Windows Analysis Report
CV_ Filipa Barbosa.exe

Overview

General Information

Sample name: CV_ Filipa Barbosa.exe
Analysis ID: 1560964
MD5: 09be6e97e16e41bf402daed8815e211f
SHA1: 292862ebb991525b36b1d53f552203f643223017
SHA256: eba45c69ff3acfbe273712b2a7e9b4d6c1c0b07e7b6dcaf31f4b28fcebeb9612

Detection

FormBook
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files

Classification

AV Detection

Source: CV_ Filipa Barbosa.exe ReversingLabs: Detection: 39%
Source: Yara match File source: 00000002.00000002.1452011802.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1452204848.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: CV_ Filipa Barbosa.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

E-Banking Fraud

Source: Yara match File source: 00000002.00000002.1452011802.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1452204848.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: CV_ Filipa Barbosa.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine Classification label: mal68.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe File created: C:\Users\user\AppData\Local\Temp\aut571.tmp
Source: CV_ Filipa Barbosa.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: CV_ Filipa Barbosa.exe ReversingLabs: Detection: 39%
Source: unknown Process created: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: ntmarta.dll
Source: CV_ Filipa Barbosa.exe Static file information: File size 1213952 > 1048576
Source: CV_ Filipa Barbosa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CV_ Filipa Barbosa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CV_ Filipa Barbosa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CV_ Filipa Barbosa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CV_ Filipa Barbosa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CV_ Filipa Barbosa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: CV_ Filipa Barbosa.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CV_ Filipa Barbosa.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CV_ Filipa Barbosa.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CV_ Filipa Barbosa.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CV_ Filipa Barbosa.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CV_ Filipa Barbosa.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe API/Special instruction interceptor: Address: 12F8044
Source: C:\Windows\SysWOW64\svchost.exe TID: 6764 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 27D8008
Source: C:\Users\user\Desktop\CV_ Filipa Barbosa.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\CV_ Filipa Barbosa.exe"

Stealing of Sensitive Information

Source: Yara match File source: 00000002.00000002.1452011802.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1452204848.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000002.00000002.1452011802.0000000000401000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1452204848.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos