
Windows Analysis Report
f2wWJWlU2B.exe

Overview

General Information

Sample Name: f2wWJWlU2B.exe
Original Sample Name: 86aa79c05ad10f311c2c4d97ddc40d8fb048d25271d68387608aff6600bb5ac4.exe
Analysis ID: 841050
MD5: 0b0596f72accd0b8b6883ffd1ef44d19
SHA1: 893932aa47cbf2d9e502a0edba41d44bf8d1c5a8
SHA256: 86aa79c05ad10f311c2c4d97ddc40d8fb048d25271d68387608aff6600bb5ac4
Tags: exe, Formbook

Detection

Clipboard Hijacker, Stealerium
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Stealerium
Malicious sample detected (through community Yara rule)
Sigma detected: Capture Wi-Fi password
Yara detected Clipboard Hijacker
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
.NET source code references suspicious native API functions
Yara detected Costura Assembly Loader
Contains functionality to log keystrokes (.Net Source)
Tries to harvest and steal WLAN passwords
Modifies existing user documents (likely ransomware behavior)
May check the online IP address of the machine
.NET source code contains potential unpacker
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Checks if the current process is being debugged
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • f2wWJWlU2B.exe (PID: 3616 cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
    • f2wWJWlU2B.exe (PID: 2992 cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
    • f2wWJWlU2B.exe (PID: 6628 cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
    • f2wWJWlU2B.exe (PID: 6632 cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
    • f2wWJWlU2B.exe (PID: 6648 cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
    • f2wWJWlU2B.exe (PID: 1876 cmdline: C:\Users\user\Desktop\f2wWJWlU2B.exe MD5: 0B0596F72ACCD0B8B6883FFD1EF44D19)
      • cmd.exe (PID: 6284 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • chcp.com (PID: 6652 cmdline: chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9)
        • netsh.exe (PID: 2344 cmdline: netsh wlan show profile MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
        • findstr.exe (PID: 6512 cmdline: findstr All MD5: 8B534A7FC0630DE41BB1F98C882C19EC)
      • cmd.exe (PID: 4728 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
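The process tree above is the concrete behaviour behind the "Sigma detected: Capture Wi-Fi password" and "Tries to harvest and steal WLAN passwords" signatures: the stealer spawns cmd.exe, switches the console code page to UTF-8 with chcp 65001 (so it can parse the output reliably), then runs netsh wlan show profile (and netsh wlan show networks mode=bssid for the surrounding access points). The following detection logic is an added example, not code from Joe Sandbox or from the sample. It runs over constructed process-creation records modelled on the PIDs and command lines shown in the tree (the ProcEvent fields, the benign netsh event and the key=clear event are assumptions for illustration; the report only shows the profile-listing step), and escalates severity when the netsh parent is a cmd.exe that did the chcp 65001 switch or when the first non-shell ancestor runs from a user-writable path.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names are an assumption, not a Sysmon/4688 schema)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the sandbox process tree; not sandbox output.
SAMPLE_EVENTS = [
    ProcEvent(1876, 3616, r"C:\Users\user\Desktop\f2wWJWlU2B.exe", r"C:\Users\user\Desktop\f2wWJWlU2B.exe"),
    ProcEvent(6284, 1876, r"C:\Windows\System32\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(2344, 6284, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
    ProcEvent(6512, 6284, r"C:\Windows\System32\findstr.exe", "findstr All"),
    ProcEvent(4728, 1876, r"C:\Windows\System32\cmd.exe",
              '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(9001, 4728, r"C:\Windows\System32\netsh.exe", "netsh wlan show networks mode=bssid"),
    # Constructed: the follow-up step that actually dumps a key (not shown in the report tree).
    ProcEvent(9002, 4728, r"C:\Windows\System32\netsh.exe",
              'netsh wlan show profile name="HomeWiFi" key=clear'),
    # Constructed benign control: an admin querying IP config from an unrelated parent.
    ProcEvent(7000, 500, r"C:\Windows\System32\netsh.exe", "netsh interface ip show config"),
]

# Rules keyed on the netsh command line, in increasing order of what they reveal.
NETSH_WLAN_RULES = {
    "wlan_profile_list": re.compile(r"\bwlan\s+show\s+profiles?\b", re.I),
    "wlan_network_scan": re.compile(r"\bwlan\s+show\s+networks\b", re.I),
    "wlan_profile_key_clear": re.compile(r"\bwlan\s+show\s+profiles?\b.*\bkey\s*=\s*clear\b", re.I),
}
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Desktop|Downloads|AppData)|Temp|ProgramData)\\", re.I)


def detect_wlan_harvest(events):
    """Return one finding per netsh.exe process whose command line enumerates WLAN data."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\netsh.exe"):
            continue
        matched = [name for name, rx in NETSH_WLAN_RULES.items() if rx.search(e.cmdline)]
        if not matched:
            continue
        severity = "medium"  # interactive troubleshooting also runs these commands
        parent = by_pid.get(e.ppid)
        # Walk past cmd/powershell wrappers to the process that actually asked for the data.
        origin = parent
        while origin is not None and origin.image.lower().endswith(SHELLS):
            origin = by_pid.get(origin.ppid)
        # chcp 65001 before netsh is the tell-tale of output meant to be parsed, not read.
        if parent is not None and "chcp 65001" in parent.cmdline.lower():
            severity = "high"
        if origin is not None and USER_WRITABLE.search(origin.image):
            severity = "high"
        if "wlan_profile_key_clear" in matched:
            severity = "critical"  # a pre-shared key is being written to stdout
        findings.append({
            "pid": e.pid,
            "rules": matched,
            "severity": severity,
            "origin": origin.image if origin is not None else None,
        })
    return findings


if __name__ == "__main__":
    for f in detect_wlan_harvest(SAMPLE_EVENTS):
        print(f"{f['severity']:8} pid={f['pid']} rules={','.join(f['rules'])} origin={f['origin']}")
```

Resolving the origin process rather than alerting on netsh.exe alone is what separates this from a noisy "any netsh wlan" rule: the benign control event produces no finding, while every netsh spawned under the Desktop binary is attributed back to f2wWJWlU2B.exe, which is the process an incident responder needs to isolate and image.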