Windows
Analysis Report
f2wWJWlU2B.exe
Overview
General Information
Sample Name: f2wWJWlU2B.exe
Original Sample Name: 86aa79c05ad10f311c2c4d97ddc40d8fb048d25271d68387608aff6600bb5ac4.exe
Analysis ID: 841050
MD5: 0b0596f72accd0b8b6883ffd1ef44d19
SHA1: 893932aa47cbf2d9e502a0edba41d44bf8d1c5a8
SHA256: 86aa79c05ad10f311c2c4d97ddc40d8fb048d25271d68387608aff6600bb5ac4
Tags: exe, Formbook
Detection
Clipboard Hijacker, Stealerium
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Yara detected Stealerium
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Yara detected Clipboard Hijacker
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
.NET source code references suspicious native API functions
Yara detected Costura Assembly Loader
Contains functionality to log keystrokes (.Net Source)
Tries to harvest and steal WLAN passwords
Modifies existing user documents (likely ransomware behavior)
May check the online IP address of the machine
.NET source code contains potential unpacker
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Checks if the current process is being debugged
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
- System is w10x64
- f2wWJWlU2B.exe (PID: 3616, cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe, MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
- f2wWJWlU2B.exe (PID: 2992, cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe, MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
- f2wWJWlU2B.exe (PID: 6628, cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe, MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
- f2wWJWlU2B.exe (PID: 6632, cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe, MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
- f2wWJWlU2B.exe (PID: 6648, cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe, MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
- f2wWJWlU2B.exe (PID: 1876, cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe, MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
- cmd.exe (PID: 6284, cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 1248, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - chcp.com (PID: 6652, cmdline: chcp 65001, MD5: 561054CF9C4B2897E80D7E7D9027FED9)
  - netsh.exe (PID: 2344, cmdline: netsh wlan show profile, MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
  - findstr.exe (PID: 6512, cmdline: findstr All, MD5: 8B534A7FC0630DE41BB1F98C882C19EC)
- cmd.exe (PID: 4728, cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid, MD5: F3BDBE3BB6F734E357235F4D5898582D)
  - conhost.exe (PID: 4416, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
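The process tree above is the standard Wi-Fi harvesting sequence used by .NET stealers: `chcp 65001` switches the console to UTF-8 so non-ASCII SSIDs survive the pipe, `netsh wlan show profile | findstr All` pulls the "All User Profile" lines to enumerate saved networks, and `netsh wlan show networks mode=bssid` surveys nearby access points (useful for geolocating the victim). Note that despite the signature wording "Uses netsh to modify the Windows network and firewall settings", both netsh invocations visible here only read data. The detection below is an added example written for this report, not code from the sandbox vendor or from the sample; it runs over constructed Sysmon Event ID 1-style records modelled on the tree (PIDs and images taken from the report, the `key=clear` follow-on and the two benign events are assumed for illustration) and flags the per-event indicators plus the parent that chains them:

```python
"""Detection logic for netsh-based Wi-Fi credential harvesting.

Added example: flags the `netsh wlan show profile` / `netsh wlan show
networks mode=bssid` chain seen in the sandbox process tree, plus the
`key=clear` follow-on that actually exposes the pre-shared key.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / 4688 shape)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records modelled on the report's process tree. PIDs 3616, 6284,
# 6652, 2344, 6512 and 4728 come from the report; the key=clear event and the
# two benign events at the end are assumptions added for the example.
SAMPLE_EVENTS = [
    ProcEvent(3616, 1000, r"C:\Users\user\Desktop\f2wWJWlU2B.exe",
              r"C:\Users\user\Desktop\f2wWJWlU2B.exe"),
    ProcEvent(6284, 3616, r"C:\Windows\System32\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(6652, 6284, r"C:\Windows\System32\chcp.com", "chcp 65001"),
    ProcEvent(2344, 6284, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
    ProcEvent(6512, 6284, r"C:\Windows\System32\findstr.exe", "findstr All"),
    ProcEvent(4728, 3616, r"C:\Windows\System32\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    # Assumed follow-on (not shown in this section): cleartext PSK retrieval.
    ProcEvent(7001, 3616, r"C:\Windows\System32\netsh.exe",
              'netsh wlan show profile name="HomeWiFi" key=clear'),
    # Assumed benign admin activity that must not fire.
    ProcEvent(8100, 900, r"C:\Windows\System32\netsh.exe", "netsh interface ipv4 show config"),
    ProcEvent(8200, 900, r"C:\Windows\System32\cmd.exe", '"cmd.exe" /C chcp 65001 && dir'),
]

# Rules are tried in order; the first match wins, so the most specific
# (cleartext key retrieval) is listed before plain profile enumeration.
RULES = (
    ("wlan_key_clear", "high",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\bwlan\b.*\bshow\b.*\bprofiles?\b.*\bkey=clear\b")),
    ("wlan_profile_enum", "medium",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\bwlan\b.*\bshow\b.*\bprofiles?\b")),
    ("wlan_bssid_survey", "medium",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\bwlan\b.*\bshow\b.*\bnetworks?\b.*\bmode=bssid\b")),
)

_WS = re.compile(r"\s+")


def normalize(cmdline: str) -> str:
    """Collapse whitespace and lowercase so spacing/casing tricks do not evade the rules."""
    return _WS.sub(" ", cmdline).strip().lower()


def match_event(ev: ProcEvent):
    """Return (rule_name, severity) for the first matching rule, or None."""
    cmd = normalize(ev.cmdline)
    for name, severity, pattern in RULES:
        if pattern.search(cmd):
            return name, severity
    return None


def detect(events):
    """Per-event hits as (pid, rule_name, severity), in input order."""
    hits = []
    for ev in events:
        m = match_event(ev)
        if m:
            hits.append((ev.pid, m[0], m[1]))
    return hits


def correlate(events, min_distinct=2):
    """Group hits by parent PID. A parent whose children trip at least
    min_distinct different wlan rules is reported as a harvesting chain;
    a lone `netsh wlan show profile` from a help-desk session is not."""
    by_parent = defaultdict(set)
    for ev in events:
        m = match_event(ev)
        if m:
            by_parent[ev.ppid].add(m[0])
    return {ppid: sorted(rules) for ppid, rules in by_parent.items()
            if len(rules) >= min_distinct}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("hit:", hit)
    for ppid, rules in correlate(SAMPLE_EVENTS).items():
        print(f"harvesting chain under parent PID {ppid}: {rules}")
```

Two caveats for turning this into a production rule: netsh accepts unambiguous abbreviations (`netsh wlan sh pro` works), so the keyword regexes should also accept prefixes, and the chain correlation keys on the direct parent, so the `cmd.exe` wrapper is what carries the netsh command line for PID 3616 while the `netsh.exe` grandchild is attributed to the shell; both views are kept on purpose so that either the wrapper or the child process alone still produces a hit.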