
Windows Analysis Report
PrWP76ejHO.exe

Overview

General Information

Sample Name: PrWP76ejHO.exe
Analysis ID: 756343
MD5: db102a67350060a1e967aef81118f18d
SHA1: a3131a3df17a154e41c09973ca8a9aabac29929e
SHA256: 98420cf47e19574739cff3f1f74bd3c6c70e103d0b28040b64fd3c77588c7ee7
Tags: 32, exe, Formbook, trojan

Detection

Verdict: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • PrWP76ejHO.exe (PID: 1832 cmdline: C:\Users\user\Desktop\PrWP76ejHO.exe MD5: DB102A67350060A1E967AEF81118F18D)
    • iscan.exe (PID: 1764 cmdline: "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • iscan.exe (PID: 5188 cmdline: "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)
        • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • iijhlev.exe (PID: 4468 cmdline: "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)
            • conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • WerFault.exe (PID: 5096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 452 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • iijhlev.exe (PID: 4864 cmdline: "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)
            • conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • WerFault.exe (PID: 2436 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 420 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • ipconfig.exe (PID: 1916 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
  • cleanup
Malware Configuration

{"C2 list": ["www.fedefarmatour.online/dwdp/"]}

Yara Overview (memory dumps)

Source | Rule | Description | Author | Strings
  • 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
  • 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x7d38:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x209e7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xc0c6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x1960e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  • 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x1940c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x18eb8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x1950e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x19686:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xbc91:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x18103:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1f62e:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x20751:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x1b910:$sqlite3step: 68 34 1C 7B E1
    • 0x1c488:$sqlite3step: 68 34 1C 7B E1
    • 0x1b952:$sqlite3text: 68 38 2A 90 C5
    • 0x1c4cd:$sqlite3text: 68 38 2A 90 C5
    • 0x1b969:$sqlite3blob: 68 53 D8 7F 8C
    • 0x1c4e3:$sqlite3blob: 68 53 D8 7F 8C
  • 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
Yara Overview (unpacked PEs)

Source | Rule | Description | Author | Strings
  • 3.2.iscan.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
  • 3.2.iscan.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x6f38:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1fbe7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xb2c6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x1880e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  • 3.2.iscan.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x1860c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x180b8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x1870e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x18886:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xae91:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x17303:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1e82e:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1f951:$sequence_9: 56 68 03 01 00 00