Analysis Report ScanRFQ_569585.exe

Overview

General Information

Sample Name: ScanRFQ_569585.exe
MD5: fff36af0c29e1e45b4ed519f0e7dfbfb
SHA1: af7cb2dc654e284e0a4902d9e1ab7edf6bee506c
SHA256: a83ded2c7e7d33354eb933f465d2e300c1047bb8470b3bc7beb7dae83228b3e0

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: File Created with System Process Name
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • ScanRFQ_569585.exe (PID: 5308 cmdline: 'C:\Users\user\Desktop\ScanRFQ_569585.exe' MD5: FFF36AF0C29E1E45B4ED519F0E7DFBFB)
    • explorer.exe (PID: 2864 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
      • msdt.exe (PID: 3704 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 45DB9D98DDBFEE0792D7E382D2EC13AC)
        • cmd.exe (PID: 4956 cmdline: /c del 'C:\Users\user\Desktop\ScanRFQ_569585.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 4024 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 3732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • xtktxhxv4kp.exe (PID: 5172 cmdline: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe MD5: FFF36AF0C29E1E45B4ED519F0E7DFBFB)
      • xtktxhxv4kp.exe (PID: 244 cmdline: 'C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe' MD5: FFF36AF0C29E1E45B4ED519F0E7DFBFB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.1498285747.0000000003030000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.1498285747.0000000003030000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x157b9:$sqlite3step: 68 34 1C 7B E1
  • 0x158cc:$sqlite3step: 68 34 1C 7B E1
  • 0x157e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1590d:$sqlite3text: 68 38 2A 90 C5
  • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15923:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.1498285747.0000000003030000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1136794874.00000000012F0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.1136794874.00000000012F0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x157b9:$sqlite3step: 68 34 1C 7B E1
  • 0x158cc:$sqlite3step: 68 34 1C 7B E1
  • 0x157e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1590d:$sqlite3text: 68 38 2A 90 C5
  • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15923:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\msdt.exe, ParentImage: C:\Windows\SysWOW64\msdt.exe, ParentProcessId: 3704, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 4024
Sigma detected: File Created with System Process Name
Source: File created | Author: Sander Wiebing | Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 2864, TargetFilename: C:\Users\user\AppData\Local\Temp\Fa6_

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Fa6_\xtktxhxv4kp.exe | Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\Fa6_\xtktxhxv4kp.exe | ReversingLabs: Detection: 74%
Multi AV Scanner detection for submitted file
Source: ScanRFQ_569585.exe | Virustotal: Detection: 84%
Source: ScanRFQ_569585.exe | ReversingLabs: Detection: 74%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.1498285747.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1136794874.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1136896823.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1137273562.00000000014BD000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1492292182.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Fa6_\xtktxhxv4kp.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ScanRFQ_569585.exe | Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop edi 3_2_0304511D

Source: global traffic | HTTP traffic detected: GET /q44/?NTKXiT=LO2u+MqMadpJTB4THMs8aduWDbfsr90SpvTVIb0t3BjtCVCQMYI2okVdFyMqt7//vUF6&fd20=4hv0BPvH-lcxLJj HTTP/1.1 Host: www.healthtourisminturkey.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: unknown | DNS traffic detected: queries for: www.opebet946.com
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: msdt.exe, 00000003.00000002.1494760216.00000000002AE000.00000004.00000020.sdmp | String found in binary or memory: http://go.microsoft.c
Source: explorer.exe, 00000002.00000002.1499736330.0000000003230000.00000004.00000001.sdmp | String found in binary or memory: http://ns.microsoftom/photo/1.2/tD
Source: msdt.exe, 00000003.00000002.1494760216.00000000002AE000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico7
Source: explorer.exe, 00000002.00000000.1086224238.00000000030D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: msdt.exe, 00000003.00000002.1493862930.0000000000230000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: msdt.exe, 00000003.00000002.1493862930.0000000000230000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: msdt.exe, 00000003.00000002.1494760216.00000000002AE000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
Source: msdt.exe, 00000003.00000002.1493862930.0000000000230000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpn
Source: msdt.exe, 00000003.00000002.1493862930.0000000000230000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: msdt.exe, 00000003.00000002.1493862930.0000000000230000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/ocid=iehp41N
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.1113165983.000000000B2B6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: msdt.exe, 00000003.00000002.1494760216.00000000002AE000.00000004.00000020.sdmp | String found in binary or memory: https://www.msn.com/content/images/icons/Favicon_EdgeStart.ico
Source: msdt.exe, 00000003.00000002.1494760216.00000000002AE000.00000004.00000020.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&en7
Source: msdt.exe, 00000003.00000002.1494760216.00000000002AE000.00000004.00000020.sdmp | String found in binary or memory: https://www.msn.com/spartan/ientplocale=en-US&market=US&enableregulatorypsm=0&enablecpsm=0&NTLogo=1&

