{"id":1254,"date":"2024-09-22T10:07:59","date_gmt":"2024-09-22T10:07:59","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1254"},"modified":"2025-07-29T07:42:12","modified_gmt":"2025-07-29T07:42:12","slug":"analysis-of-malware-sample-proforma-invoice-2","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-malware-sample-proforma-invoice-2\/","title":{"rendered":"Analysis of Malware Sample \u2013 Proforma Invoice"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Version:1.0 StartHTML:000000270 EndHTML:000015702 StartFragment:000007053 EndFragment:000015634 StartSelection:000007053 EndSelection:000015630 SourceURL:https:\/\/www.lmntrix.com\/Lab\/Lab_info.php?id=9&url=Analysis%20of%20Malware%20Sample%20-%20Proforma%20Invoice LMNTRIX Labs LMNTRIX Labs<\/p>\n\n\n\n

Summary<\/strong>

This malware sample was found in a recent spear phishing attack on one of our client networks. The sample in question is a .net file and comes with the name \u2018Proforma Invoice\u2019. We are sharing it for the benefit of the community. <\/p>\n\n\n\n

File details <\/strong>

MD5    3ed79c9a988e427db39aa62e625a2116

SHA-1    85b0198ba27fa5b8e1d3625dbcd45776d64cd741

SHA-256    de30a5cc95453a372b717a632fc6c9ec0b101c2afa9ba5e472e95025fd227ddd

Size    929.5 KB (951808 bytes) 

Type    Win32 EXE

Magic    PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono\/.Net assembly

Detection ratio    37 \/ 57 

First submission    2016-09-23 07:41:57 UTC ( 5 months, 1 week ago )<\/p>\n\n\n\n

This malware is already present in Virus Total, having been initially submitted in September 2016.<\/p>\n\n\n\n

Characteristics and Behavior

\u2022    <\/strong>Sends PC main information to external server

\u2022    Injects code into other processes

\u2022    Common autorun registry key

\u2022    Access browser sensitive data: Mozilla SeaMonkey

\u2022    Access Mozilla Firefox security module

\u2022    Contains cryptographic functionality

\u2022    Access Opera passwords

\u2022    Steals Internet Explorer passwords

\u2022    Loads PE into other process memory

\u2022    Runs dropped executable

\u2022    Access Mozilla Firefox history

\u2022    Contains HTML page

\u2022    Access Mozilla Firefox passwords

\u2022    Access email client software sensitive data: Thunderbird

\u2022    Access email client software sensitive data: Windows Livemail

\u2022    Access email client software sensitive data: Outlook

\u2022    Access email client software sensitive data: IncrediMail

\u2022    Access email client software sensitive data: Eudora

\u2022    Access email client software sensitive data: Group Mail

\u2022    Access Mozilla Firefox certificates

\u2022    Access FTP software sensitive data: Filezilla

\u2022    Access instant messaging software sensitive data: Google Talk

\u2022    Access Mozilla Firefox file that stores the annotations, bookmarks, favorite icons, input history, keywords, and browsing history

\u2022    Access instant messaging software sensitive data: Paltalk

\u2022    Access instant messaging software sensitive data: Yahoo Pager

\u2022    Runs existing executable

\u2022    Suspicious delay

\u2022    Check user main folders path

\u2022    Drops .EXE file

\u2022    Access Windows sensitive data: Windows Profiles information

\u2022    EntryPoint points inside a writable section

\u2022    Gathers system main data (MachineGuid, ComputerName, SystemBiosVersion …)

\u2022    Loads PE into its own memory<\/p>\n\n\n\n

Process, Registry, Network Activities<\/strong>

%appdata%\\sapp.exe

This created sample is a duplicate of an original file \u2013 it also created an autostart entry for this file to keep persistence. 

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run “Application”

        Type: REG_SZ

        Data: C:\\Documents and Settings\\user\\Application Data\\sapp.exe

We noticed that sample creates a new process called Regasm.exe, which is part of the .net framework in Windows. Strings within regasm.exe confirmed that this malware collects passwords by logging keystrokes. <\/p>\n\n\n\n

Very Important Strings<\/strong>

Important.exe

hxxp:\/\/www(.)twentysixjune(.)biz\/jonoTwo-4sept-14oct\/

Window title: 

End:] 

Machine Time: 

Keystrokes typed: 

Keystrokes

[Back]

Notification

Time: 

Text: 

$C$l$i$p$b$oa$rd$

SupremeQuality

MediumQuality

LowQuality

#image#\/#upload#.#php#

.jpg

ylbmessAgnitucexEteG

Key

$pos$t$.$ph$p$?$ty$p$e$=$k$eys$tro$ke$s$&$mac$hi$ne$na$me$=$

&windowtitle=

&keystrokestyped=

=emitenihcam&

sdrowssaP

#po#st.#ph#p?#typ#e=p#assw#ords#&mach#inen#ame=#

&application=

&link=

&username=

=drowssap&

draobpilC

$po$st$.$ph$p$?$ty$pe$=$cl$ip$boa$rd&$mac$hine$nam$e=$

&clipboardtext=

Screenshot

$pos$t.$p$hp$?$typ$e=$not$ific$a$tion$&$mac$h$in$e$n$a$m$e$=$

Software\\Paltalk

InstallerAppDir

Win32_LogicalDisk.DeviceID=”

VolumeSerialNumber

Software\\Paltalk\\

nickname

pwd

Passwords

Paltalk

Program: FileZilla 

FileZilla\\recentservers.xml

FileZilla\\sitemanager.xml







$<$H$os$t$>$

$<$\/H$o$s$t$>$



$$

$<$\/$P$a$ss$>$

Filezilla



Programfiles(x86)

programfiles

$\\jDow$nloader\\$config\\dat$abase.scr$ipt

programfiles(x86)

$\\jD$ownloader\\con$fig\\databa$se.sc$ript

#INS#ERT INT#O CON#FIG VA#LUE#S(‘A#ccoun#tContr#oller#’,’

JDownloader

Software\\DownloadManager\\Passwords\\

Program: Internet Download Manager >6 

User

EncPassword

IDM

Advapi32

RegOpenKeyEx

RegCloseKey

RegQueryValueEx

Software\\IMVU\\username

Software\\IMVU\\password

Imvu

Chrome

Firefox

Internet Explorer

Opera

Safari

URL

User Name         : 

Password          : 

URL               : 

Web Browser       : 

Browsers.txt

Password

\/stext 

RecoverBrowsers

Outlook

_Thunder_bird

Eudora

Incredimail

Netscape

\\Mails.txt

RecoverMail

Application

Email             : 

Server            : 

Application       : 

kernel32

KeyBase

ntdll

LoadLibraryA

.dll

user32

$Set$Window$sHook$Ex$A$<\/p>\n\n\n\n

These strings show that this file is a password stealer. It collects keystrokes and copies clipboard images then uploads them to hxxp:\/\/www.twentysixjune.biz\/jonoTwo-4sept-14oct\/image\/upload.php<\/p>\n\n\n\n

It also collects information from the following:

Software\\Paltalk\\

nickname

pwd

Program: FileZilla 

FileZilla\\recentservers.xml

$\\jDow$nloader\\$config\\dat$abase.scr$ipt

JDownloader

IDM

Software\\IMVU\\username

Software\\IMVU\\password

Imvu

Chrome

Firefox

Internet Explorer

Opera

Safari

URL

User Name         : 

Password          : 

URL               : 

Web Browser       : 

Browsers.txt

Password

\/stext 

RecoverBrowsers

Outlook

_Thunder_bird

Eudora

Incredimail

Netscape

\\Mails.txt

RecoverMail

Application

Email      <\/p>\n\n\n\n

Malicious Url<\/strong>

hxxp:\/\/twentysixjune(.)biz

Ip address is:  80(.)82(.)78(.)57 : 80

This is the malicious url we found within the strings, even Virus Total flagged this url as malicious by six vendors.

https:\/\/virustotal.com\/en\/url\/03f84b1e66f394d4d506d16c44434136496399f7ed3cfeccb69c9725951d5ea2\/analysis\/1488780554\/ 

AegisLab WebGuard    Malicious site

Sophos    Malicious site

Trustwave    Malicious site

BitDefender    Malware site

Fortinet    Malware site

G-Data    Malware site<\/p>\n\n\n\n

Code Injection<\/strong><\/p>\n\n\n\n

Process                                                                                            Code size Virtual Address <\/strong>

C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe    516096      400000

C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe    364544      400000<\/p>\n\n\n\n

Conclusion<\/strong>

We recommend blocking the malicious url and searching for the executable (sapp.exe) in the application data location then removing the sapp.exe.

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Version:1.0 StartHTML:000000270 EndHTML:000015702 StartFragment:000007053 EndFragment:000015634 StartSelection:000007053 EndSelection:000015630 SourceURL:https:\/\/www.lmntrix.com\/Lab\/Lab_info.php?id=9&url=Analysis%20of%20Malware%20Sample%20-%20Proforma%20Invoice LMNTRIX Labs LMNTRIX Labs Summary This malware sample was found in a recent spear phishing attack on one of our client networks. The sample in question is a .net file and comes with the name ‘Proforma Invoice’. We are sharing it for the benefit of the community.  […]<\/p>\n","protected":false},"author":1,"featured_media":1076,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1254","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1254","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1254"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1254\/revisions"}],"predecessor-version":[{"id":4117,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1254\/revisions\/4117"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1076"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}