Edit tour
Windows
Analysis Report
New PO 796512.exe
Overview
General Information
| Sample name: | New PO 796512.exe |
| Analysis ID: | 1560297 |
| MD5: | 223b42adc2e6eeb342664ffa633c3a6a |
| SHA1: | 00612d9ce02cde93cd73eebcbee0deece4da3f8f |
| SHA256: | 68c3605100b20d0e04a069565f5ce7f6f55b7546f52dcf22328e3a321637e361 |
| Tags: | exeuser-threatcat_ch |
| Infos: |   |
 | |
Detection
FormBook
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match
Classification
- System is w10x64
New PO 796512.exe (PID: 4072 cmdline: "C:\Users\ user\Deskt op\New PO 796512.exe " MD5: 223B42ADC2E6EEB342664FFA633C3A6A) 
cmd.exe (PID: 7484 cmdline: cmd /c REG ADD "HKCU \SOFTWARE\ Microsoft\ Windows\Cu rrentVersi on\Run" /V "New PO 7 96512" /t REG_SZ /F /D "C:\Use rs\user\Do cuments\Ne w PO 79651 2.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7492 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) 
reg.exe (PID: 7536 cmdline: REG ADD "H KCU\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Run" /V "New P O 796512" /t REG_SZ /F /D "C:\ Users\user \Documents \New PO 79 6512.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - cmd.exe (PID: 7560 cmdline:
cmd /c Cop y "C:\User s\user\Des ktop\New P O 796512.e xe" "C:\Us ers\user\D ocuments\N ew PO 7965 12.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7568 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - New PO 796512.exe (PID: 7656 cmdline:
"C:\Users\ user\Deskt op\New PO 796512.exe " MD5: 223B42ADC2E6EEB342664FFA633C3A6A) 
explorer.exe (PID: 4056 cmdline: C:\Windows \Explorer. EXE MD5: 662F4F92FDE3557E86D110526BB578D5) - autoconv.exe (PID: 7712 cmdline:
"C:\Window s\SysWOW64 \autoconv. exe" MD5: A705C2ACED7DDB71AFB87C4ED384BED6) - msdt.exe (PID: 7736 cmdline:
"C:\Window s\SysWOW64 \msdt.exe" MD5: BAA4458E429E7C906560FE4541ADFCFB) - cmd.exe (PID: 7808 cmdline:
/c del "C: \Users\use r\Desktop\ New PO 796 512.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7816 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - New PO 796512.pif (PID: 7872 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if" MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - cmd.exe (PID: 8032 cmdline:
cmd /c REG ADD "HKCU \SOFTWARE\ Microsoft\ Windows\Cu rrentVersi on\Run" /V "New PO 7 96512.pif" /t REG_SZ /F /D "C: \Users\use r\Document s\New PO 7 96512.pif. pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 8040 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 8080 cmdline:
REG ADD "H KCU\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Run" /V "New P O 796512.p if" /t REG _SZ /F /D "C:\Users\ user\Docum ents\New P O 796512.p if.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - cmd.exe (PID: 8116 cmdline:
cmd /c Cop y "C:\User s\user\Doc uments\New PO 796512 .pif" "C:\ Users\user \Documents \New PO 79 6512.pif.p if" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 8124 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - New PO 796512.pif (PID: 8176 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if" MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - New PO 796512.pif (PID: 8188 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if" MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - New PO 796512.pif (PID: 5980 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if" MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - cmd.exe (PID: 7544 cmdline:
cmd /c REG ADD "HKCU \SOFTWARE\ Microsoft\ Windows\Cu rrentVersi on\Run" /V "New PO 7 96512.pif" /t REG_SZ /F /D "C: \Users\use r\Document s\New PO 7 96512.pif. pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7536 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 7448 cmdline:
REG ADD "H KCU\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Run" /V "New P O 796512.p if" /t REG _SZ /F /D "C:\Users\ user\Docum ents\New P O 796512.p if.pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - cmd.exe (PID: 7612 cmdline:
cmd /c Cop y "C:\User s\user\Doc uments\New PO 796512 .pif" "C:\ Users\user \Documents \New PO 79 6512.pif.p if" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7564 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - New PO 796512.pif (PID: 2936 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if" MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - New PO 796512.pif (PID: 7104 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if" MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - cmd.exe (PID: 4048 cmdline:
