", "cherpol.com", "imprescriptible-tienoscope.biz", "yztc.fun", "chicagonftweek.com", "zz0659.com", "hznaixi.com", "027-seo.net", "korlekded.com", "gelatoitaly.com", "finlitguru.com", "gupingapp.com", "manmakecoffee.com", "yuanwei.lol", "cargovoyager.com", "getjobzz.com", "dagatructiephd.com", "mynab.mobi", "masteralbert.com", "rtugwmt0cs.vip", "uscanvas.net", "nocrytech.com", "canadaroi.com", "archivegamer.com", "crossinspectionservices.com", "dxxws.com", "rufflyfedogtraining.com", "prgrn.dev", "bwdcourses.com", "criptomexico.com", "elisabethingram.online", "drationa.shop", "pulsarthermalscope.shop", "grcpp8vyuk.vip", "sh-whyyl.com", "in-cdn.xyz", "aquatabdouro.online", "handsomeshooterjewelry.com", "erug.store", "trueimpact.studio", "taskalso.com", "dzslqdz.xyz", "barbushing.com", "freightxpert.com", "777703.xyz", "bradysproducts.com", "teensforcp.site", "gpssystemecuador.com", "luxslides.com", "sony8ktv.monster", "baxiservisim.xyz", "lojascacau.com", "sfanci.com", "magdrade.com", "jobreadyfresher.com", "dori-maniacs.com", "mercydm.mobi"]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x5251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1bbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x99bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x148a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
    00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x958a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x17839:$sqlite3step: 68 34 1C 7B E1
    • 0x1794c:$sqlite3step: 68 34 1C 7B E1
    • 0x17868:$sqlite3text: 68 38 2A 90 C5
    • 0x1798d:$sqlite3text: 68 38 2A 90 C5
    • 0x1787b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x179a3:$sqlite3blob: 68 53 D8 7F 8C
    0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      Click to see the 26 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      3.0.aspnet_compiler.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        3.0.aspnet_compiler.exe.400000.0.unpackWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
        • 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        • 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
        3.0.aspnet_compiler.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        3.0.aspnet_compiler.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x17a39:$sqlite3step: 68 34 1C 7B E1
        • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a68:$sqlite3text: 68 38 2A 90 C5
        • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
        • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C

        Sigma Signatures

        No Sigma rule has matched

        Snort Signatures

        Timestamp:50.115.174.192192.168.2.6443497042018856 11/03/22-12:39:59.450093
        SID:2018856
        Source Port:443
        Destination Port:49704
        Protocol:TCP
        Classtype:A Network Trojan was detected
        Timestamp:192.168.2.68.8.8.859575532012811 11/03/22-12:39:56.025984
        SID:2012811
        Source Port:59575
        Destination Port:53
        Protocol:UDP
        Classtype:Potentially Bad Traffic

        Joe Sandbox Signatures

        Click to jump to signature section

        Show All Signature Results

        AV Detection

        barindex
        Multi AV Scanner detection for submitted file
        Source: U8RYIwIvfK.exeReversingLabs: Detection: 43%
        Source: U8RYIwIvfK.exeVirustotal: Detection: 38%Perma Link
        Yara detected FormBook
        Source: Yara matchFile source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Antivirus detection for URL or domain
        Source: https://tgc8x.tk/tt/ptrr.txtAvira URL Cloud: Label: phishing
        Source: https://tgc8x.tk/tt/BLACKDEV.txtAvira URL Cloud: Label: phishing
        Multi AV Scanner detection for domain / URL
        Source: tgc8x.tkVirustotal: Detection: 5%Perma Link
        Source: https://tgc8x.tkVirustotal: Detection: 6%Perma Link
        Machine Learning detection for sample
        Source: U8RYIwIvfK.exeJoe Sandbox ML: detected