Windows Analysis Report
KjFT0qPTo4.vbs

Overview

General Information

Sample name: KjFT0qPTo4.vbs
renamed because original name is a hash value
Original sample name: 437d16ac6fb62c138841e2ddb216dca0.vbs
Analysis ID: 1530695
MD5: 437d16ac6fb62c138841e2ddb216dca0
SHA1: 0c74d149fbd1f4f1a20ba1f962564d02a88d184f
SHA256: 2b18564d817f6070f7cdb7f29dc8ba06a96772c7ce0ea72e74c944b089bf7df4
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Potential malicious VBS script found (has network functionality)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for domain / URL
Source: transfer.adttemp.com.br Virustotal: Detection: 5% Perma Link
Source: http://transfer.adttemp.com.br Virustotal: Detection: 5% Perma Link
Yara detected FormBook
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: Binary string: VCBJER234.pdb source: wscript.exe, 00000000.00000003.371603253.0000000003ED3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371785671.000000000476B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371651218.0000000003BCE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371908468.0000000004410000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.364263905.00000000012F2000.00000020.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr
Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Networking
barindex
Potential malicious VBS script found (has network functionality)
Source: Initial file: stream.SaveToFile filePath, 2 ' Overwrite existing file
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /hUkry/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic HTTP traffic detected: GET /hUkry/sirdeeeeee.txt HTTP/1.1Host: transfer.adttemp.com.brConnection: Keep-Alive
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002794000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002794000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://transfer.adttemp.com.brX
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: temp_executable.exe, 00000002.00000002.371005073.0000000000550000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://transfer.adttemp.com.br
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://transfer.adttemp.com.br/hUkry/sirdeeeeee.txt
Source: temp_executable.exe, 00000002.00000002.371150308.0000000002777000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://transfer.adttemp.com.br/hUkry/sirdeeeeee.txtX~
Source: unknown Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown HTTPS traffic detected: 104.196.109.209:443 -> 192.168.2.22:49163 version: TLS 1.2

