Report - taroch.exe

Formbook PE32 PE File
Created 2021.07.29 10:11 Machine s1_win7_x6401
Filename taroch.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score 5
Behavior Score 7.8
ZERO API file : malware
VT API (file) 32 detected (AIDetect, malware2, malicious, high confidence, GenericKD, Artemis, Save, Eldorado, Attribute, HighConfidence, Kryptik, HLWA, Androm, Fareit, Auto, S + Troj, UMal, oeivm@0, ZexaF, zuZ@aepX59em, Outbreak, kcloud, score, PWSX, R434634, BScope, Generic@ML, RDMK, 4Bn7+sAsjbeNzOsSO0dvKQ, Static AI, Suspicious PE, susgen, Behavior, confidence)
md5 4bd029fab2e1855b65f19af615d5af49
sha256 19bb2b0774e1638edbdcccc7e2fb936773727966acd3977137a8acfe0823266d
ssdeep 6144:cIlhYdWi2kzeShnkmmx87BQwmeOA1PWLC/W4iGrWMwDfv:p0dWrCeSVkmmx8Ntm8oCPrCHDfv
imphash 941705bb9de69d9f126b6b02b46cea7a
impfuzzy 24:YG3bTdBhsJo55XJwE2zLECw3ESx/hhRxtES5ACw0WSLkmaBqQFdAJQ4hkES/EUnG:YGrT/OJo/SEoLECuXlvRXES5ACw0WSYg

Signature (18cnts)

Level Description
danger File has been identified by 32 AntiVirus engines on VirusTotal as malicious
watch Harvests credentials from local email clients
watch Harvests credentials from local FTP client software
watch Harvests information related to installed instant messenger clients
watch Putty Files
watch Used NtSetContextThread to modify a thread in a remote process indicative of process injection
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Moves the original executable to a new location
notice Performs some HTTP requests
notice Sends data using the HTTP POST Method
notice Steals private information from local Internet browsers
info Checks amount of memory in system
info Collects information to fingerprint the system (MachineGuid
info Queries for the computername
info The executable uses a known packer
info Tries to locate where the browsers are installed

Rules (3cnts)

Level Name Description Collection
danger Win_Trojan_Formbook_Zero Used Formbook binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (3cnts)

Request CC ASN Co IP4 Rule ZERO
http://arku.xyz/tkrr/T1/w2/fre.php US CLOUDFLARENET 104.21.30.161 clean
arku.xyz US CLOUDFLARENET 172.67.173.58 clean
104.21.30.161 US CLOUDFLARENET 104.21.30.161 clean
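The three network indicators above are the actionable output of this report. The following script is an added example (not part of the report or the sandbox) that matches proxy log lines against them. The log lines are constructed for illustration; the indicators are the domain, URI path and IPs listed above. It also encodes the caveat a responder needs: both addresses belong to CLOUDFLARENET and are shared by many unrelated sites, so an IP-only hit is weak evidence, while host plus the exact URI path is the high-confidence match.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the report's Network section.
IOC_HOSTS = {"arku.xyz"}
IOC_PATHS = {"/tkrr/T1/w2/fre.php"}
# Cloudflare anycast addresses: shared infrastructure, weak signal on their own.
IOC_SHARED_IPS = {"104.21.30.161", "172.67.173.58"}

# Constructed sample log in a "timestamp method url dst_ip status" format.
SAMPLE_LOG = """\
1627553460 POST http://arku.xyz/tkrr/T1/w2/fre.php 104.21.30.161 200
1627553461 GET http://ARKU.XYZ/tkrr/T1/w2/ 172.67.173.58 200
1627553470 GET https://example.org/static/app.js 104.21.30.161 200
1627553480 POST http://other.example/tkrr/T1/w2/fre.php 198.51.100.7 200
1627553490 GET http://www.example.com/ 203.0.113.9 304
"""

LOG_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def classify(line):
    """Return (confidence, reasons) for one log line, or None if it does not
    parse.  Confidence is 'high', 'medium', 'low' or 'none'."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    _ts, _method, url, dst_ip, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname is case-insensitive
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("host")
    if parts.path in IOC_PATHS:
        reasons.append("path")
    if dst_ip in IOC_SHARED_IPS:
        reasons.append("shared_ip")
    if "host" in reasons and "path" in reasons:
        conf = "high"        # C2 host and the exact check-in path
    elif "host" in reasons or "path" in reasons:
        conf = "medium"      # one specific indicator, worth a look
    elif "shared_ip" in reasons:
        conf = "low"         # only a shared CDN address: do not block on this
    else:
        conf = "none"
    return conf, reasons


def scan(log):
    """All lines that hit at least one indicator: (url, confidence, reasons)."""
    hits = []
    for line in log.splitlines():
        res = classify(line)
        if res and res[0] != "none":
            hits.append((line.split()[2], res[0], res[1]))
    return hits


if __name__ == "__main__":
    for url, conf, why in scan(SAMPLE_LOG):
        print(f"{conf:6} {','.join(why):22} {url}")
```

Run against real proxy or Zeek http logs, adapt LOG_LINE to the field order in use; the scoring stays the same. A hunt should pivot on the host and path, and treat the IPs only as corroboration.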

Suricata ids

PE API

IAT(Import Address Table) Library

MSVCRT.dll
 0x40702c __setusermatherr
 0x407030 _adjust_fdiv
 0x407034 __p__commode
 0x407038 __p__fmode
 0x40703c _initterm
 0x407040 _except_handler3
 0x407044 __wgetmainargs
 0x407048 _controlfp
 0x40704c __dllonexit
 0x407050 _onexit
 0x407054 _wcmdln
 0x407058 exit
 0x40705c _XcptFilter
 0x407060 _exit
 0x407064 strncpy
 0x407068 atoi
 0x40706c isdigit
 0x407070 strncmp
 0x407074 __set_app_type
 0x407078 memset
 0x40707c _itoa
KERNEL32.dll
 0x407010 VirtualProtect
 0x407014 CreateThread
 0x407018 Sleep
 0x40701c TerminateThread
 0x407020 GetModuleHandleW
 0x407024 GetStartupInfoW
USER32.dll
 0x407084 EnableWindow
 0x407088 SetForegroundWindow
 0x40708c GetWindowRect
 0x407090 GetWindowTextA
 0x407094 MessageBoxA
 0x407098 CreateWindowExW
 0x40709c SendMessageW
 0x4070a0 SetActiveWindow
 0x4070a4 GetWindow
 0x4070a8 SendMessageA
 0x4070ac BeginPaint
 0x4070b0 EndPaint
 0x4070b4 SetWindowTextA
 0x4070b8 FillRect
 0x4070bc RegisterClassW
 0x4070c0 LoadIconW
 0x4070c4 SetMenu
 0x4070c8 CreateMenu
 0x4070cc AppendMenuW
 0x4070d0 GetMessageW
 0x4070d4 TranslateMessage
 0x4070d8 DispatchMessageW
 0x4070dc GrayStringA
 0x4070e0 GetDC
 0x4070e4 UpdateWindow
 0x4070e8 GetWindowTextLengthA
 0x4070ec DestroyWindow
 0x4070f0 CreateWindowExA
 0x4070f4 PostQuitMessage
 0x4070f8 DefWindowProcW
 0x4070fc MessageBoxW
GDI32.dll
 0x407000 GetStockObject
 0x407004 SetBkMode
 0x407008 SetDCPenColor
WS2_32.dll
 0x407104 closesocket
 0x407108 connect
 0x40710c htons
 0x407110 recv
 0x407114 send
 0x407118 socket
 0x40711c gethostbyname
 0x407120 WSAStartup
 0x407124 WSACleanup
 0x407128 select

EAT (Export Address Table): none
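The import table above is small and looks like an ordinary Win32 GUI program: no WinINet or WinHTTP, no WriteProcessMemory, no NtSetContextThread, even though the sandbox signatures report process injection, RWX allocation and HTTP POSTs. The script below is an added example (not part of the report) that parses the report's own IAT listing, rebuilds the string pefile hashes for the imphash, and lists which observed behaviours no static import can account for. The listing embedded in the code is an excerpt of the one above (KERNEL32, GDI32 and WS2_32 complete, MSVCRT and USER32 trimmed), so the hash it prints is not the report's imphash; in addition, the report does not show the on-disk order of the import descriptors, so the DLL ordering by IAT address is an assumption.

```python
import hashlib
import re

# Excerpt of the report's IAT listing (MSVCRT and USER32 trimmed).
IAT_EXCERPT = """\
MSVCRT.dll
 0x40702c __setusermatherr
 0x407064 strncpy
KERNEL32.dll
 0x407010 VirtualProtect
 0x407014 CreateThread
 0x407018 Sleep
 0x40701c TerminateThread
 0x407020 GetModuleHandleW
 0x407024 GetStartupInfoW
USER32.dll
 0x407084 EnableWindow
 0x4070f8 DefWindowProcW
GDI32.dll
 0x407000 GetStockObject
 0x407004 SetBkMode
 0x407008 SetDCPenColor
WS2_32.dll
 0x407104 closesocket
 0x407108 connect
 0x40710c htons
 0x407110 recv
 0x407114 send
 0x407118 socket
 0x40711c gethostbyname
 0x407120 WSAStartup
 0x407124 WSACleanup
 0x407128 select
"""

DLL_LINE = re.compile(r"^(\S+\.(?:dll|ocx|sys))$", re.IGNORECASE)
ENTRY_LINE = re.compile(r"^\s+(0x[0-9a-fA-F]+)\s+(\S+)$")

def parse_iat(listing):
    """Return {dll: [(iat_address, function_name), ...]} in listing order."""
    imports, current = {}, None
    for line in listing.splitlines():
        if not line.strip():
            continue
        m = DLL_LINE.match(line)
        if m:
            current = m.group(1)
            imports.setdefault(current, [])
            continue
        m = ENTRY_LINE.match(line)
        if m and current is not None:
            imports[current].append((int(m.group(1), 16), m.group(2)))
    return imports

def imphash_string(imports):
    """The string pefile hashes: 'dll.func' per import, lowercased, extension
    stripped, comma-joined, in import-directory order.  ASSUMPTION: DLLs are
    ordered by their lowest IAT address because the report does not show the
    descriptor order; functions within a DLL follow IAT (thunk) order."""
    ordered = sorted(imports.items(),
                     key=lambda kv: min((a for a, _ in kv[1]), default=0))
    parts = []
    for dll, entries in ordered:
        base = re.sub(r"\.(dll|ocx|sys)$", "", dll, flags=re.IGNORECASE).lower()
        parts.extend(f"{base}.{func.lower()}" for _, func in sorted(entries))
    return ",".join(parts)

def imphash(imports):
    """MD5 of the import string (pefile's imphash algorithm)."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()

# For each sandbox behaviour, the static imports that could produce it.
EXPLAINS = {
    "process_injection": {"NtSetContextThread", "SetThreadContext", "WriteProcessMemory",
                          "VirtualAllocEx", "CreateRemoteThread", "NtUnmapViewOfSection"},
    "rwx_memory": {"VirtualAlloc", "VirtualAllocEx", "VirtualProtect",
                   "NtAllocateVirtualMemory", "NtProtectVirtualMemory"},
    # hand-rolled HTTP over raw Winsock counts as well as WinINet/WinHTTP
    "http_post": {"HttpSendRequestA", "HttpSendRequestW", "WinHttpSendRequest",
                  "connect", "send"},
}

def unexplained(imports, observed):
    """Behaviours seen at runtime that no static import accounts for: the code
    doing them was unpacked or injected and resolves its APIs dynamically."""
    names = {func for entries in imports.values() for _, func in entries}
    return [b for b in observed if not names & EXPLAINS.get(b, set())]

if __name__ == "__main__":
    imps = parse_iat(IAT_EXCERPT)
    print("imphash over excerpt:", imphash(imps))
    print("unexplained by imports:",
          unexplained(imps, ["process_injection", "rwx_memory", "http_post"]))
```

VirtualProtect accounts for the RWX allocation (unpacking in place) and the WS2_32 functions could carry a hand-rolled HTTP POST, but nothing in the IAT explains NtSetContextThread-based injection: that API is resolved at runtime by the unpacked payload, which is why a signature or hunt built on this binary's imports alone would miss the Formbook stage.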



Similarity measure (PE file only): no result, the similarity service failed while checking this file