Report - justin.exe

Formbook PE File PE32

ScreenShot

Info
Location map


Created	2021.08.21 09:15	Machine	s1_win7_x6402
Filename	justin.exe
Type	PE32 executable (GUI) Intel 80386, for MS Windows
AI Score	9	Behavior Score	3.2
ZERO API	file : malware
VT API (file)	49 detected (AIDetect, malware1, Noon, malicious, high confidence, Razy, Unsafe, Formbook, confidence, 100%, Eldorado, ccmw, Wrhe, A + Troj, Siggen9, VirRansom, ZPACK, kcloud, score, GenericRXCD, ai score=84, BScope, TrojanPSW, CLASSIC, Static AI, Malicious PE, susgen)
md5	6d7edf1f66a4d43e76d1e47f400f97d0
sha256	af0e9136ff8915ef261cd9068ddb08262cf0d034c52776854169f9f75ec13227
ssdeep	3072:KAkCv/Z8iADCn4YAkm5d8LFyLRG33MUI8k6iQxnsfFKt6n4Hx:7kFiuYJm5mLkL43lf00nnK4x
imphash
impfuzzy	3::

Network IP location

Signature (6cnts)

Level	Description
danger	File has been identified by 49 AntiVirus engines on VirusTotal as malicious
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	Performs some HTTP requests
notice	The binary likely contains encrypted or compressed data indicative of a packer

Rules (3cnts)

Level	Name	Description	Collection
danger	Win_Trojan_Formbook_Zero	Used Formbook	binaries (upload)
info	IsPE32	(no description)	binaries (upload)
info	PE_Header_Zero	PE File Signature	binaries (upload)

Network (11cnts) ?

Request	CC	ASN Co	IP4	Rule ?	ZERO ?
http://www.ujenzihypermarket.com/glgd/?alF=KhhcN9s7gbbF0deJVEzP4Fr+CUF5+jhuG5G/YStQzUimyA5hxfgIe5MXcBKjjQi+4esf+xkO&Qzr=LlvxwrIp0zSd whois		Wildcard UK Limited	82.163.176.101		clean
http://www.sunflowerhybrid.com/glgd/?alF=hT+HcWgz9FEH+jyDEtB4UKrfm+OZpFXj/c8x97815zMY4Nb3Km6/aedgRXGlirVN41Axg2GW&Qzr=LlvxwrIp0zSd whois		GOOGLE	34.98.99.30		clean
http://www.danielsdonuteria.com/glgd/?alF=IpIqRkOeyywi3K8x4XdnqdH9Qx+aXhYHwHTGsqzrpTB78CdxIABDUEXezTmookMwz0BXydeD&Qzr=LlvxwrIp0zSd whois		CONFLUENCE-NETWORK-INC	209.99.40.222	4043	mailcious
www.sunflowerhybrid.com whois		GOOGLE	34.98.99.30		clean
www.bleacheater.com whois					clean
www.ujenzihypermarket.com whois		Wildcard UK Limited	82.163.176.101		clean
www.zxyoo.com whois					clean
www.danielsdonuteria.com whois		CONFLUENCE-NETWORK-INC	209.99.40.222		clean
82.163.176.101 whois		Wildcard UK Limited	82.163.176.101		malware
209.99.40.222 whois		CONFLUENCE-NETWORK-INC	209.99.40.222		mailcious
34.98.99.30 whois		GOOGLE	34.98.99.30		phishing

Suricata ids

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none

Similarity measure (PE file only) - Checking for service failure