popup

Report - dow-0.exe

Formbook PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.17 09:59 Machine s1_win7_x6402
Filename dow-0.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
9
 Behavior Score
5.0
ZERO API file : malware
VT API (file) 43 detected (AIDetect, malware1, malicious, high confidence, Siggen9, Razy, GenericRXLS, Unsafe, Save, confidence, 100%, Formbook, Eldorado, Convagent, ccmw, A + Troj, ZPACK, score, R369478, BScope, TrojanPSW, ai score=82, Generic@ML, RDML, 1owSDJhIdG8QlPsJQPfmIA, Static AI, Malicious PE, susgen, GenKryptik, AYEB, QVM20)
md5 53d55c75030ff7d58afd45080fa00dd2
sha256 0a27390d4913479f0929cd8ae68ca7f1e7f5c48139e3552677cc19a27d42a935
ssdeep 3072:yyBcst6tZJAxgC2oWNd336/Ktt0OWNXRJfUqZhEktnS1AVL+Q:yJrjloWfnMKtCOWNXRq8znSm8Q
imphash
impfuzzy 3::
  Network IP location

Signature (10cnts)

Level Description
danger File has been identified by 43 AntiVirus engines on VirusTotal as malicious
watch One or more non-whitelisted processes were created
notice A process created a hidden window
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice Drops an executable to the user AppData folder
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer
notice Uses Windows utilities for basic Windows functionality

Rules (6cnts)

Level Name Description Collection
danger Win_Trojan_Formbook_Zero Used Formbook binaries (download)
danger Win_Trojan_Formbook_Zero Used Formbook binaries (upload)
info IsPE32 (no description) binaries (download)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (download)
info PE_Header_Zero PE File Signature binaries (upload)

Network (35cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.zwq.xyz/wufn/?kDHl=XjXBhjUVI334M/Uwl7gvZZ0GeOD10IACqOCIbULeYHXWrIpOZW21ZlaOwQdpB6LWbxxYrGle&KtxD=PnCTGx9Pf
whois
CN West263 International Limited 103.139.0.32 3226 mailcious
http://www.gaigoilaocai.com/wufn/?kDHl=+cvcaH9t4IGOvfSH2s/pGQCzCoMlKLNX9S4pg+CdqO+ehvTRSw4m6C0WiIEOYf+cYXNRRXby&KtxD=PnCTGx9Pf
whois
US CLOUDFLARENET 172.67.187.204 2912 mailcious
http://www.iqpt.info/wufn/?kDHl=hrdaP+EsGTITsCagZnHefT6Bmc518UuvQeiOjF2tcIDpZFKKlutoy9+nHdETp4OhFNJGJnoo&KtxD=PnCTGx9Pf
whois
US GOOGLE-PRIVATE-CLOUD 67.199.248.13 2910 mailcious
http://www.solanohomebuyerclass.com/wufn/?kDHl=+zzRrn2LuczUop/Cd/o3ZSAnv7QTnqViuhwHS4/CIqz6rF5318dL6hgqnxmK9Gf+t0N7z3vJ&KtxD=PnCTGx9Pf
whois
SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
http://www.mimortgageexpert.com/wufn/?kDHl=dH6MS4iXfwK5vVCsjjY0pJ1yp3fpUyK5ZhheQrTomEU+/cdclqzrfoafLlR5qbdrvg8w2+Rd&KtxD=PnCTGx9Pf
whois
US AMAZON-AES 100.24.208.97 2911 mailcious
http://www.recipesdunnright.com/wufn/?kDHl=SehEse1yNcuBWox84Asm4eELW9pHyFfqJvW7VO2nDRTT0VQDXxZnF10XUkI9sb+IBYeHWwT5&KtxD=PnCTGx9Pf
whois
US CLOUDFLARENET 66.235.200.147 clean
http://www.talleresmulticar.com/wufn/?kDHl=Zc0zQFnrMcwVTscPp4D3wnK22drhHRSNJ7F8xfTSBTL6y4OaZRoxz+uo8RGanShoJ1lpBNes&KtxD=PnCTGx9Pf
whois
NL GOOGLE-2 35.214.181.99 clean
http://www.setadragon.com/wufn/?kDHl=p6EPLUx6SmQWyT0aKUYWey1/moK0HCihbvuUxAKosV5aIj7OYHg92cDuRvb6vmm9eY3daRqd&KtxD=PnCTGx9Pf
whois
US CONFLUENCE-NETWORK-INC 209.99.40.222 3486 mailcious
http://www.rootmoover.com/wufn/?kDHl=jUqWC+wM+s2Yehearj52syV+yALdMbb6PeN2CvBJSFCwW1HLktm3ATZosqzbiXJTH9I2JiE2&KtxD=PnCTGx9Pf
whois
CA CLOUDFLARENET 23.227.38.74 3570 mailcious
http://www.hk6628.com/wufn/?kDHl=Mbz3eb2htBuwJm9my9qYpH4UWvi7L1jn54VVewVZerqVccc7GhECZ0+c8NYoPjvN/okzts0t&KtxD=PnCTGx9Pf
whois
US GOOGLE 34.102.136.180 2909 mailcious
www.hsicclassactionsettlement.com
whois
Unknown mailcious
www.sctsmney.com
whois
Unknown mailcious
www.solanohomebuyerclass.com
whois
SG AS-26496-GO-DADDY-COM-LLC 182.50.132.242 clean
www.mimortgageexpert.com
whois
US AMAZON-AES 100.24.208.97 clean
www.hk6628.com
whois
US GOOGLE 34.102.136.180 clean
www.qq4004.com
whois
Unknown mailcious
www.recipesdunnright.com
whois
US CLOUDFLARENET 66.235.200.147 clean
www.iqpt.info
whois
US GOOGLE-PRIVATE-CLOUD 67.199.248.13 clean
www.organicdiscover.com
whois
Unknown clean
www.setadragon.com
whois
US CONFLUENCE-NETWORK-INC 209.99.40.222 clean
www.gaigoilaocai.com
whois
US CLOUDFLARENET 172.67.187.204 clean
www.kyg-cpa.com
whois
Unknown mailcious
www.rootmoover.com
whois
CA CLOUDFLARENET 23.227.38.74 clean
www.talleresmulticar.com
whois
NL GOOGLE-2 35.214.181.99 clean
www.zwq.xyz
whois
CN West263 International Limited 103.139.0.32 clean
103.139.0.32
whois
CN West263 International Limited 103.139.0.32 mailcious
66.235.200.147
whois
US CLOUDFLARENET 66.235.200.147 phishing
35.214.181.99
whois
NL GOOGLE-2 35.214.181.99 clean
209.99.40.222
whois
US CONFLUENCE-NETWORK-INC 209.99.40.222 mailcious
34.102.136.180
whois
US GOOGLE 34.102.136.180 mailcious
35.172.94.1
whois
US AMAZON-AES 35.172.94.1 phishing
198.71.232.3
whois
US AS-26496-GO-DADDY-COM-LLC 198.71.232.3 mailcious
172.67.187.204
whois
US CLOUDFLARENET 172.67.187.204 mailcious
23.227.38.74
whois
CA CLOUDFLARENET 23.227.38.74 mailcious
67.199.248.13
whois
US GOOGLE-PRIVATE-CLOUD 67.199.248.13 mailcious

Suricata ids

ET MALWARE FormBook CnC Checkin (GET)
ET HUNTING Request to .XYZ Domain with Minimal Headers

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure