Windows Analysis Report
RQ#0000081024.exe

Overview

General Information

Sample name: RQ#0000081024.exe
Analysis ID: 1530843
MD5: afda2fbebda1a749606f6ce43c8a5f80
SHA1: 1da6ec72807e777b861da6f7c5da4649d602c9f3
SHA256: 3bc0fd76571c3ba9e61ad10154498bf6a55e95bf15980cd5b63b427581d20350

Detection

FormBook
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Yara signature match

Classification

AV Detection

Source: RQ#0000081024.exe ReversingLabs: Detection: 79%
Source: Yara match File source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: RQ#0000081024.exe Joe Sandbox ML: detected
Source: RQ#0000081024.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: RQ#0000081024.exe, 00000000.00000003.1684774258.0000000004730000.00000004.00001000.00020000.00000000.sdmp, RQ#0000081024.exe, 00000000.00000003.1683958108.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1690708168.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1688661384.0000000003600000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RQ#0000081024.exe, 00000000.00000003.1684774258.0000000004730000.00000004.00001000.00020000.00000000.sdmp, RQ#0000081024.exe, 00000000.00000003.1683958108.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1690708168.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1688661384.0000000003600000.00000004.00000020.00020000.00000000.sdmp

E-Banking Fraud

Source: Yara match File source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: RQ#0000081024.exe, 00000000.00000003.1682797234.000000000485D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RQ#0000081024.exe
Source: RQ#0000081024.exe, 00000000.00000003.1683958108.00000000046B3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RQ#0000081024.exe
Source: RQ#0000081024.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal84.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\RQ#0000081024.exe File created: C:\Users\user\AppData\Local\Temp\outvaunts
Source: RQ#0000081024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RQ#0000081024.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\RQ#0000081024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RQ#0000081024.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\RQ#0000081024.exe File read: C:\Users\user\Desktop\RQ#0000081024.exe
Source: unknown Process created: C:\Users\user\Desktop\RQ#0000081024.exe "C:\Users\user\Desktop\RQ#0000081024.exe"
Source: C:\Users\user\Desktop\RQ#0000081024.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RQ#0000081024.exe"
Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RQ#0000081024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: RQ#0000081024.exe Static file information: File size 1330145 > 1048576
Source: Binary string: wntdll.pdbUGP source: RQ#0000081024.exe, 00000000.00000003.1684774258.0000000004730000.00000004.00001000.00020000.00000000.sdmp, RQ#0000081024.exe, 00000000.00000003.1683958108.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1690708168.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1688661384.0000000003600000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RQ#0000081024.exe, 00000000.00000003.1684774258.0000000004730000.00000004.00001000.00020000.00000000.sdmp, RQ#0000081024.exe, 00000000.00000003.1683958108.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1690708168.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1688661384.0000000003600000.00000004.00000020.00020000.00000000.sdmp
Source: RQ#0000081024.exe Static PE information: real checksum: 0xa2135 should be: 0x150ea1

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\RQ#0000081024.exe API/Special instruction interceptor: Address: 3F2153C
Source: C:\Windows\SysWOW64\svchost.exe TID: 2840 Thread sleep time: -30000s >= -30000s
Source: RQ#0000081024.exe, 00000000.00000003.1684972198.0000000000A70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RQ#0000081024.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RQ#0000081024.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F33008
Source: C:\Users\user\Desktop\RQ#0000081024.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RQ#0000081024.exe"
Source: RQ#0000081024.exe Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Stealing of Sensitive Information

Source: Yara match File source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos