{"id":988,"date":"2024-08-27T16:22:32","date_gmt":"2024-08-27T16:22:32","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=988"},"modified":"2025-07-28T09:31:40","modified_gmt":"2025-07-28T09:31:40","slug":"analysis-of-malware-sample-proforma-invoice","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/analysis-of-malware-sample-proforma-invoice\/","title":{"rendered":"Analysis of Malware Sample – Proforma Invoice"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Version:1.0 StartHTML:000000270 EndHTML:000015702 StartFragment:000007053 EndFragment:000015634 StartSelection:000007053 EndSelection:000015630 SourceURL:https:\/\/www.lmntrix.com\/Lab\/Lab_info.php?id=9&url=Analysis%20of%20Malware%20Sample%20-%20Proforma%20Invoice LMNTRIX Labs LMNTRIX Labs<\/p>\n\n\n\n

Summary<\/h3>\n\n\n\n

This malware sample masquerading as a Proforma Invoice was identified through a recent spear phishing attack on one of our client networks. The sample in question is a .NET file and comes with the name \u2018Proforma Invoice\u2019. We are sharing it for the benefit of the community.<\/p>\n\n\n\n

File Details<\/h3>\n\n\n\n

MD5 3ed79c9a988e427db39aa62e625a2116<\/p>\n\n\n\n

SHA-1 85b0198ba27fa5b8e1d3625dbcd45776d64cd741<\/p>\n\n\n\n

SHA-256 de30a5cc95453a372b717a632fc6c9ec0b101c2afa9ba5e472e95025fd227ddd<\/p>\n\n\n\n

Size 929.5 KB (951808 bytes)<\/p>\n\n\n\n

Type Win32 EXE<\/p>\n\n\n\n

Magic PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono\/.Net assembly<\/p>\n\n\n\n

Detection ratio 37 \/ 57<\/p>\n\n\n\n

First submission 2016-09-23 07:41:57 UTC ( 5 months, 1 week ago )
This malware is already present in Virus Total, having been initially submitted in September 2016.<\/p>\n\n\n\n

Characteristics and Behavior<\/h3>\n\n\n\n
    \n
  • Sends PC main information to external server<\/li>\n\n\n\n
  • Injects code into other processes<\/li>\n\n\n\n
  • Common autorun registry key<\/li>\n\n\n\n
  • Access browser sensitive data: Mozilla SeaMonkey<\/li>\n\n\n\n
  • Access Mozilla Firefox security module<\/li>\n\n\n\n
  • Contains cryptographic functionality<\/li>\n\n\n\n
  • Access Opera passwords<\/li>\n\n\n\n
  • Steals Internet Explorer passwords<\/li>\n\n\n\n
  • Loads PE into other process memory<\/li>\n\n\n\n
  • Runs dropped executable<\/li>\n\n\n\n
  • Access Mozilla Firefox history<\/li>\n\n\n\n
  • Contains HTML page<\/li>\n\n\n\n
  • Access Mozilla Firefox passwords<\/li>\n\n\n\n
  • Access email client software sensitive data: Thunderbird<\/li>\n\n\n\n
  • Access email client software sensitive data: Windows Livemail<\/li>\n\n\n\n
  • Access email client software sensitive data: Outlook<\/li>\n\n\n\n
  • Access email client software sensitive data: IncrediMail<\/li>\n\n\n\n
  • Access email client software sensitive data: Eudora<\/li>\n\n\n\n
  • Access email client software sensitive data: Group Mail<\/li>\n\n\n\n
  • Access Mozilla Firefox certificates<\/li>\n\n\n\n
  • Access FTP software sensitive data: Filezilla<\/li>\n\n\n\n
  • Access instant messaging software sensitive data: Google Talk<\/li>\n\n\n\n
  • Access Mozilla Firefox file that stores the annotations, bookmarks, favorite icons, input history, keywords, and browsing history<\/li>\n\n\n\n
  • Access instant messaging software sensitive data: Paltalk<\/li>\n\n\n\n
  • Access instant messaging software sensitive data: Yahoo Pager<\/li>\n\n\n\n
  • Runs existing executable<\/li>\n\n\n\n
  • Suspicious delay<\/li>\n\n\n\n
  • Check user main folders path<\/li>\n\n\n\n
  • Drops .EXE file<\/li>\n\n\n\n
  • Access Windows sensitive data: Windows Profiles information<\/li>\n\n\n\n
  • EntryPoint points inside a writable section<\/li>\n\n\n\n
  • Gathers system main data (MachineGUID, ComputerName, SystemBiosVersion \u2026)<\/li>\n\n\n\n
  • Loads PE into its own memory<\/li>\n<\/ul>\n\n\n\n

    Process, Registry, Network Activities<\/h3>\n\n\n\n

    %appdata%\\sapp.exe<\/p>\n\n\n\n

    This created sample is a duplicate of an original file \u2013 it also created an autostart entry for this file to keep persistence.<\/p>\n\n\n\n

    HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run “Application”<\/p>\n\n\n\n

        Type: REG_SZ\n\n    Data: C:\\Documents and Settings\\user\\Application Data\\sapp.exe<\/code><\/pre>\n\n\n\n
    We noticed that sample creates a new process called Regasm.exe, which is part of the .net framework in Windows. Strings within regasm.exe confirmed that this malware collects passwords by logging keystrokes.<\/p>\n\n\n\n
    Very Important Strings<\/h3>\n\n\n\n
    Important.exe<\/p>\n\n\n\n
    hxxp:\/\/www(.)twentysixjune(.)biz\/jonoTwo-4sept-14oct\/<\/p>\n\n\n\n
    Window title:<\/p>\n\n\n\n
    End:]\n\n\n\n
    Machine Time:<\/p>\n\n\n\n
    Keystrokes typed:<\/p>\n\n\n\n
    Keystrokes<\/p>\n\n\n\n[Back]\n\n\n\n
    Notification<\/p>\n\n\n\n
    Time:<\/p>\n\n\n\n
    Text:<\/p>\n\n\n\n
    $C$l$i$p$b$oa$rd$<\/p>\n\n\n\n
    SupremeQuality<\/p>\n\n\n\n
    MediumQuality<\/p>\n\n\n\n
    LowQuality<\/p>\n\n\n\n
    image#\/#upload#.#php<\/p>\n\n\n\n
    .jpg<\/p>\n\n\n\n
    ylbmessAgnitucexEteG<\/p>\n\n\n\n
    Key<\/p>\n\n\n\n
    $pos$t$.$ph$p$?$ty$p$e$=$k$eys$tro$ke$s$&$mac$hi$ne$na$me$=$<\/p>\n\n\n\n
    &windowtitle=<\/p>\n\n\n\n
    &keystrokestyped=<\/p>\n\n\n\n
    =emitenihcam&<\/p>\n\n\n\n
    sdrowssaP<\/p>\n\n\n\n
    po#st.#ph#p?#typ#e=p#assw#ords#&mach#inen#ame=<\/p>\n\n\n\n
    &application=<\/p>\n\n\n\n
    &link=<\/p>\n\n\n\n
    &username=<\/p>\n\n\n\n
    =drowssap&<\/p>\n\n\n\n
    draobpilC<\/p>\n\n\n\n
    $po$st$.$ph$p$?$ty$pe$=$cl$ip$boa$rd&$mac$hine$nam$e=$<\/p>\n\n\n\n
    &clipboardtext=<\/p>\n\n\n\n
    Screenshot<\/p>\n\n\n\n
    $pos$t.$p$hp$?$typ$e=$not$ific$a$tion$&$mac$h$in$e$n$a$m$e$=$<\/p>\n\n\n\n
    Software\\Paltalk<\/p>\n\n\n\n
    InstallerAppDir<\/p>\n\n\n\n
    Win32_LogicalDisk.DeviceID=”<\/p>\n\n\n\n
    VolumeSerialNumber<\/p>\n\n\n\n
    Software\\Paltalk\\<\/p>\n\n\n\n
    nickname<\/p>\n\n\n\n
    pwd<\/p>\n\n\n\n
    Passwords<\/p>\n\n\n\n
    Paltalk<\/p>\n\n\n\n
    Program: FileZilla<\/p>\n\n\n\n
    FileZilla\\recentservers.xml<\/p>\n\n\n\n
    FileZilla\\sitemanager.xml<\/p>\n\n\n\n
    $<$H$os$t$>$<\/p>\n\n\n\n
    $<$\/H$o$s$t$>$<\/p>\n\n\n\n
    $$<\/p>\n\n\n\n
    $<$\/$P$a$ss$>$<\/p>\n\n\n\n
    Filezilla<\/p>\n\n\n\n
    Programfiles(x86)<\/p>\n\n\n\n
    programfiles<\/p>\n\n\n\n
    $\\jDow$nloader\\$config\\dat$abase.scr$ipt<\/p>\n\n\n\n
    programfiles(x86)<\/p>\n\n\n\n
    $\\jD$ownloader\\con$fig\\databa$se.sc$ript<\/p>\n\n\n\n
    INS#ERT INT#O CON#FIG VA#LUE#S(‘A#ccoun#tContr#oller#’,’<\/p>\n\n\n\n
    JDownloader<\/p>\n\n\n\n
    Software\\DownloadManager\\Passwords\\<\/p>\n\n\n\n
    Program: Internet Download Manager >6<\/p>\n\n\n\n
    User<\/p>\n\n\n\n
    EncPassword<\/p>\n\n\n\n
    IDM<\/p>\n\n\n\n
    Advapi32<\/p>\n\n\n\n
    RegOpenKeyEx<\/p>\n\n\n\n
    RegCloseKey<\/p>\n\n\n\n
    RegQueryValueEx<\/p>\n\n\n\n
    Software\\IMVU\\username<\/p>\n\n\n\n
    Software\\IMVU\\password<\/p>\n\n\n\n
    Imvu<\/p>\n\n\n\n
    Chrome<\/p>\n\n\n\n
    Firefox<\/p>\n\n\n\n
    Internet Explorer<\/p>\n\n\n\n
    Opera<\/p>\n\n\n\n
    Safari<\/p>\n\n\n\n
    URL<\/p>\n\n\n\n
    User Name :<\/p>\n\n\n\n
    Password :<\/p>\n\n\n\n
    URL :<\/p>\n\n\n\n
    Web Browser :<\/p>\n\n\n\n
    Browsers.txt<\/p>\n\n\n\n
    Password<\/p>\n\n\n\n
    \/stext<\/p>\n\n\n\n
    RecoverBrowsers<\/p>\n\n\n\n
    Outlook<\/p>\n\n\n\n
    _Thunder_bird<\/p>\n\n\n\n
    Eudora<\/p>\n\n\n\n
    Incredimail<\/p>\n\n\n\n
    Netscape<\/p>\n\n\n\n
    \\Mails.txt<\/p>\n\n\n\n
    RecoverMail<\/p>\n\n\n\n
    Application<\/p>\n\n\n\n
    Email :<\/p>\n\n\n\n
    Server :<\/p>\n\n\n\n
    Application :<\/p>\n\n\n\n
    kernel32<\/p>\n\n\n\n
    KeyBase<\/p>\n\n\n\n
    ntdll<\/p>\n\n\n\n
    LoadLibraryA<\/p>\n\n\n\n
    .dll<\/p>\n\n\n\n
    user32<\/p>\n\n\n\n
    $Set$Window$sHook$Ex$A$<\/p>\n\n\n\n
    These strings show that this file is a password stealer. It collects keystrokes and copies clipboard images then uploads them to hxxp:\/\/www.twentysixjune.biz\/jonoTwo-4sept-14oct\/image\/upload.php<\/strong>
    It also collects information from the following:<\/p>\n\n\n\n
    Software\\Paltalk\\<\/p>\n\n\n\n
    nickname<\/p>\n\n\n\n
    pwd<\/p>\n\n\n\n
    Program: FileZilla<\/p>\n\n\n\n
    FileZilla\\recentservers.xml<\/p>\n\n\n\n
    $\\jDow$nloader\\$config\\dat$abase.scr$ipt<\/p>\n\n\n\n
    JDownloader<\/p>\n\n\n\n
    IDM<\/p>\n\n\n\n
    Software\\IMVU\\username<\/p>\n\n\n\n
    Software\\IMVU\\password<\/p>\n\n\n\n
    Imvu<\/p>\n\n\n\n
    Chrome<\/p>\n\n\n\n
    Firefox<\/p>\n\n\n\n
    Internet Explorer<\/p>\n\n\n\n
    Opera<\/p>\n\n\n\n
    Safari<\/p>\n\n\n\n
    URL<\/p>\n\n\n\n
    User Name :<\/p>\n\n\n\n
    Password :<\/p>\n\n\n\n
    URL :<\/p>\n\n\n\n
    Web Browser :<\/p>\n\n\n\n
    Browsers.txt<\/p>\n\n\n\n
    Password<\/p>\n\n\n\n
    \/stext<\/p>\n\n\n\n
    RecoverBrowsers<\/p>\n\n\n\n
    Outlook<\/p>\n\n\n\n
    _Thunder_bird<\/p>\n\n\n\n
    Eudora<\/p>\n\n\n\n
    Incredimail<\/p>\n\n\n\n
    Netscape<\/p>\n\n\n\n
    \\Mails.txt<\/p>\n\n\n\n
    RecoverMail<\/p>\n\n\n\n
    Application<\/p>\n\n\n\n
    Email<\/p>\n\n\n\n
    Malicious URL<\/h3>\n\n\n\n
    hxxp:\/\/twentysixjune(.)biz<\/p>\n\n\n\n
    Ip address is: 80(.)82(.)78(.)57 : 80<\/p>\n\n\n\n
    This is the malicious url we found within the strings, even Virus Total flagged this url as malicious by six vendors.<\/p>\n\n\n\n
    https:\/\/virustotal.com\/en\/url\/03f84b1e66f394d4d506d16c44434136496399f7ed3cfeccb69c9725951d5ea2\/analysis\/1488780554<\/p>\n\n\n\n
    AegisLab WebGuard Malicious site<\/p>\n\n\n\n
    Sophos Malicious site<\/p>\n\n\n\n
    Trustwave Malicious site<\/p>\n\n\n\n
    BitDefender Malware site<\/p>\n\n\n\n
    Fortinet Malware site<\/p>\n\n\n\n
    G-Data Malware site<\/p>\n\n\n\n
    Code Injection<\/strong><\/p>\n\n\n\n
    Process                                                                                            Code size Virtual Address <\/strong>

    C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe    516096      400000

    C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe    364544      400000<\/p>\n\n\n\n
    Conclusion<\/strong>

    We recommend blocking the malicious URL and searching for the executable (sapp.exe) in the application data location then removing the sapp.exe.
    <\/p>\n","protected":false},"excerpt":{"rendered":"
    This malware sample masquerading as a Proforma Invoice was identified through a recent spear phishing attack on one of our client networks. The sample in question is a .NET file and comes with the name \u2018Proforma Invoice\u2019. We are sharing it for the benefit of the community.<\/p>\n","protected":false},"author":1,"featured_media":1030,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-988","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/988","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=988"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/988\/revisions"}],"predecessor-version":[{"id":4081,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/988\/revisions\/4081"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1030"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}