Edit tour
Windows
Analysis Report
shipping doc.exe
Overview
General Information
Detection
FormBook
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
- System is w10x64
- shipping doc.exe (PID: 2932 cmdline:
"C:\Users\ user\Deskt op\shippin g doc.exe" MD5: 7AD4C6133F4F75AE91BF07F65DC5F21A) - svchost.exe (PID: 3804 cmdline:
"C:\Users\ user\Deskt op\shippin g doc.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B) - explorer.exe (PID: 2580 cmdline:
C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) - help.exe (PID: 8076 cmdline:
"C:\Window s\SysWOW64 \help.exe" MD5: DD40774E56D4C44B81F2DFA059285E75) - cmd.exe (PID: 6528 cmdline:
/c del "C: \Windows\S ysWOW64\sv chost.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7128 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - chrome.exe (PID: 7344 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=gpu-pro cess --gpu -preferenc es=WAAAAAA AAADgAAAMA AAAAAAAAAA AAAAAAABgA AAAAAA4AAA AAAAAAAAAA AAEAAAAAAA AAAAAAAAAA AAAAAAAAAA AAAAAAAAAG AAAAAAAAAA YAAAAAAAAA AgAAAAAAAA ACAAAAAAAA AAIAAAAAAA AAA== --mo jo-platfor m-channel- handle=198 8 --field- trial-hand le=1992,i, 1068389556 1274057007 ,587839101 5423285478 ,262144 -- disable-fe atures=Opt imizationG uideModelD ownloading ,Optimizat ionHints,O ptimizatio nHintsFetc hing,Optim izationTar getPredict ion /prefe tch:2 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7408 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= storage.mo jom.Storag eService - -lang=en-U S --servic e-sandbox- type=servi ce --mojo- platform-c hannel-han dle=2548 - -field-tri al-handle= 1992,i,106 8389556127 4057007,58 7839101542 3285478,26 2144 --dis able-featu res=Optimi zationGuid eModelDown loading,Op timization Hints,Opti mizationHi ntsFetchin g,Optimiza tionTarget Prediction /prefetch :8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7468 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=rendere r --enable -chrome-ca rt --disab le-nacl -- first-rend erer-proce ss --lang= en-US --de vice-scale -factor=1 --num-rast er-threads =2 --enabl e-main-fra me-before- activation --rendere r-client-i d=6 --time -ticks-at- unix-epoch =-17147346 11839441 - -launch-ti me-ticks=1 82597864 - -mojo-plat form-chann el-handle= 3040 --fie ld-trial-h andle=1992 ,i,1068389 5561274057 007,587839 1015423285 478,262144 --disable -features= Optimizati onGuideMod elDownload ing,Optimi zationHint s,Optimiza tionHintsF etching,Op timization TargetPred iction /pr efetch:1 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7512 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=rendere r --enable -chrome-ca rt --disab le-nacl -- lang=en-US --device- scale-fact or=1 --num -raster-th reads=2 -- enable-mai n-frame-be fore-activ ation --re nderer-cli ent-id=5 - -time-tick s-at-unix- epoch=-171 4734611839 441 --laun ch-time-ti cks=182602 404 --mojo -platform- channel-ha ndle=3016 --field-tr ial-handle =1992,i,10 6838955612 74057007,5 8783910154 23285478,2 62144 --di sable-feat ures=Optim izationGui deModelDow nloading,O ptimizatio nHints,Opt imizationH intsFetchi ng,Optimiz ationTarge tPredictio n /prefetc h:1 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7588 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=rendere r --extens ion-proces s --enable -chrome-ca rt --disab le-nacl -- lang=en-US --device- scale-fact or=1 --num -raster-th reads=2 -- enable-mai n-frame-be fore-activ ation --re nderer-cli ent-id=9 - -time-tick s-at-unix- epoch=-171 4734611839 441 --laun ch-time-ti cks=182837 962 --mojo -platform- channel-ha ndle=4392 --field-tr ial-handle =1992,i,10 6838955612 74057007,5 8783910154 23285478,2 62144 --di sable-feat ures=Optim izationGui deModelDow nloading,O ptimizatio nHints,Opt imizationH intsFetchi ng,Optimiz ationTarge tPredictio n /prefetc h:1 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7804 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=rendere r --enable -chrome-ca rt --disab le-nacl -- disable-gp u-composit ing --lang =en-US --d evice-scal e-factor=1 --num-ras ter-thread s=2 --enab le-main-fr ame-before -activatio n --render er-client- id=10 --ti me-ticks-a t-unix-epo ch=-171473 4611839441 --launch- time-ticks =183415711 --mojo-pl atform-cha nnel-handl e=4880 --f ield-trial -handle=19 92,i,10683 8955612740 57007,5878 3910154232 85478,2621 44 --disab le-feature s=Optimiza tionGuideM odelDownlo ading,Opti mizationHi nts,Optimi zationHint sFetching, Optimizati onTargetPr ediction / prefetch:1 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 3744 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) - chrome.exe (PID: 7352 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =2188 --fi eld-trial- handle=199 2,i,106838 9556127405 7007,58783 9101542328 5478,26214 4 --disabl e-features =Optimizat ionGuideMo delDownloa ding,Optim izationHin ts,Optimiz ationHints Fetching,O ptimizatio nTargetPre diction /p refetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. |
{"C2 list": ["www.steam.help/ba94/"], "decoy": ["dxtra.shop", "upfromhere-eventsdecor.com", "blacksevenkoeln.shop", "pcboards2024.xyz", "posteo.lol", "naservus.com", "pivotance.com", "90ans.com", "ebenezer-remodeling.com", "reddragondao.com", "gspotshop.com", "thesiamesebetta.biz", "rrdhq.com", "greenislandservices.info", "prismotrov.com", "elaqbh.shop", "sosenfantscovidlong.com", "elmsolarsavings.com", "sol-casino-2023.club", "sharecroipper.top", "yqwija.info", "eat-smile.com", "idj257.com", "popenza.com", "bingpueng.website", "odty744.net", "ooqowerh.com", "primetechinnovationllc.com", "themvpcatalyst.us", "spesandosupermercato.com", "arwile.com", "pachecoarquitectos.com", "csrhzs.com", "citylinechimneythorntonpa.us", "apocalypticsigil.us", "shareebrooksphotography.com", "hjgd.xyz", "vertexoffice.com", "xn--vf4b25j89a162a.com", "fijula.com", "odvip666.bet", "sekutvk5ks.top", "creditscorewizards.com", "happyjon.com", "18plusmovies.com", "xn--vr-jc9iv7k9yrlb465i.net", "saga-launchs.app", "liyinghao.cc", "binpc6.club", "schatzaviation.com", "employeefeedback.link", "whatpixels.com", "humidityflash.site", "seraph.live", "6lsamr.vip", "hmi29.top", "galaxyprofituk.com", "educationman.me", "heelfixkit.com", "jacobmcfarland.dev", "kso032.com", "fdue.store", "yourreicapital.com", "ac6a2qa.cc"]}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | ||
Windows_Trojan_Formbook_1112e116 | unknown | unknown |
| |
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| |
Click to see the 17 entries |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | ||
Windows_Trojan_Formbook_1112e116 | unknown | unknown |
| |
Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| |
Click to see the 15 entries |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |
Source: | Author: vburov: |
Timestamp: | 05/03/24-13:21:55.842360 |
SID: | 2031412 |
Source Port: | 49775 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:17:09.040524 |
SID: | 2031412 |
Source Port: | 49767 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:15:40.646435 |
SID: | 2031412 |
Source Port: | 49763 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:21:15.044041 |
SID: | 2031412 |
Source Port: | 49773 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:16:02.495913 |
SID: | 2031412 |
Source Port: | 49764 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:20:54.448926 |
SID: | 2031412 |
Source Port: | 49772 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:15:18.562499 |
SID: | 2031412 |
Source Port: | 49762 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:18:53.201198 |
SID: | 2031412 |
Source Port: | 49770 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:22:16.535005 |
SID: | 2031412 |
Source Port: | 49776 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:14:56.862627 |
SID: | 2031412 |
Source Port: | 49761 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:19:52.944033 |
SID: | 2031412 |
Source Port: | 49771 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:16:25.590027 |
SID: | 2031412 |
Source Port: | 49765 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:16:47.256119 |
SID: | 2031412 |
Source Port: | 49766 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:21:35.663952 |
SID: | 2031412 |
Source Port: | 49774 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Timestamp: | 05/03/24-13:17:49.792172 |
SID: | 2031412 |
Source Port: | 49768 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
Click to jump to signature section
Show All Signature Results
AV Detection |
---|
Source: | Avira URL Cloud: | ||
Source: | Avira URL Cloud: |
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Code function: | 0_2_0014DBBE | |
Source: | Code function: | 0_2_001568EE | |
Source: | Code function: | 0_2_0015698F | |
Source: | Code function: | 0_2_0014D076 | |
Source: | Code function: | 0_2_0014D3A9 | |
Source: | Code function: | 0_2_00159642 | |
Source: | Code function: | 0_2_0015979D | |
Source: | Code function: | 0_2_00159B2B | |
Source: | Code function: | 0_2_00155C97 |
Networking |
---|
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: | ||
Source: | Snort IDS: |
Source: | URLs: |
Source: | DNS query: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: | ||
Source: | IP Address: |
Source: | ASN Name: | ||
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | JA3 fingerprint: | ||
Source: | JA3 fingerprint: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | Code function: | 0_2_0015CE44 |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: |