Windows Analysis Report
Proforma Invoice_pdf.exe

Overview

General Information

Sample name: Proforma Invoice_pdf.exe
Analysis ID: 1533057
MD5: 2cc9915f2b1e52706b15d2485a644292
SHA1: 9f7e69ffd0ac1aab4ab140a65c29154936cc44f0
SHA256: e0a51dab9249aad74c757f08760efbc460508ca0442ae692d8bce498a022daf8
Infos:

Detection

FormBook
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: Proforma Invoice_pdf.exe Virustotal: Detection: 28%
Source: Proforma Invoice_pdf.exe ReversingLabs: Detection: 44%
Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.389879638.00000000000F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.389902818.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Proforma Invoice_pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdb source: Proforma Invoice_pdf.exe, 00000000.00000003.355860040.0000000003C40000.00000004.00001000.00020000.00000000.sdmp, Proforma Invoice_pdf.exe, 00000000.00000003.356145877.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.389960283.0000000000B90000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.385396854.0000000000880000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.385045719.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.389960283.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile, 0_2_0044289D
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard, 0_2_0046C5D0
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00459FFF
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW, 0_2_00456354
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0047C08E

E-Banking Fraud

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.389879638.00000000000F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.389902818.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.389879638.00000000000F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.389902818.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: Proforma Invoice_pdf.exe
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042C9F3 NtClose, 2_2_0042C9F3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A207AC NtCreateMutant,LdrInitializeThunk, 2_2_00A207AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1F9F0 NtClose,LdrInitializeThunk, 2_2_00A1F9F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FAE8 NtQueryInformationProcess,LdrInitializeThunk, 2_2_00A1FAE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FB68 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_00A1FB68
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FDC0 NtQuerySystemInformation,LdrInitializeThunk, 2_2_00A1FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A200C4 NtCreateFile, 2_2_00A200C4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A20060 NtQuerySection, 2_2_00A20060
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A20078 NtResumeThread, 2_2_00A20078
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A20048 NtProtectVirtualMemory, 2_2_00A20048
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A201D4 NtSetValueKey, 2_2_00A201D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A2010C NtOpenDirectoryObject, 2_2_00A2010C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A20C40 NtGetContextThread, 2_2_00A20C40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A210D0 NtOpenProcessToken, 2_2_00A210D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A21148 NtOpenThread, 2_2_00A21148
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1F8CC NtWaitForSingleObject, 2_2_00A1F8CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A21930 NtSetContextThread, 2_2_00A21930
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1F938 NtWriteFile, 2_2_00A1F938
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1F900 NtReadFile, 2_2_00A1F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FAB8 NtQueryValueKey, 2_2_00A1FAB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FAD0 NtAllocateVirtualMemory, 2_2_00A1FAD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FA20 NtQueryInformationFile, 2_2_00A1FA20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FA50 NtEnumerateValueKey, 2_2_00A1FA50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FBB8 NtQueryInformationToken, 2_2_00A1FBB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FBE8 NtQueryVirtualMemory, 2_2_00A1FBE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FB50 NtCreateKey, 2_2_00A1FB50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FC90 NtUnmapViewOfSection, 2_2_00A1FC90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FC30 NtOpenProcess, 2_2_00A1FC30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FC60 NtMapViewOfSection, 2_2_00A1FC60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FC48 NtSetInformationFile, 2_2_00A1FC48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A21D80 NtSuspendThread, 2_2_00A21D80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FD8C NtDelayExecution, 2_2_00A1FD8C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FD5C NtEnumerateKey, 2_2_00A1FD5C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FEA0 NtReadVirtualMemory, 2_2_00A1FEA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FED0 NtAdjustPrivilegesToken, 2_2_00A1FED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FE24 NtWriteVirtualMemory, 2_2_00A1FE24
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FFB4 NtCreateSection, 2_2_00A1FFB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FFFC NtCreateProcessEx, 2_2_00A1FFFC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A1FF34 NtQueueApcThread, 2_2_00A1FF34
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00434D50: GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00434D50
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004461ED
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState, 0_2_004364AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A2DF5C appears 137 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A9F970 appears 84 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A7373B appears 253 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A73F92 appears 132 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00A2E2A8 appears 60 times
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: String function: 0041718C appears 45 times
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: String function: 0040E6D0 appears 35 times
Source: Proforma Invoice_pdf.exe, 00000000.00000003.357258088.0000000003BBD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma Invoice_pdf.exe
Source: Proforma Invoice_pdf.exe, 00000000.00000003.356345124.0000000003D40000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma Invoice_pdf.exe
Source: Proforma Invoice_pdf.exe, 00000000.00000002.357870662.000000000094B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Proforma Invoice_pdf.exe
Source: Proforma Invoice_pdf.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.389879638.00000000000F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.389902818.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal88.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW, 0_2_0044AF5C
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle, 0_2_00464422
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode, 0_2_0045D517
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle, 0_2_0043701F
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket, 0_2_0047A999
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 0_2_0043614F
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe File created: C:\Users\user\AppData\Local\Temp\endochylous
Source: Proforma Invoice_pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Proforma Invoice_pdf.exe Virustotal: Detection: 28%
Source: Proforma Invoice_pdf.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe File read: C:\Users\user\Desktop\Proforma Invoice_pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\Proforma Invoice_pdf.exe "C:\Users\user\Desktop\Proforma Invoice_pdf.exe"
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Proforma Invoice_pdf.exe"
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wow64cpu.dll
Source: Proforma Invoice_pdf.exe Static file information: File size 1337369 > 1048576
Source: Binary string: wntdll.pdb source: Proforma Invoice_pdf.exe, 00000000.00000003.355860040.0000000003C40000.00000004.00001000.00020000.00000000.sdmp, Proforma Invoice_pdf.exe, 00000000.00000003.356145877.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.389960283.0000000000B90000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.385396854.0000000000880000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.385045719.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.389960283.0000000000A10000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: Proforma Invoice_pdf.exe Static PE information: real checksum: 0xa2135 should be: 0x15026c
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040C15B push 00000006h; iretd 2_2_0040C15D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00414193 push ss; ret 2_2_00414194
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004159A1 push 35D13253h; ret 2_2_004159A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00408A24 push esi; retf 2_2_00408A26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00412379 push ebx; retf 2_2_0041238C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040531A pushad ; ret 2_2_0040532C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004033F0 push eax; ret 2_2_004033F2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A4CE push cs; retf 2_2_0041A4D2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00404CAF push ebp; iretd 2_2_00404CBC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00411EC2 push 00000018h; ret 2_2_00411ED8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00404EA1 push es; ret 2_2_00404EA2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A2DFA1 push ecx; ret 2_2_00A2DFB4
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_004772DE
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Process information set: NOOPENFILEERRORBOX
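The checksum mismatch reported on the "Static PE information" line above (stored 0xa2135, expected 0x15026c) only says that the file was changed after the linker wrote the header, which is typical of packed or appended payloads but also of plenty of legitimate tools, so it corroborates rather than proves anything. The expected value is at least consistent with the algorithm: subtracting the file size (1337369 = 0x146819) leaves 0x9a53, a 16-bit folded word sum. Added example, not from the report or from Joe Sandbox: a pure-Python reimplementation of the PE CheckSum algorithm that a reviewer can run against the submitted file to reproduce those two figures; the 312-byte header-only image is constructed here for the self-test and is not a real binary.

```python
import struct


def _checksum_field_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum (optional-header offset 0x40,
    same for PE32 and PE32+)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe_off + 4 + 20 + 0x40          # signature + COFF header + 0x40


def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum over a complete file image.

    Same algorithm as imagehlp's CheckSumMappedFile: sum every 16-bit
    little-endian word with end-around carry, skipping the 4-byte CheckSum
    field itself, fold the result to 16 bits, then add the file length.
    """
    checksum_off = _checksum_field_offset(data)
    file_len = len(data)
    # An odd trailing byte is the low byte of a final zero-padded word.
    padded = data if file_len % 2 == 0 else data + b"\0"
    total = 0
    for off in range(0, len(padded), 2):
        if off in (checksum_off, checksum_off + 2):
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return total + file_len


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def verify(data: bytes) -> dict:
    """Report the pair of values the sandbox prints as 'real' and 'should be'.
    A stored value of 0 means the linker never set one; that is common and
    not the same thing as a mismatch."""
    real, should_be = stored_checksum(data), pe_checksum(data)
    return {"real": real, "should_be": should_be,
            "matches": real == should_be, "unset": real == 0}


def build_header_only_pe(checksum_field: int) -> bytes:
    """Constructed 312-byte test image: MZ stub, PE signature, COFF header,
    PE32 optional header (0xE0 bytes) and no sections. Not a runnable PE."""
    img = bytearray(0x138)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x44, 0x014C)          # Machine = i386
    struct.pack_into("<H", img, 0x54, 0xE0)            # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x010B)          # Magic = PE32
    struct.pack_into("<I", img, 0x98, checksum_field)  # CheckSum field
    return bytes(img)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_header_only_pe(0xDEADBEEF)
    r = verify(blob)
    print(f"real checksum: {r['real']:#x} should be: {r['should_be']:#x}")
```

Run it as `python pe_checksum.py "Proforma Invoice_pdf.exe"` to reproduce the report's line; on the constructed image the word sum is 0xa314 and the length 0x138, giving 0xa44c whatever value sits in the CheckSum field.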

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00444078 0_2_00444078
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe API/Special instruction interceptor: Address: 34AFFA4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A70101 rdtsc 2_2_00A70101
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe API coverage: 3.0 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 3580 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00452126
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose, 0_2_0045C999
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00436ADE
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00434BEE
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle, 0_2_00436D2D
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00442E1F
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0045DD7C FindFirstFileW,FindClose, 0_2_0045DD7C
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose, 0_2_0044BD29
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00475FE5
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_0044BF8D
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A70101 rdtsc 2_2_00A70101
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A207AC NtCreateMutant,LdrInitializeThunk, 2_2_00A207AC
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress, 0_2_0040EB70
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_034B0270 mov eax, dword ptr fs:[00000030h] 0_2_034B0270
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_034B0210 mov eax, dword ptr fs:[00000030h] 0_2_034B0210
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_034AEBF0 mov eax, dword ptr fs:[00000030h] 0_2_034AEBF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A10080 mov ecx, dword ptr fs:[00000030h] 2_2_00A10080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A100EA mov eax, dword ptr fs:[00000030h] 2_2_00A100EA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A326F8 mov eax, dword ptr fs:[00000030h] 2_2_00A326F8
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
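Reading this section as an analyst: `mov eax, dword ptr fs:[00000030h]` reads TEB.ProcessEnvironmentBlock on x86 and WOW64, so every such line is a PEB read (BeingDebugged, Ldr, NtGlobalFlag); `rdtsc` is a timing check; "Process queried: DebugPort" is NtQueryInformationProcess(ProcessDebugPort). Two of the IsDebuggerPresent hits in process 0 (0_2_00417D93 and 0_2_00421FA7) appear next to SetUnhandledExceptionFilter, UnhandledExceptionFilter and TerminateProcess, which is the MSVC CRT's fault-reporting path, not anti-debugging written by the author. The evidence that carries weight is in process 2, the svchost.exe that receives the injected payload. Also note the report's own "API coverage: 3.0 %": most of the sample's code never executed in the sandbox, so missing evidence here means little. Added example, not from the report or from Joe Sandbox: a small classifier over evidence lines in the report's format that applies those rules, groups the findings per process and downgrades the CRT pattern; the sample lines are constructed copies in the report's shape, and the sleep threshold assumes the printed number is the Sleep() argument in milliseconds (30000 = 30 s).

```python
import re

# Constructed sample lines in the shape of the report above.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A70101 rdtsc 2_2_00A70101",
    r"Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00A10080 mov ecx, dword ptr fs:[00000030h] 2_2_00A10080",
    r"Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93",
    r"Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA, 0_2_0040D6D0",
    r"Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0045A259 BlockInput, 0_2_0045A259",
    r"Source: C:\Windows\SysWOW64\svchost.exe TID: 3580 Thread sleep time: -30000s >= -30000s",
]

# "Code function: <pid_run_addr> <disassembly or API list> <pid_run_addr>"
CODE_RE = re.compile(
    r"^Source: (?P<src>.+?) Code function: (?P<addr>\d+_\d+_[0-9A-F]+) (?P<body>.*?) (?P=addr)$")
QUERY_RE = re.compile(r"^Source: (?P<src>.+?) Process queried: (?P<what>\w+)$")
SLEEP_RE = re.compile(r"^Source: (?P<src>.+?) TID: \d+ Thread sleep time: -?(?P<ms>\d+)s")

# IsDebuggerPresent followed by these three is the MSVC CRT abort/fault path.
CRT_FAULT_PATH = {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter", "TerminateProcess"}
SLEEP_THRESHOLD_MS = 30000   # assumption: value is the Sleep() argument in ms


def classify(line):
    """Return (source process, technique, detail) for one evidence line, or None."""
    m = CODE_RE.match(line)
    if m:
        src, addr, body = m.group("src"), m.group("addr"), m.group("body")
        if "fs:[00000030h]" in body:           # TEB+0x30 = PEB on x86 / WOW64
            return (src, "peb-read", f"{addr}: {body}")
        if body.startswith("rdtsc"):
            return (src, "timing-check", f"{addr}: rdtsc")
        apis = {a for a in body.rstrip(",").split(",") if a}
        if "BlockInput" in apis:
            return (src, "input-blocking", f"{addr}: BlockInput")
        if "IsDebuggerPresent" in apis:
            if CRT_FAULT_PATH <= apis:
                return (src, "crt-fault-handler", f"{addr}: IsDebuggerPresent inside CRT abort path")
            return (src, "debugger-check", f"{addr}: IsDebuggerPresent")
        return None
    m = QUERY_RE.match(line)
    if m and m.group("what") == "DebugPort":
        return (m.group("src"), "debugger-check", "NtQueryInformationProcess(ProcessDebugPort)")
    m = SLEEP_RE.match(line)
    if m and int(m.group("ms")) >= SLEEP_THRESHOLD_MS:
        return (m.group("src"), "sleep-evasion", f"sleep {m.group('ms')} ms")
    return None


def summarize(lines):
    """All findings plus the set of techniques seen per source process."""
    findings = [f for f in map(classify, lines) if f]
    by_proc = {}
    for src, tech, _ in findings:
        by_proc.setdefault(src, set()).add(tech)
    return findings, by_proc


if __name__ == "__main__":
    findings, by_proc = summarize(SAMPLE_LINES)
    for src, techs in by_proc.items():
        print(src, sorted(techs))
```

Feeding the whole section through `summarize` (one line per element) gives a per-process picture in which the injected svchost.exe accounts for the timing, PEB and DebugPort checks, while the parent is left with the CRT pattern and the AutoIt-style BlockInput call.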

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0043916A LogonUserW, 0_2_0043916A
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW, 0_2_0040D6D0
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_004375B0
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event, 0_2_00436431
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Proforma Invoice_pdf.exe"
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00445DD3
Source: Proforma Invoice_pdf.exe Binary or memory string: Shell_TrayWnd
Source: Proforma Invoice_pdf.exe Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_004223BC
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_004711D2 GetUserNameW, 0_2_004711D2
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_0042039F
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0040E470
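Three lines in this section describe one process-hollowing sequence rather than separate findings: svchost.exe is created with the sample's own path as its command line (CreateProcess with a separate application name), a section with execute, read and write protection is mapped into it ("Section loaded: NULL target"), and memory is written at 7EFDE008, which for a WOW64 process whose 32-bit PEB sits at the usual 7EFDE000 is PEB+8, the ImageBaseAddress field that a hollowing loader overwrites before resuming the main thread. The Yara hits on 2.2.svchost.exe.400000 in the following sections confirm that the FormBook payload ran inside that process. A caveat on the rest of the section: the string dump containing "AutoIt v3 GUI" and the key-name table (SHIFTDOWN, ALTUP, LWIN and so on) show the parent is a compiled AutoIt script, so BlockInput, mouse_event, keybd_event, LogonUserW, the DACL-editing routine and the socket/bind/listen functions are AutoIt runtime built-ins present in every compiled AutoIt binary; they describe the interpreter's capabilities, not what this script does. Added example, not from the report or from Joe Sandbox: a parser over report lines that correlates the three stages per target process; the sample lines are constructed copies in the report's shape, and the PEB address test is a heuristic that assumes Windows 7-era 32-bit PEB placement.

```python
import re

# Constructed sample: the three injection lines in the shape of the report above.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Proforma Invoice_pdf.exe"',
    r"Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 7EFDE008",
]

# Image path without spaces is assumed for the created-process line.
CREATED_RE = re.compile(r'^Source: (?P<src>.+?) Process created: (?P<image>\S+) "(?P<cmd>[^"]*)"')
SECTION_RE = re.compile(r"^Source: (?P<src>.+?) Section loaded: \S+ target: (?P<target>.+?) protection: (?P<prot>.+)$")
WRITE_RE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)$")

PEB32_IMAGEBASE_OFFSET = 0x8     # PEB32.ImageBaseAddress

STAGE_CREATED = "created-with-foreign-cmdline"
STAGE_RWX = "rwx-section-mapped"
STAGE_PEB = "peb-imagebase-overwritten"
HOLLOWING = {STAGE_CREATED, STAGE_RWX, STAGE_PEB}


def looks_like_peb_imagebase(addr: int) -> bool:
    """Heuristic (assumption): 32-bit PEBs on Windows 7-era hosts live in the
    0x7EFDxxxx (WOW64) or 0x7FFDxxxx range; a write at page offset 8 there
    targets ImageBaseAddress."""
    return (addr & 0xFFF) == PEB32_IMAGEBASE_OFFSET and (addr >> 16) in (0x7EFD, 0x7FFD)


def injection_stages(lines):
    """Map each target process to the set of hollowing stages seen for it."""
    stages = {}
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            image, cmd = m.group("image"), m.group("cmd")
            seen = stages.setdefault(image, set())
            # argv[0] names a different file than the image actually started:
            # CreateProcess(lpApplicationName=victim, lpCommandLine=own path).
            if image.lower() != cmd.lower():
                seen.add(STAGE_CREATED)
            continue
        m = SECTION_RE.match(line)
        if m:
            prot = m.group("prot")
            if "execute" in prot and "write" in prot:
                stages.setdefault(m.group("target"), set()).add(STAGE_RWX)
            continue
        m = WRITE_RE.match(line)
        if m:
            seen = stages.setdefault(m.group("target"), set())
            if looks_like_peb_imagebase(int(m.group("base"), 16)):
                seen.add(STAGE_PEB)
            else:
                seen.add("remote-write")
    return stages


def verdict(stages):
    """Name the chain when all three stages hit the same target."""
    return {target: ("process hollowing" if HOLLOWING <= seen else "partial injection evidence")
            for target, seen in stages.items()}


if __name__ == "__main__":
    for target, v in verdict(injection_stages(SAMPLE_LINES)).items():
        print(target, "->", v)
```

The same correlation is what an EDR rule would express as "RWX section mapped into a freshly created process plus a write to its PEB before the first thread resumes"; the sandbox lines just expose each step separately.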

Stealing of Sensitive Information

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.389879638.00000000000F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.389902818.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Proforma Invoice_pdf.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: Proforma Invoice_pdf.exe Binary or memory string: WIN_XP
Source: Proforma Invoice_pdf.exe Binary or memory string: WIN_XPe
Source: Proforma Invoice_pdf.exe Binary or memory string: WIN_VISTA
Source: Proforma Invoice_pdf.exe Binary or memory string: WIN_7

Remote Access Functionality

Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.389879638.00000000000F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.389902818.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004741BB
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket, 0_2_0046483C
Source: C:\Users\user\Desktop\Proforma Invoice_pdf.exe Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject, 0_2_0047AD92
No contacted IP information