"C:\Window s\SysWOW64 \cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - New PO 796512.pif.pif (PID: 5060 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if.pif" MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - cmd.exe (PID: 576 cmdline:
cmd /c REG ADD "HKCU \SOFTWARE\ Microsoft\ Windows\Cu rrentVersi on\Run" /V "New PO 7 96512.pif. pif" /t RE G_SZ /F /D "C:\Users \user\Docu ments\New PO 796512. pif.pif.pi f" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 744 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 1156 cmdline:
REG ADD "H KCU\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Run" /V "New P O 796512.p if.pif" /t REG_SZ /F /D "C:\Us ers\user\D ocuments\N ew PO 7965 12.pif.pif .pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - cmd.exe (PID: 1624 cmdline:
cmd /c Cop y "C:\User s\user\Doc uments\New PO 796512 .pif.pif" "C:\Users\ user\Docum ents\New P O 796512.p if.pif.pif " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 1504 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - New PO 796512.pif.pif (PID: 2040 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if.pif" MD5: 223B42ADC2E6EEB342664FFA633C3A6A) 
msiexec.exe (PID: 6700 cmdline: "C:\Window s\SysWOW64 \msiexec.e xe" MD5: 9D09DC1EDA745A5F87553048E57620CF) - cmd.exe (PID: 1860 cmdline:
"C:\Window s\SysWOW64 \cmd.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - New PO 796512.pif.pif (PID: 1964 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if.pif" MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - cmd.exe (PID: 4260 cmdline:
cmd /c REG ADD "HKCU \SOFTWARE\ Microsoft\ Windows\Cu rrentVersi on\Run" /V "New PO 7 96512.pif. pif" /t RE G_SZ /F /D "C:\Users \user\Docu ments\New PO 796512. pif.pif.pi f" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 3312 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 3084 cmdline:
REG ADD "H KCU\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Run" /V "New P O 796512.p if.pif" /t REG_SZ /F /D "C:\Us ers\user\D ocuments\N ew PO 7965 12.pif.pif .pif" MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - cmd.exe (PID: 5992 cmdline:
cmd /c Cop y "C:\User s\user\Doc uments\New PO 796512 .pif.pif" "C:\Users\ user\Docum ents\New P O 796512.p if.pif.pif " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 4900 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - New PO 796512.pif.pif (PID: 7828 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if.pif" MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - New PO 796512.pif.pif (PID: 7820 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if.pif" MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - New PO 796512.pif.pif.pif (PID: 6208 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if.pif.pif " MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - cmd.exe (PID: 5144 cmdline:
cmd /c REG ADD "HKCU \SOFTWARE\ Microsoft\ Windows\Cu rrentVersi on\Run" /V "New PO 7 96512.pif. pif.pif" / t REG_SZ / F /D "C:\U sers\user\ Documents\ New PO 796 512.pif.pi f.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 5392 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 7972 cmdline:
REG ADD "H KCU\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Run" /V "New P O 796512.p if.pif.pif " /t REG_S Z /F /D "C :\Users\us er\Documen ts\New PO 796512.pif .pif.pif.p if" MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - cmd.exe (PID: 8012 cmdline:
cmd /c Cop y "C:\User s\user\Doc uments\New PO 796512 .pif.pif.p if" "C:\Us ers\user\D ocuments\N ew PO 7965 12.pif.pif .pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7900 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - New PO 796512.pif.pif.pif (PID: 8060 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if.pif.pif " MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - New PO 796512.pif.pif.pif (PID: 8040 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if.pif.pif " MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - New PO 796512.pif.pif.pif (PID: 8100 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if.pif.pif " MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - msdt.exe (PID: 7852 cmdline:
"C:\Window s\SysWOW64 \msdt.exe" MD5: BAA4458E429E7C906560FE4541ADFCFB) - mstsc.exe (PID: 8120 cmdline:
"C:\Window s\SysWOW64 \mstsc.exe " MD5: EA4A02BE14C405327EEBA8D9AD2BD42C) - New PO 796512.pif.pif.pif (PID: 8116 cmdline:
"C:\Users\ user\Docum ents\New P O 796512.p if.pif.pif " MD5: 223B42ADC2E6EEB342664FFA633C3A6A) - cmd.exe (PID: 2436 cmdline:
cmd /c REG ADD "HKCU \SOFTWARE\ Microsoft\ Windows\Cu rrentVersi on\Run" /V "New PO 7 96512.pif. pif.pif" / t REG_SZ / F /D "C:\U sers\user\ Documents\ New PO 796 512.pif.pi f.pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7040 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - reg.exe (PID: 2312 cmdline:
REG ADD "H KCU\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Run" /V "New P O 796512.p if.pif.pif " /t REG_S Z /F /D "C :\Users\us er\Documen ts\New PO 796512.pif .pif.pif.p if" MD5: CDD462E86EC0F20DE2A1D781928B1B0C) - cmd.exe (PID: 1368 cmdline:
cmd /c Cop y "C:\User s\user\Doc uments\New PO 796512 .pif.pif.p if" "C:\Us ers\user\D ocuments\N ew PO 7965 12.pif.pif .pif.pif" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B) - conhost.exe (PID: 7888 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - Conhost.exe (PID: 7484 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cleanup
| Name | Description | Attribution | Blogpost URLs | Link |
|---|---|---|---|---|
| Formbook, Formbo | FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware. |
{"C2 list": ["www.hronika.fun/o62s/"], "decoy": ["lectrobay.shop", "enisehirarnavutkoy.xyz", "itoolz.net", "otorcycle-loans-40378.bond", "opjobsinusa.today", "uara228j.shop", "ukulbagus10.click", "enhealth07.shop", "cpoker.pro", "ome-remodeling-16949.bond", "andu.shop", "hubbychicocharmqs.shop", "onghi292.top", "ussines-web-creators.net", "alenspencer.online", "ryptogigt.top", "epiyiisigorta.online", "ental-implants-77717.bond", "juta.click", "enisehirevleriarnavutkoy.xyz", "pertforces.store", "kdse.boutique", "uccessfulproduct.shop", "newrist.online", "2045.pictures", "epid.dev", "oxo.net", "utivme.info", "arehouse-inventory-65114.bond", "axiquynhongiare.asia", "etooclaim.store", "heterraceongregory.store", "orldwise-admission.online", "outenbox.shop", "kipoxz.xyz", "iperliteratura.online", "hoccyboxy.dev", "iicf72105.vip", "regnancy-10606.bond", "dambelardino.net", "oans-credits-55622.bond", "zprintbox.store", "3sejzs3.sbs", "fi-group.world", "iveworks.xyz", "gtg.store", "4mn.info", "aliente.kaufen", "ottostar.motorcycles", "oker99-ms.christmas", "p595.top", "artmartuqsa.shop", "infundcadastro.site", "merp.link", "irclemedia.shop", "ind.expert", "mitrywedkam.online", "opcharlottesydimby.shop", "mmamartin.info", "uikstudy.sbs", "estpro.group", "card.yachts", "mazoui.fun", "ooktonook.online"]}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Windows_Trojan_Formbook_772cc62d | unknown | unknown |
| |
| JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
| JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | ||
| Windows_Trojan_Formbook_1112e116 | unknown | unknown |
| |
| Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
| Click to see the 64 entries | ||||
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_FormBook | Yara detected FormBook | Joe Security | ||
| JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | ||
| Windows_Trojan_Formbook_1112e116 | unknown | unknown |
| |
| Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| |
| Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| |
| Click to see the 5 entries | ||||
System Summary |   |
|---|
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): | ||
| Source: | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: | ||
| Source: | Author: Max Altgelt (Nextron Systems): | ||
| Source: | Author: Florian Roth (Nextron Systems): | ||
⊘No Suricata rule has matched
Click to jump to signature section
Show All Signature Results
AV Detection | |
|---|
| Source: | Malware Configuration Extractor: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | ReversingLabs: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | File source: | ||
| Source: | Integrated Neural Analysis Model: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Joe Sandbox ML: | ||
| Source: | Static PE information: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | HTTPS traffic detected: | ||
| Source: | Static PE information: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||
| Source: | Binary string: | ||