Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Overview
General Information
Detection
FormBook
| Score | Range | Whitelisted | Confidence |
|---|---|---|---|
| 100 | 0 - 100 | false | 100% |
Signatures
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe (PID: 5808, cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, MD5: 630FFD21C1DE8A583A4E1627B8AC6534)
  - powershell.exe (PID: 1436, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\owFIYUUG.exe", MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    - conhost.exe (PID: 3492, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - schtasks.exe (PID: 1092, cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp", MD5: 15FF7D8324231381BAD48A052F85DF04)
    - conhost.exe (PID: 2960, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe (PID: 1044, cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, MD5: 630FFD21C1DE8A583A4E1627B8AC6534)
- owFIYUUG.exe (PID: 5580, cmdline: C:\Users\user\AppData\Roaming\owFIYUUG.exe, MD5: 630FFD21C1DE8A583A4E1627B8AC6534)
  - schtasks.exe (PID: 2204, cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmp2BCB.tmp", MD5: 15FF7D8324231381BAD48A052F85DF04)
    - conhost.exe (PID: 2940, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - owFIYUUG.exe (PID: 4764, cmdline: C:\Users\user\AppData\Roaming\owFIYUUG.exe, MD5: 630FFD21C1DE8A583A4E1627B8AC6534)
- explorer.exe (PID: 3324, cmdline: C:\Windows\Explorer.EXE, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  - msiexec.exe (PID: 5544, cmdline: C:\Windows\SysWOW64\msiexec.exe, MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    - cmd.exe (PID: 1380, cmdline: /c del "C:\Users\user\AppData\Roaming\owFIYUUG.exe", MD5: F3BDBE3BB6F734E357235F4D5898582D)
      - conhost.exe (PID: 3492, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
{"C2 list": ["www.shinecleaningasheville.com/f9r5/"], "decoy": ["teknotimur.com", "zuliboo.com", "remmingtoncampbell.com", "vehicletitleloansphoenix.com", "sen-computer.com", "98731.biz", "shelikesblu.com", "canis-totem.com", "metaversemedianetwork.com", "adsdu.com", "vanishmediasystems.com", "astewaykebede.com", "wszhongxue.com", "gacha-animator-free.com", "papatyadekorasyon.com", "mqc168.top", "simplebrilliantsolutions.com", "jubileehawkesprairie.com", "ridflab.com", "conboysfilm.com", "iseemerit.world", "airhbb.com", "haveyourshare.com", "qcstcsz.com", "attorneykarinaramirez.com", "patriziabartelle.com", "dcc.coop", "hdzz.top", "treesandstarsoracle.com", "rebarunikont.com", "achivego.site", "baipiao100.com", "menslibwrty.com", "insulationtraining.online", "horseflix.club", "suxyqyu.xyz", "sqoki.com", "ffbsjhvbsjhbvsajv.xyz", "beapest.cfd", "4892166.com", "dvdmediastar.com", "hotwomensearching4u.site", "cupompetlover.com", "terrapretasales.com", "joinsequene.com", "powerkitap.com", "jonjene.com", "wqcwgl.com", "utahexotics.com", "ballerboutique.com", "cftronline.com", "gettidaladvance.site", "anagladstonedesign.com", "bunsi-figura.store", "ttvip-13.net", "cmjysx-uqps.website", "ifealafia.com", "carlospainter.com", "elitetrio.xyz", "inggridangelia.com", "leporebaq.com", "youpinhang.com", "palm3d.net", "wo567567.com"]}
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
| | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | |
| | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
| | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen | |
| | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | |
Persistence and Installation Behavior
No Snort rule has matched
AV Detection
Networking