Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe
Analysis ID:755939
MD5:f536ea8fb5b6586bb2ffc764cd52abff
SHA1:313804060f2511b8382d369a3949d5524c1adaef
SHA256:e539f80082f961c600e6ff2a21e969d0641aa787831259d3fdd772b28d469721
Tags:exe
Infos:

Detection

DBatLoader, FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected DBatLoader
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
WScript reads language and country specific registry keys (likely country aware script)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe (PID: 6024 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe MD5: F536EA8FB5B6586BB2FFC764CD52ABFF)
    • wscript.exe (PID: 5988 cmdline: C:\Windows\System32\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Iuigzwjd.exe (PID: 3208 cmdline: "C:\Users\Public\Libraries\Iuigzwjd.exe" MD5: F536EA8FB5B6586BB2FFC764CD52ABFF)
          • wscript.exe (PID: 1264 cmdline: C:\Windows\System32\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • Iuigzwjd.exe (PID: 1848 cmdline: "C:\Users\Public\Libraries\Iuigzwjd.exe" MD5: F536EA8FB5B6586BB2FFC764CD52ABFF)
          • wscript.exe (PID: 5044 cmdline: C:\Windows\System32\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.brainbookgroup.com/nvp4/"]}

Threatname: DBatLoader

{"Download Url": "https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21850&authkey=AEcOcvbyHqeCMT0"}

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\Public\Libraries\djwzgiuI.urlMethodology_Shortcut_HotKeyDetects possible shortcut usage for .URL persistence@itsreallynick (Nick Carr)
  • 0x58:$hotkey: \x0AHotKey=7
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\Public\Libraries\djwzgiuI.urlMethodology_Contains_Shortcut_OtherURIhandlersDetects possible shortcut usage for .URL persistence@itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x7d58:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x20787:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xc026:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x1954e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
    00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x1934c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x18df8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x1944e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x195c6:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xbbf1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x18043:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1f4fe:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x204f1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x1b820:$sqlite3step: 68 34 1C 7B E1
    • 0x1c398:$sqlite3step: 68 34 1C 7B E1
    • 0x1b862:$sqlite3text: 68 38 2A 90 C5
    • 0x1c3dd:$sqlite3text: 68 38 2A 90 C5
    • 0x1b879:$sqlite3blob: 68 53 D8 7F 8C
    • 0x1c3f3:$sqlite3blob: 68 53 D8 7F 8C
    00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      Click to see the 6 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2720000.2.unpackJoeSecurity_DBatLoaderYara detected DBatLoaderJoe Security
        0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2a2eed8.3.unpackJoeSecurity_DBatLoaderYara detected DBatLoaderJoe Security
          1.2.wscript.exe.10410000.3.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
            1.2.wscript.exe.10410000.3.raw.unpackWindows_Trojan_Formbook_1112e116unknownunknown
            • 0x7d58:$a1: 3C 30 50 4F 53 54 74 09 40
            • 0x20787:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
            • 0xc026:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
            • 0x1954e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
            1.2.wscript.exe.10410000.3.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
            • 0x1934c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x18df8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x1944e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x195c6:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0xbbf1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x18043:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0x1f4fe:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x204f1:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
            Click to see the 6 entries

            Sigma Signatures

            No Sigma rule has matched

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for submitted file
            Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exeReversingLabs: Detection: 15%
            Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exeVirustotal: Detection: 30%Perma Link
            Yara detected FormBook
            Source: Yara matchFile source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Antivirus / Scanner detection for submitted sample
            Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exeAvira: detected
            Antivirus detection for dropped file
            Source: C:\Users\Public\Libraries\Iuigzwjd.exeAvira: detection malicious, Label: HEUR/AGEN.1214697
            Multi AV Scanner detection for dropped file
            Source: C:\Users\Public\Libraries\Iuigzwjd.exeReversingLabs: Detection: 15%
            Machine Learning detection for sample
            Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exeJoe Sandbox ML: detected
            Machine Learning detection for dropped file
            Source: C:\Users\Public\Libraries\Iuigzwjd.exeJoe Sandbox ML: detected
            Source: 0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2581218.0.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2720000.2.unpackAvira: Label: TR/Hijacker.Gen
            Source: 0.2.SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exe.2a2eed8.3.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exeMalware Configuration Extractor: DBatLoader {"Download Url": "https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21850&authkey=AEcOcvbyHqeCMT0"}
            Source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.brainbookgroup.com/nvp4/"]}
            Source: SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: unknownHTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49694 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.3:49695 version: TLS 1.2
            Source: Binary string: explorer.pdbUGP source: wscript.exe, 00000001.00000002.572034695.0000000005D50000.00000040.00000001.00040000.00000000.sdmp
            Source: Binary string: wscript.pdbGCTL source: explorer.exe, 00000002.00000002.591545525.0000000015563000.00000004.00000001.00040000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: wscript.exe, 00000001.00000003.277522589.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.279077303.0000000004EBD000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: wscript.exe, wscript.exe, 00000001.00000003.277522589.0000000004D22000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.279077303.0000000004EBD000.00000004.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.566831763.0000000005920000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.569256565.0000000005A3F000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wscript.pdb source: explorer.exe, 00000002.00000002.591545525.0000000015563000.00000004.00000001.00040000.00000000.sdmp
            Source: Binary string: explorer.pdb source: wscript.exe, 00000001.00000002.572034695.0000000005D50000.00000040.00000001.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exeCode function: 0_2_02725B48 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,0_2_02725B48

            Networking

            barindex
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: www.brainbookgroup.com/nvp4/
            Source: Malware configuration extractorURLs: https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21850&authkey=AEcOcvbyHqeCMT0
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: Joe Sandbox ViewIP Address: 13.107.43.12 13.107.43.12
            Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
            Source: unknownNetwork traffic detected: HTTP traffic on port 49694 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
            Source: explorer.exe, 00000002.00000000.328190890.000000000F270000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: unknownDNS traffic detected: queries for: onedrive.live.com
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-gen.31819.28757.exeCode function: 0_2_02738CBC InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,0_2_02738CBC
            Source: global trafficHTTP traffic detected: GET /download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21850&authkey=AEcOcvbyHqeCMT0 HTTP/1.1User-Agent: 70Host: onedrive.live.com
            Source: global trafficHTTP traffic detected: GET /y4mJr27PXKP1w7VmweyBhr9jXuXcCKUmjp-l0AjYgYvmFILscr-gs1ZCYQgPakl85NdXiyluyI2K__n-DTHXtIuKBfix9QJgWA8xZXLmTFKCzO-QrrlJfjFNlxYKvj4CV1InzMNLAsu2pDihkqbVzbigQu3lZ2fbCWy9RogAq5NxzuJ1VRoowitd9q4QmyU6H1eR5JdbJA1JsNbjwDPqFHy3g/Iuigzwjduoa?download&psid=1 HTTP/1.1User-Agent: 70Host: oyuurg.ph.files.1drv.comConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 13.107.43.13:443 -> 192.168.2.3:49694 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 13.107.43.12:443 -> 192.168.2.3:49695 version: TLS 1.2

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 1.2.wscript.exe.10410000.3.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.wscript.exe.10410000.3.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000001.00000002.576405249.0000000010410000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.564946662.0000000004830000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary