Edit tour

Windows Analysis Report
RQ#0000081024.exe

Overview

General Information

Sample name:	RQ#0000081024.exe
Analysis ID:	1530843
MD5:	afda2fbebda1a749606f6ce43c8a5f80
SHA1:	1da6ec72807e777b861da6f7c5da4649d602c9f3
SHA256:	3bc0fd76571c3ba9e61ad10154498bf6a55e95bf15980cd5b63b427581d20350
Infos:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

RQ#0000081024.exe (PID: 4480 cmdline: "C:\Users\user\Desktop\RQ#0000081024.exe" MD5: AFDA2FBEBDA1A749606F6CE43C8A5F80)

svchost.exe (PID: 5296 cmdline: "C:\Users\user\Desktop\RQ#0000081024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2fb73:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17b72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c4d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x144cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\RQ#0000081024.exe", CommandLine: "C:\Users\user\Desktop\RQ#0000081024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RQ#0000081024.exe", ParentImage: C:\Users\user\Desktop\RQ#0000081024.exe, ParentProcessId: 4480, ParentProcessName: RQ#0000081024.exe, ProcessCommandLine: "C:\Users\user\Desktop\RQ#0000081024.exe", ProcessId: 5296, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\RQ#0000081024.exe", CommandLine: "C:\Users\user\Desktop\RQ#0000081024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\RQ#0000081024.exe", ParentImage: C:\Users\user\Desktop\RQ#0000081024.exe, ParentProcessId: 4480, ParentProcessName: RQ#0000081024.exe, ProcessCommandLine: "C:\Users\user\Desktop\RQ#0000081024.exe", ProcessId: 5296, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: RQ#0000081024.exe

ReversingLabs: Detection: 79%

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RQ#0000081024.exe

Joe Sandbox ML: detected

Source: RQ#0000081024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: RQ#0000081024.exe, 00000000.00000003.1684774258.0000000004730000.00000004.00001000.00020000.00000000.sdmp, RQ#0000081024.exe, 00000000.00000003.1683958108.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1690708168.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1688661384.0000000003600000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RQ#0000081024.exe, 00000000.00000003.1684774258.0000000004730000.00000004.00001000.00020000.00000000.sdmp, RQ#0000081024.exe, 00000000.00000003.1683958108.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1690708168.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1688661384.0000000003600000.00000004.00000020.00020000.00000000.sdmp

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: RQ#0000081024.exe, 00000000.00000003.1682797234.000000000485D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RQ#0000081024.exe
Source: RQ#0000081024.exe, 00000000.00000003.1683958108.00000000046B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RQ#0000081024.exe

Source: RQ#0000081024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\RQ#0000081024.exe

File created: C:\Users\user\AppData\Local\Temp\outvaunts

Jump to behavior

Source: RQ#0000081024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RQ#0000081024.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RQ#0000081024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RQ#0000081024.exe

ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\RQ#0000081024.exe

File read: C:\Users\user\Desktop\RQ#0000081024.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RQ#0000081024.exe "C:\Users\user\Desktop\RQ#0000081024.exe"
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RQ#0000081024.exe"
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RQ#0000081024.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RQ#0000081024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RQ#0000081024.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\RQ#0000081024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: RQ#0000081024.exe

Static file information: File size 1330145 > 1048576

Source:	Binary string: wntdll.pdbUGP source: RQ#0000081024.exe, 00000000.00000003.1684774258.0000000004730000.00000004.00001000.00020000.00000000.sdmp, RQ#0000081024.exe, 00000000.00000003.1683958108.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1690708168.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1688661384.0000000003600000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RQ#0000081024.exe, 00000000.00000003.1684774258.0000000004730000.00000004.00001000.00020000.00000000.sdmp, RQ#0000081024.exe, 00000000.00000003.1683958108.0000000004590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1733124909.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1690708168.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1688661384.0000000003600000.00000004.00000020.00020000.00000000.sdmp

Source: RQ#0000081024.exe

Static PE information: real checksum: 0xa2135 should be: 0x150ea1

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\RQ#0000081024.exe

API/Special instruction interceptor: Address: 3F2153C

Source: C:\Windows\SysWOW64\svchost.exe TID: 2840

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: RQ#0000081024.exe, 00000000.00000003.1684972198.0000000000A70000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RQ#0000081024.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RQ#0000081024.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F33008

Jump to behavior

Source: C:\Users\user\Desktop\RQ#0000081024.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\RQ#0000081024.exe"

Jump to behavior

Source: RQ#0000081024.exe

Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	111 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	212 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	11 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RQ#0000081024.exe	79%	ReversingLabs	Win32.Trojan.AutoitInject
RQ#0000081024.exe	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1530843
Start date and time:	2024-10-10 15:49:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RQ#0000081024.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/1@0/0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

VT rate limit hit for: RQ#0000081024.exe

Simulations

Behavior and APIs

Time	Type	Description
09:50:27	API Interceptor	3x Sleep call for process: svchost.exe modified

Process:	C:\Users\user\Desktop\RQ#0000081024.exe
File Type:	data
Category:	dropped
Size (bytes):	289792
Entropy (8bit):	7.9962947853131405
Encrypted:	true
SSDEEP:	6144:e6kW7m2Z3dn6XEKojdOwSyA77AfqWaUlx+2Fljg7dW:eZk6XErSyAAiWaUrbjg5W
MD5:	2826FE8397C33344C95A30D564CD21B9
SHA1:	823C8D81F7F1EC66014AE93A4CA8F58C18B4AB4A
SHA-256:	9D10BE022ECEF701D45AA89D661170E87635695355A6DFCADF2E3A32D4530C12
SHA-512:	861462F57F402B29924942777C6D9E62845A2CA92433B221A58335545234023EBA4869722C037EDBF18BFED1E15C28678AA6CDF050CC5BF1CD2996111AB44E71
Malicious:	false
Reputation:	low
Preview:	.....R6AS...K....h.E5..\|7D...MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3.DAPIM.OS.Q.c.3..ua-_<w)&[+:&^m' >)=Ba13xB7!.9_tq.eo:60QbEJ9iDAPGR6AWQ../U..4R../0.N..}S.[...!4.B...0V.g,U'j93.LHG3MDAP..6A.WY00...1T5E6OWY.4NIL2FDA.CR6ASVX0BO.D1T5U6OW)P4LH.3MTAPGP6AUVX0BO2P7T5E6OWYTDHHG1MDAPGR4A..X0RO2@1T5E&OWIT4LHG3]DAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0l;W(ET5E..SYT$LHGiIDA@GR6ASVX0BO2P1T.E6/WYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASVX0BO2P1T5E6OWYT4LHG3MDAPGR6ASV

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.5133798301143555
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RQ#0000081024.exe
File size:	1'330'145 bytes
MD5:	afda2fbebda1a749606f6ce43c8a5f80
SHA1:	1da6ec72807e777b861da6f7c5da4649d602c9f3
SHA256:	3bc0fd76571c3ba9e61ad10154498bf6a55e95bf15980cd5b63b427581d20350
SHA512:	400ba3074e79c56ab23675cca1b2146206228a79c855936c028d73098b8fa7a86b0ae223a5f78af2a334593ae3833f4e2b3377bb070c2fcb4f7b9d13ad453d4c
SSDEEP:	24576:ffmMv6Ckr7Mny5QLkoXdnuQNDxnElrR4WKLe/lLoEj1oWZ106q:f3v+7/5QLkoNuQhx2DF/ZOWZ1q
TLSH:	1755F112F7D680B6EDA33971293BE32ADB3575194337C48BA7E02E778E211409B36761
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	1733312925935517

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Entrypoint Preview

Instruction
call 00007F2814E7487Ch
jmp 00007F2814E6864Eh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F2814E687DAh
cmp edi, eax
jc 00007F2814E6897Ah
cmp ecx, 00000100h
jc 00007F2814E687F1h
cmp dword ptr [004A94E0h], 00000000h
je 00007F2814E687E8h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F2814E687DAh
pop esi
pop edi
pop ebp
jmp 00007F2814E68C3Ah
test edi, 00000003h
jne 00007F2814E687E7h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F2814E687FCh
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F2814E687DEh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F2814E6879Eh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x9298	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x9298	0x9400	f6be76de0ef2c68f397158bf01bdef3e	False	0.4896801097972973	data	5.530303089784181	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab5c8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab6f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab818	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab940	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	Great Britain	0.48109756097560974
RT_ICON	0xabfa8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	Great Britain	0.5672043010752689
RT_ICON	0xac290	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	Great Britain	0.6418918918918919
RT_ICON	0xac3b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	Great Britain	0.7044243070362474
RT_ICON	0xad260	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	Great Britain	0.8077617328519856
RT_ICON	0xadb08	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	Great Britain	0.5903179190751445
RT_ICON	0xae070	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	Great Britain	0.5503112033195021
RT_ICON	0xb0618	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	Great Britain	0.6050656660412758
RT_ICON	0xb16c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	Great Britain	0.7553191489361702
RT_MENU	0xb1b28	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xb1b78	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xb1c78	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xb21a8	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xb2838	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xb2c78	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xb3278	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xb38d8	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xb3c60	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xb3db8	0x84	data	English	Great Britain	0.6439393939393939
RT_GROUP_ICON	0xb3e40	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xb3e58	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xb3e70	0x14	data	English	Great Britain	1.25
RT_VERSION	0xb3e88	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xb4028	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Target ID:	0
Start time:	09:50:22
Start date:	10/10/2024
Path:	C:\Users\user\Desktop\RQ#0000081024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RQ#0000081024.exe"
Imagebase:	0x400000
File size:	1'330'145 bytes
MD5 hash:	AFDA2FBEBDA1A749606F6CE43C8A5F80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:50:25
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RQ#0000081024.exe"
Imagebase:	0x7a0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1728497714.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1733062546.0000000003740000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RQ#0000081024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

E-Banking Fraud

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\outvaunts

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: RQ#0000081024.exePID: 4480, Parent PID: 2580

General

Chronological Activities

Analysis Process: svchost.exePID: 5296, Parent PID: 4480

Windows Analysis Report
RQ#0000081024.exe