Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Analysis ID:755940
MD5:55d6460392408d1325c18b69a91c28e3
SHA1:405847d03be406a0025eda76852dfd46420a8d7a
SHA256:d1e9780a620ddf149c2aed319388bca7ed690c2a58c9ffc8f60b1c4515115dc9
Tags:exe

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sigma detected: Scheduled temp file as task from temp location
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe (PID: 3292 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe MD5: 55D6460392408D1325C18B69A91C28E3)
    • powershell.exe (PID: 1012 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5356 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • FqJXaFxwEj.exe (PID: 5516 cmdline: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe MD5: 55D6460392408D1325C18B69A91C28E3)
    • schtasks.exe (PID: 5080 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp8C7A.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • FqJXaFxwEj.exe (PID: 5108 cmdline: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe MD5: 55D6460392408D1325C18B69A91C28E3)
    • FqJXaFxwEj.exe (PID: 4460 cmdline: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe MD5: 55D6460392408D1325C18B69A91C28E3)
      • explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 3628 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup
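The process tree above shows the two host-side actions that the "Adds a directory exclusion to Windows Defender" and "Sigma detected: Scheduled temp file as task from temp location" signatures fire on: powershell.exe running Add-MpPreference -ExclusionPath against the sample and its dropped copy, and schtasks.exe importing a task from a tmp*.tmp XML file under %LOCALAPPDATA%\Temp. The following is an added example, not part of the Joe Sandbox report: it runs equivalent detection logic over process-creation events. The flagged command lines are copied from the tree; the benign events, the rule names and the "exe launched from %APPDATA%" heuristic are constructed here, and the -ExclusionProcess/-ExclusionExtension alternatives are the cmdlet's sibling parameters rather than anything observed in this report.

```python
import re
from typing import Dict, List, Tuple

# Process-creation events to scan. The first three command lines are the
# ones from the report's process tree; the last two are constructed benign
# events so the rules can be shown not to fire on them.
EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp"'},
    {"image": r"C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup" /TR "C:\Program Files\Backup\run.exe" /SC DAILY'},
]

# Add-MpPreference followed by any exclusion parameter. Only -ExclusionPath
# occurs in this report; -ExclusionProcess and -ExclusionExtension are the
# cmdlet's other exclusion parameters and are covered for completeness.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)

# schtasks /Create whose /XML argument points below %LOCALAPPDATA%\Temp.
SCHTASKS_XML_FROM_TEMP = re.compile(
    r'/xml\s+"?[^"]*\\AppData\\Local\\Temp\\', re.I)

# Executable started directly from %APPDATA% (where the dropped copy lives
# in this report). Added heuristic, not one of the report's signatures.
EXE_FROM_APPDATA = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules that match one process-creation event."""
    findings: List[str] = []
    image, cmd = basename(event["image"]), event["cmdline"]
    if image == "powershell.exe" and DEFENDER_EXCLUSION.search(cmd):
        findings.append("defender_exclusion_added")
    if (image == "schtasks.exe" and "/create" in cmd.lower()
            and SCHTASKS_XML_FROM_TEMP.search(cmd)):
        findings.append("scheduled_task_from_temp_xml")
    if EXE_FROM_APPDATA.search(event["image"]):
        findings.append("exe_run_from_appdata_roaming")
    return findings


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every match across a list of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


if __name__ == "__main__":
    for idx, rule in scan_events(EVENTS):
        print(f"event {idx}: {rule}: {EVENTS[idx]['cmdline']}")
```

The image check is on the file name only, so a renamed copy of schtasks.exe or powershell.exe is not caught by these rules; on a real host pair them with the OriginalFileName field from the PE version info (Sysmon and Defender for Endpoint both log it) rather than the on-disk name.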
Malware Configuration

{"C2 list": ["www.madamkikkiey.net/n2hm/"]}
Yara matches (Source / Rule / Description / Author / Strings)

Source: 00000007.00000002.390890604.00000000030C0000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AntiVM_3
Description: Yara detected AntiVM_3
Author: Joe Security

Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x102a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x8ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x8781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x8dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x8f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x79cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xeef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1000a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0xb1d9:$sqlite3step: 68 34 1C 7B E1
  • 0xbd51:$sqlite3step: 68 34 1C 7B E1
  • 0xb21b:$sqlite3text: 68 38 2A 90 C5
  • 0xbd96:$sqlite3text: 68 38 2A 90 C5
  • 0xb232:$sqlite3blob: 68 53 D8 7F 8C
  • 0xbdac:$sqlite3blob: 68 53 D8 7F 8C
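Each of the JPCERT/CC strings is a five-byte x86 `push imm32` (opcode 0x68 followed by a little-endian dword), and each matched twice in the same dump, which is what one expects from constants that are referenced from more than one code path. The string names say these are sqlite3-related (consistent with the "Tries to harvest and steal browser information" signature, since browser credential stores are SQLite databases), but the page does not show how the immediates are derived, so treat them as opaque constants. The following is an added example, not part of the report or of any of the listed Yara rules: a stand-alone scanner that searches a memory dump for the patterns quoted above, decodes the push immediates, and applies an all-three-present condition. That condition, the 0xCC filler and the planted offsets in the constructed sample buffer are assumptions; the JPCERT rule's real condition is not reproduced on the page.

```python
import struct
import sys
from typing import Dict, List

# Byte patterns copied from the Yara matches listed above; keys are the
# rules' own string identifiers.
PATTERNS: Dict[str, bytes] = {
    # JPCERT/CC "Formbook" rule: each is an x86 `push imm32` (opcode 0x68).
    "sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
    # Windows_Trojan_Formbook_1112e116 rule, string $a4.
    "a4": bytes.fromhex("04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83"),
}


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every (possibly overlapping) offset at which needle occurs in buf."""
    hits: List[int] = []
    start = 0
    while (idx := buf.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan(buf: bytes) -> Dict[str, List[int]]:
    """Offsets of every pattern, keyed by string name (empty list = no hit)."""
    return {name: find_all(buf, pat) for name, pat in PATTERNS.items()}


def push_imm32(insn: bytes) -> int:
    """Decode a 5-byte `push imm32` and return the little-endian immediate."""
    if len(insn) != 5 or insn[0] != 0x68:
        raise ValueError("not a push imm32 instruction")
    return struct.unpack("<I", insn[1:])[0]


def looks_like_formbook(hits: Dict[str, List[int]]) -> bool:
    """Assumed condition: all three sqlite3 constants present. The actual
    JPCERT rule condition is not shown on the page."""
    return all(hits[name] for name in ("sqlite3step", "sqlite3text", "sqlite3blob"))


def build_sample() -> bytes:
    """Constructed stand-in for a memory dump: 0xCC filler with the three
    JPCERT patterns planted at chosen offsets, one of them twice."""
    buf = bytearray(b"\xCC" * 0x200)
    for off, name in ((0x10, "sqlite3step"), (0x52, "sqlite3text"),
                      (0x69, "sqlite3blob"), (0x180, "sqlite3step")):
        buf[off:off + 5] = PATTERNS[name]
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python scan.py <dump.bin>; with no argument the constructed
    # sample buffer is scanned instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    results = scan(data)
    for name, offsets in results.items():
        pat = PATTERNS[name]
        decoded = f"  push 0x{push_imm32(pat):08X}" if len(pat) == 5 and pat[0] == 0x68 else ""
        for off in offsets:
            print(f"0x{off:x}: ${name}{decoded}")
    print("formbook-like:", looks_like_formbook(results))
```

Run it against the process memory dump a sandbox or a live-response tool hands you (for this report that would be the 0000000E.…D8E1000 region listed above), not the file on disk: the sample is packed by a crypter, so these constants are only present in the unpacked payload after injection, which is also why the Yara hits in the report are against .sdmp memory regions rather than the submitted executable.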