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgID Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 770B0000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042C563 NtClose, 3_2_0042C563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F07AC NtCreateMutant,LdrInitializeThunk, 3_2_022F07AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFAE8 NtQueryInformationProcess,LdrInitializeThunk, 3_2_022EFAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFB68 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_022EFB68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EF9F0 NtClose,LdrInitializeThunk, 3_2_022EF9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFDC0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_022EFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F0060 NtQuerySection, 3_2_022F0060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F0078 NtResumeThread, 3_2_022F0078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F0048 NtProtectVirtualMemory, 3_2_022F0048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F00C4 NtCreateFile, 3_2_022F00C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F10D0 NtOpenProcessToken, 3_2_022F10D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F010C NtOpenDirectoryObject, 3_2_022F010C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F1148 NtOpenThread, 3_2_022F1148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F01D4 NtSetValueKey, 3_2_022F01D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFA20 NtQueryInformationFile, 3_2_022EFA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFA50 NtEnumerateValueKey, 3_2_022EFA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFAB8 NtQueryValueKey, 3_2_022EFAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFAD0 NtAllocateVirtualMemory, 3_2_022EFAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFB50 NtCreateKey, 3_2_022EFB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFBB8 NtQueryInformationToken, 3_2_022EFBB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFBE8 NtQueryVirtualMemory, 3_2_022EFBE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EF8CC NtWaitForSingleObject, 3_2_022EF8CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EF938 NtWriteFile, 3_2_022EF938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F1930 NtSetContextThread, 3_2_022F1930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EF900 NtReadFile, 3_2_022EF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFE24 NtWriteVirtualMemory, 3_2_022EFE24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFEA0 NtReadVirtualMemory, 3_2_022EFEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFED0 NtAdjustPrivilegesToken, 3_2_022EFED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFF34 NtQueueApcThread, 3_2_022EFF34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFFB4 NtCreateSection, 3_2_022EFFB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFFFC NtCreateProcessEx, 3_2_022EFFFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFC30 NtOpenProcess, 3_2_022EFC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFC60 NtMapViewOfSection, 3_2_022EFC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFC48 NtSetInformationFile, 3_2_022EFC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F0C40 NtGetContextThread, 3_2_022F0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFC90 NtUnmapViewOfSection, 3_2_022EFC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFD5C NtEnumerateKey, 3_2_022EFD5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022EFD8C NtDelayExecution, 3_2_022EFD8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F1D80 NtSuspendThread, 3_2_022F1D80
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 2_2_002C9970 2_2_002C9970
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 2_2_002C8148 2_2_002C8148
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 2_2_002C1A60 2_2_002C1A60
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Code function: 2_2_002C16D0 2_2_002C16D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00402350 3_2_00402350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0042EB83 3_2_0042EB83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040FCFB 3_2_0040FCFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00404486 3_2_00404486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040FD03 3_2_0040FD03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00402E60 3_2_00402E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004166B3 3_2_004166B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040FF23 3_2_0040FF23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040DFA3 3_2_0040DFA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_023A1238 3_2_023A1238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022FE2E9 3_2_022FE2E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02302305 3_2_02302305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0234A37B 3_2_0234A37B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02307353 3_2_02307353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_023A63BF 3_2_023A63BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022FF3CF 3_2_022FF3CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_023263DB 3_2_023263DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0232D005 3_2_0232D005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0231905A 3_2_0231905A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02303040 3_2_02303040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022FE0C6 3_2_022FE0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0234A634 3_2_0234A634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_023A2622 3_2_023A2622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02304680 3_2_02304680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0230E6C1 3_2_0230E6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0230C7BC 3_2_0230C7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0238579A 3_2_0238579A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_023357C3 3_2_023357C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0233D47D 3_2_0233D47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02335485 3_2_02335485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02311489 3_2_02311489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0230351F 3_2_0230351F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02346540 3_2_02346540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0231C5F0 3_2_0231C5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_023B3A83 3_2_023B3A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02327B00 3_2_02327B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_023ACBA4 3_2_023ACBA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0238DBDA 3_2_0238DBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022FFBD7 3_2_022FFBD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0232286D 3_2_0232286D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0230C85C 3_2_0230C85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0239F8EE 3_2_0239F8EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02385955 3_2_02385955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_023029B2 3_2_023029B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_023A098E 3_2_023A098E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_023169FE 3_2_023169FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02332E2F 3_2_02332E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0231EE4C 3_2_0231EE4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02310F3F 3_2_02310F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0232DF7C 3_2_0232DF7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02330D3B 3_2_02330D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0230CD5B 3_2_0230CD5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0239FDDD 3_2_0239FDDD
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 02343F92 appears 108 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0234373B appears 238 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 022FE2A8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0236F970 appears 81 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 022FDF5C appears 118 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: KjFT0qPTo4.vbs Initial sample: Strings found which are bigger than 50
Yara signature match
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: temp_executable.exe.0.dr, AesHelper.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, AesHelper.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@5/1@1/1
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Mutant created: NULL
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\KjFT0qPTo4.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe"
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rpcrtremote.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: bcrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: credssp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64win.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wow64cpu.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Binary string: VCBJER234.pdb source: wscript.exe, 00000000.00000003.371603253.0000000003ED3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371785671.000000000476B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371651218.0000000003BCE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.371908468.0000000004410000.00000004.00000020.00020000.00000000.sdmp, temp_executable.exe, 00000002.00000000.364263905.00000000012F2000.00000020.00000001.01000000.00000006.sdmp, temp_executable.exe.0.dr
Source: Binary string: wntdll.pdb source: RegAsm.exe, RegAsm.exe, 00000003.00000002.455555321.00000000022E0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777264)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777245))})
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777264)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777245))})
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777263)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777264)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.XHncqS7IVGrlk(16777245))})
Binary contains a suspicious time stamp
Source: temp_executable.exe.0.dr Static PE information: 0xB915B30D [Fri May 25 21:30:53 2068 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004030E0 push eax; ret 3_2_004030E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041488D pushfd ; iretd 3_2_0041488F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00401966 push esi; iretd 3_2_00401967
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00402179 push ss; retf 3_2_0040213D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00415AE7 pushad ; ret 3_2_00415AE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040D4C7 push edx; ret 3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040D4CD push edx; ret 3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004154B9 push edi; retf 3_2_004154BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00418DD0 push ebp; ret 3_2_00418DE6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040D589 push edx; ret 3_2_0040D514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004116BB push edi; retf 3_2_004116BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00413FC3 push edi; ret 3_2_00413FCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022FDFA1 push ecx; ret 3_2_022FDFB4
Source: temp_executable.exe.0.dr, DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: 'D4r4O0AxSI', 'CwecqSo7Q1xXT', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: temp_executable.exe.0.dr, R2mIapWar4cwoqqx6Q.cs High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: 'D4r4O0AxSI', 'CwecqSo7Q1xXT', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.wscript.exe.3ee4a70.0.raw.unpack, R2mIapWar4cwoqqx6Q.cs High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: 'D4r4O0AxSI', 'CwecqSo7Q1xXT', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.3.wscript.exe.4446a90.2.raw.unpack, R2mIapWar4cwoqqx6Q.cs High entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'

Persistence and Installation Behavior
barindex
Installs new ROOT certificates
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob Jump to behavior
Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\temp_executable.exe Jump to dropped file
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT Jump to behavior
Stores large binary data to the registry
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: 2C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: 2710000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: 3C0000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02340101 rdtsc 3_2_02340101
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Window / User API: threadDelayed 495 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 3300 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3364 Thread sleep count: 495 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe TID: 3328 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3400 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_02340101 rdtsc 3_2_02340101
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_022F07AC NtCreateMutant,LdrInitializeThunk, 3_2_022F07AC
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_023026F8 mov eax, dword ptr fs:[00000030h] 3_2_023026F8
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: temp_executable.exe.0.dr Jump to dropped file
.NET source code references suspicious native API functions
Source: temp_executable.exe.0.dr, ProcessExecutor.cs Reference to suspicious API methods: App.ReadProcessMemory(Settings.pi.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs Reference to suspicious API methods: App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64)
Source: temp_executable.exe.0.dr, ProcessExecutor.cs Reference to suspicious API methods: App.WriteProcessMemory(Settings.pi.ProcessHandle, num4, payload, bufferSize, ref bytesRead)
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Temp\temp_executable.exe "C:\Users\user\AppData\Local\Temp\temp_executable.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\temp_executable.exe Queries volume information: C:\Users\user\AppData\Local\Temp\temp_executable.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.455484382.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.455450302.0000000000270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1530695 Sample: KjFT0qPTo4.vbs Startdate: 10/10/2024 Architecture: WINDOWS Score: 100 21 Multi AV Scanner detection for domain / URL 2->21 23 Malicious sample detected (through community Yara rule) 2->23 25 Yara detected FormBook 2->25 27 5 other signatures 2->27 7 wscript.exe 2 2->7         started        process3 file4 17 C:\Users\user\AppData\...\temp_executable.exe, PE32 7->17 dropped 29 Benign windows process drops PE files 7->29 31 Windows Scripting host queries suspicious COM object (likely to drop second stage) 7->31 33 Suspicious execution chain found 7->33 11 temp_executable.exe 12 2 7->11         started        signatures5 process6 dnsIp7 19 transfer.adttemp.com.br 104.196.109.209, 443, 49163 GOOGLEUS United States 11->19 35 Antivirus detection for dropped file 11->35 37 Installs new ROOT certificates 11->37 39 Machine Learning detection for dropped file 11->39 41 3 other signatures 11->41 15 RegAsm.exe 11->15         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.196.109.209
 transfer.adttemp.com.br United States
15169 GOOGLEUS false

Contacted Domains

Name IP Active
transfer.adttemp.com.br 104.196.109.209 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://transfer.adttemp.com.br/hUkry/sirdeeeeee.txt false
    		unknown