popup

Report - bin.exe

Formbook PE File PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.28 16:10 Machine s1_win7_x6402
Filename bin.exe
Type PE32 executable (GUI) Intel 80386, for MS Windows
AI Score
9
 Behavior Score
3.2
ZERO API file : malware
VT API (file) 41 detected (AIDetect, malware1, malicious, high confidence, Razy, Unsafe, Save, confidence, 100%, Formbook, Eldorado, ccmw, Siggen9, A + Troj, Static AI, Malicious PE, ZPACK, score, GenericRXCD, ai score=88, BScope, TrojanPSW, CLASSIC)
md5 9f66d58c838608fdd0be51b576e7185d
sha256 c63cb761da677849b8382eb1d926569f00a04d57f2c789b63e7f2eb2e368a00c
ssdeep 3072:bBQxEozP3I7juU3cR6Sb26PK4UBepZLK/1Odv0F20p5qt1nfjboH1A:wzH6cYw2iKnBe/LK/1O9w5qLfn2
imphash
impfuzzy 3::
  Network IP location

Signature (6cnts)

Level Description
danger File has been identified by 41 AntiVirus engines on VirusTotal as malicious
notice Allocates read-write-execute memory (usually to unpack itself)
notice Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice Performs some HTTP requests
notice The binary likely contains encrypted or compressed data indicative of a packer

Rules (3cnts)

Level Name Description Collection
danger Win_Trojan_Formbook_Zero Used Formbook binaries (upload)
info IsPE32 (no description) binaries (upload)
info PE_Header_Zero PE File Signature binaries (upload)

Network (15cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
http://www.swoern.info/hp6s/?uTuD=4T5YGQUYHOUszNOY444hn7mmf6FrtM+AFTjOJC+Py6Ag/b5xU53y9DZCTZxlx39fr7jwKFEI&Kj6dY=ATxxQ4G
whois
JP GMO Internet,Inc 150.95.255.38 clean
http://www.rlgbsuilds.com/hp6s/?uTuD=Fw5YSRn6B6q7Vo6CTsfssUahdbXa4r2ZD7nmGGCHLkY8GDkOmUQxWePCsmLEOuwwrsL9h5YF&Kj6dY=ATxxQ4G
whois
US EGIHOSTING 166.88.19.181 clean
http://www.usedtowels.com/hp6s/?uTuD=LFde+ie6fWvOLN7PGF70NwTYUX7Jm/JyGjPm4XWrD0fHhgM6rcivN6x0AQjvoX504Y/z8KH4&Kj6dY=ATxxQ4G
whois
GB NATCOWEB 88.214.207.96 clean
http://www.digitalimmersioncg.com/hp6s/?uTuD=ecMUAiyMfvfWY8rzTadGuccx8GuXMB82GuQzWJgBWyxQ3c9DaRyVLVaaQhcCvX5nneSnIplK&Kj6dY=ATxxQ4G
whois
US CENTURYLINK-LEGACY-SAVVIS 192.252.151.20 clean
http://www.nsbeneae.com/hp6s/?uTuD=SHpD87a5Dg8Vmq/a7y609SjdXnsgQw3juNG92/8unMmD+3syTbnlJP5vOUTgSZV81y/Tfjod&Kj6dY=ATxxQ4G
whois
US DEFENSE-NET 209.17.116.163 clean
www.swoern.info
whois
JP GMO Internet,Inc 150.95.255.38 clean
www.usedtowels.com
whois
GB NATCOWEB 88.214.207.96 clean
www.nsbeneae.com
whois
US DEFENSE-NET 209.17.116.163 clean
www.digitalimmersioncg.com
whois
US CENTURYLINK-LEGACY-SAVVIS 192.252.151.20 clean
www.rlgbsuilds.com
whois
US EGIHOSTING 166.88.19.181 clean
209.17.116.163
whois
US DEFENSE-NET 209.17.116.163 mailcious
166.88.19.181
whois
US EGIHOSTING 166.88.19.181 clean
150.95.255.38
whois
JP GMO Internet,Inc 150.95.255.38 mailcious
192.252.151.20
whois
US CENTURYLINK-LEGACY-SAVVIS 192.252.151.20 clean
88.214.207.96
whois
GB NATCOWEB 88.214.207.96 mailcious

Suricata ids

ET MALWARE FormBook CnC Checkin (GET)

PE API

IAT(Import Address Table) is none

EAT(Export Address Table) is none


Similarity measure (PE file only) - Checking for service failure