popup

Report - r.exe

Formbook PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.23 19:09 Machine s1_win7_x6403
Filename r.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
10
 Behavior Score
4.0
ZERO API file : clean
VT API (file) 42 detected (AIDetect, malware1, malicious, high confidence, Razy, FormBook, Save, confidence, 100%, Eldorado, Noon, ccmw, Generic@ML, RDML, xeCJFy2NbGuVE+e7Bw, A + Troj, Siggen9, VirRansom, XPACK, Gen2, score, R431880, GenericRXLS, ai score=81, BScope, TrojanPSW, Unsafe, Static AI, Malicious PE, susgen, GenKryptik, AYEB, ZexaF, keX@aWMnjMe)
md5 305c02b6842f5b81a6fa7a2aab07b00e
sha256 47fda47985cd25b0810445d6e35b3007d3e56c8015ce7d000f850ba1c333ffa7
ssdeep 3072:6icBig6z0HHDfM4ocAF4mf4gjDKOO9HQ13WOwz4z412s7lw:6iFKLNoco5ggjeOO9w13XLz412s7O
imphash
impfuzzy 3::
  Network IP location

Signature (7cnts)

Level Description
danger File has been identified by 42 AntiVirus engines on VirusTotal as malicious
warning Generates some ICMP traffic
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (3cnts)

Level Name Description Collection
danger Win_Trojan_Formbook_Zero Used Formbook binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (39cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.writingleagues.com/n58i/?-Zlpd6I=Z6pcotGHuwup7vEJjItj1SMHlg1lI5Bof4K5Wxog5cvylXCYemKJNG9ltyRUngPfK9sxmYhZ&2d=lnxdA
whois
VG CONFLUENCE-NETWORK-INC 204.11.56.48 clean
http://www.grandrapidsvirtualboatshow.com/n58i/?-Zlpd6I=OS+vzmTsnmN10NeNgCtuygPzY9t4uWhaxu5Nv18Vn7M4GGCiu5ByynyiNgJ6krK/bHgQrClL&2d=lnxdA
whois
US GOOGLE 34.102.136.180 clean
http://www.science-laboratory.info/n58i/?-Zlpd6I=/nrcVLyNbZ8bYrDk6/UlbutTqsEUanwD8p6K9ytcogSviWuK5Nx4baFKDnT+NePORnTimWea&2d=lnxdA
whois
US CONFLUENCE-NETWORK-INC 209.99.40.222 clean
http://www.exdysis.com/n58i/?-Zlpd6I=ar/hIjdwXaCGf/zdCDkC4zsWp5P7JdaYWCx8Owc4v4wJnpGf9FeXfuCAHZspk67PmQf770IM&2d=lnxdA
whois
US GOOGLE 34.98.99.30 clean
http://www.mack3sleeve.com/n58i/?-Zlpd6I=qZci4eCxhQIq67bxmD8yxm5V81S+h6tSaZJP73tHPhAaZkJunDnOJhOERfLB6WVODJ1YcUPc&2d=lnxdA
whois
US GOOGLE 34.102.136.180 clean
http://www.fashionelixirs.com/n58i/?-Zlpd6I=2MarohCXJGtzO5KijtWpZ6tpmiifjax3IcswJvFbJYnD8s/zp8BDI56dCC/lebOR9voDqH90&2d=lnxdA
whois
US AS-26496-GO-DADDY-COM-LLC 184.168.131.241 clean
http://www.oldhousechicago.com/n58i/?-Zlpd6I=CK4+1XAVCoeZwyHbixU/1VMC/3ullPTgwlkVzkJuJ8wPuPx8xeqByV5EBcZtpXh2eT3NYNjS&2d=lnxdA
whois
US DEDIPATH-LLC 45.83.86.245 clean
http://www.stlcityc.com/n58i/?-Zlpd6I=uzwaBAU/pBgcbN1zupTtS4xKhn/JfyJ+hchnD3b71uo3p2+6HxfOIRQU6DCQj21baC8sD6fO&2d=lnxdA
whois
CN West263 International Limited 103.139.0.32 clean
http://www.5923599.com/n58i/?-Zlpd6I=WfKFfWUZkc85OmL1xKrDJMWuh4MURh0lzQfSoppYt54ugY1RFf52IxAuWjoc55Oi676SGeLg&2d=lnxdA
whois
US CNSERVERS 45.142.156.44 clean
http://www.nl-cafe.com/n58i/?-Zlpd6I=dWyvCTk6qzBk5tQTWdvNT7b5/8qdhAsQ/biP+tl913DTpQRW05YYrZEgjkVCG8NuIqrlrrLw&2d=lnxdA
whois
US ICIDC NETWORK 23.226.52.164 clean
http://www.verisignwebsite-verified.com/n58i/?-Zlpd6I=XTVW7Jo2gvRqiEaI/sIMQWbMhFkMtGnqkQB68uCXOe+MAHXwIzjfWh0i/TEE6wJi9coosj2z&2d=lnxdA
whois
US Simple Carrier LLC 185.196.8.122 clean
http://www.floortak.co.uk/n58i/?-Zlpd6I=pQmM9Y5t5dxvkFXQKfmWGEE0N5/IJF3moBqOslL4HJEdPUTnkZQuk/UltHUu3hWKDkbYR94e&2d=lnxdA
whois
GB Namesco Limited 85.233.160.22 clean
http://www.citysucces.com/n58i/?-Zlpd6I=KZIzYVxAQpcTYtobWmj1UPG5K5R9NnHuf0RrbShrXmsvVrVhxvmYdjAsOWtc/dkVV+rflXZO&2d=lnxdA
whois
US AS-26496-GO-DADDY-COM-LLC 184.168.131.241 clean
www.stlcityc.com
whois
CN West263 International Limited 103.139.0.32 clean
www.mack3sleeve.com
whois
US GOOGLE 34.102.136.180 clean
www.writingleagues.com
whois
VG CONFLUENCE-NETWORK-INC 204.11.56.48 clean
www.science-laboratory.info
whois
US CONFLUENCE-NETWORK-INC 209.99.40.222 clean
www.nl-cafe.com
whois
US ICIDC NETWORK 23.226.52.164 clean
www.grandrapidsvirtualboatshow.com
whois
US GOOGLE 34.102.136.180 clean
www.fashionelixirs.com
whois
US AS-26496-GO-DADDY-COM-LLC 184.168.131.241 clean
www.goddessruby.com
whois
Unknown clean
www.oldhousechicago.com
whois
US DEDIPATH-LLC 45.83.86.245 clean
www.rlxagva.com
whois
Unknown clean
www.5923599.com
whois
US CNSERVERS 45.142.156.44 clean
www.citysucces.com
whois
US AS-26496-GO-DADDY-COM-LLC 184.168.131.241 clean
www.verisignwebsite-verified.com
whois
US Simple Carrier LLC 185.196.8.122 clean
www.exdysis.com
whois
US GOOGLE 34.98.99.30 clean
www.floortak.co.uk
whois
GB Namesco Limited 85.233.160.22 clean
103.139.0.32
whois
CN West263 International Limited 103.139.0.32 mailcious
185.196.8.122
whois
US Simple Carrier LLC 185.196.8.122 phishing
184.168.131.241
whois
US AS-26496-GO-DADDY-COM-LLC 184.168.131.241 mailcious
23.226.52.164
whois
US ICIDC NETWORK 23.226.52.164 clean
209.99.40.222
whois
US CONFLUENCE-NETWORK-INC 209.99.40.222 mailcious
34.102.136.180
whois
US GOOGLE 34.102.136.180 mailcious
45.142.156.44
whois
US CNSERVERS 45.142.156.44 mailcious
85.233.160.22
whois
GB Namesco Limited 85.233.160.22 mailcious
45.83.86.245
whois
US DEDIPATH-LLC 45.83.86.245 clean
204.11.56.48
whois
VG CONFLUENCE-NETWORK-INC 204.11.56.48 phishing
34.98.99.30
whois
US GOOGLE 34.98.99.30 phishing

Suricata ids

ET MALWARE FormBook CnC Checkin (GET)

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure