Windows Analysis Report
vJsFBhrSfK.exe

Overview

General Information

Sample name: vJsFBhrSfK.exe
renamed because original name is a hash value
Original sample name: 65e6633b1a99bf5b6a71d8fb26ec5130b0db075c0a838301d8120e32b7ca847b.exe
Analysis ID: 1519415
MD5: f6e330ca595ee7f05ddbecb8cd851350
SHA1: f22953cd04a52fc0cd2fc313ebfc5b329598abb0
SHA256: 65e6633b1a99bf5b6a71d8fb26ec5130b0db075c0a838301d8120e32b7ca847b
Tags: AlphaBank, exe, FormBook, geo, GRC, unpacked, user-NDA0E

Detection

FormBook
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
One or more processes crash
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection

Source: vJsFBhrSfK.exe Avira: detected
Source: vJsFBhrSfK.exe ReversingLabs: Detection: 52%
Source: Yara match File source: vJsFBhrSfK.exe, type: SAMPLE
Source: Yara match File source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.6% probability
Source: vJsFBhrSfK.exe Joe Sandbox ML: detected
Source: vJsFBhrSfK.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vJsFBhrSfK.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net

E-Banking Fraud

Source: Yara match File source: vJsFBhrSfK.exe, type: SAMPLE
Source: Yara match File source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

Source: vJsFBhrSfK.exe, type: SAMPLE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DA10D0 0_2_00DA10D0
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DA10CA 0_2_00DA10CA
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DAF853 0_2_00DAF853
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DAF84A 0_2_00DAF84A
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DB61A3 0_2_00DB61A3
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DA22C0 0_2_00DA22C0
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DADAF3 0_2_00DADAF3
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DAFA73 0_2_00DAFA73
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DA1230 0_2_00DA1230
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DA2DC0 0_2_00DA2DC0
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DCE5B3 0_2_00DCE5B3
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DA2640 0_2_00DA2640
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DB7FC3 0_2_00DB7FC3
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6480 -s 228
Source: vJsFBhrSfK.exe Static PE information: No import functions for PE file found
Source: vJsFBhrSfK.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: vJsFBhrSfK.exe, type: SAMPLE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: vJsFBhrSfK.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vJsFBhrSfK.exe Static PE information: Section .text
Source: classification engine Classification label: mal80.troj.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6480
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\54b1d49e-d3b6-4a72-be70-9a01c7eeaaee
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: vJsFBhrSfK.exe ReversingLabs: Detection: 52%
Source: unknown Process created: C:\Users\user\Desktop\vJsFBhrSfK.exe "C:\Users\user\Desktop\vJsFBhrSfK.exe"
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Section loaded: apphelp.dll
Source: vJsFBhrSfK.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DA3040 push eax; ret 0_2_00DA3042
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DB5040 push eax; iretd 0_2_00DB5043
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DA6167 push ebp; ret 0_2_00DA616B
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DB7A84 pushad ; iretd 0_2_00DB7A90
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DB7B34 pushad ; retf 0_2_00DB7B35
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DB3560 push 00000076h; iretd 0_2_00DB356F
Source: vJsFBhrSfK.exe Static PE information: section name: .text entropy: 7.69528996942639
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\vJsFBhrSfK.exe Code function: 0_2_00DA14A0 EntryPoint,LdrInitializeThunk, 0_2_00DA14A0
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: vJsFBhrSfK.exe, type: SAMPLE
Source: Yara match File source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: vJsFBhrSfK.exe, type: SAMPLE
Source: Yara match File source: 0.0.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.vJsFBhrSfK.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1692055755.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2104395840.0000000000DA1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
No contacted IP infos