Source: ScanRFQ_569585.exe, 00000000.00000002.1136985515.0000000001470000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.1498285747.0000000003030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1136794874.00000000012F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1136896823.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1137273562.00000000014BD000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1492292182.0000000000170000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\msdt.exe | Dropped file: C:\Users\user\AppData\Roaming\LPPdPRT3\LPPlogri.ini
Source: C:\Windows\SysWOW64\msdt.exe | Dropped file: C:\Users\user\AppData\Roaming\LPPdPRT3\LPPlogrf.ini
Source: C:\Windows\SysWOW64\msdt.exe | Dropped file: C:\Users\user\AppData\Roaming\LPPdPRT3\LPPlogrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.1498285747.0000000003030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1498285747.0000000003030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1136794874.00000000012F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1136794874.00000000012F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1136896823.0000000001440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1136896823.0000000001440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1137273562.00000000014BD000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1137273562.00000000014BD000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1492292182.0000000000170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1492292182.0000000000170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A540 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A560 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A5F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A410 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A480 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A4A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A750 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A700 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A720 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A610 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A6A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A3E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A240 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A2D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558BD40 NtSuspendThread
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A520 NtEnumerateKey
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A5A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A470 NtSetInformationFile
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558B470 NtOpenThread
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A460 NtOpenProcess
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558B410 NtOpenProcessToken
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A430 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558ACE0 NtCreateMutant
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A710 NtQuerySection
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A780 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A650 NtQueueApcThread
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A6D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A800 NtSetValueKey
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558B0B0 NtGetContextThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A470 NtSetInformationFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A410 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465ACE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A480 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A560 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A540 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A610 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A6A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A750 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A800 NtSetValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A260 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A240 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A2D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A350 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A310 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A3E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A3D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A460 NtOpenProcess
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465B470 NtOpenThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A430 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465B410 NtOpenProcessToken
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A4A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465BD40 NtSuspendThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A520 NtEnumerateKey
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A5F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A5A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A650 NtQueueApcThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A6D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A720 NtResumeThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A700 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A710 NtQuerySection
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A780 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465B0B0 NtGetContextThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A220 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465BA30 NtSetContextThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A2F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0465A370 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_03046BC0 NtCreateFile
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_03046DA0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_03046C70 NtReadFile
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_03046CF0 NtClose
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_03046BBA NtCreateFile
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_00C06902
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05540D40
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_055EC53F
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05561530
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05612519
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05601D1B
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_055FFDDB
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0560D5D2
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_055F1DE3
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_055EE58A
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0560E581
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0557547E
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05561410
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0555740C
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_055FF42B
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_056044EF
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0560DCC5
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05603490
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05612C9A
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05611C9F
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05611746
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05611FCE
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05565790
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05602782
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0560CE66
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05567640
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05575E70
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05574E61
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05576611
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_056126F8
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05603E96
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0557594B
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05577110
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_056119E2
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_056061DF
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05576180
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0561D9BE
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05571070
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05570021
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0560D016
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0557E020
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_056128E8
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_055748CB
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0555A080
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_055F18B6
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0464547E
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046CF42B
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0462740C
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04631410
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046D44EF
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046DDCC5
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046E1C9F
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046E2C9A
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046D3490
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04610D40
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04631530
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046BC53F
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046D1D1B
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046E2519
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046C1DE3
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046CFDDB
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046DD5D2
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046BE58A
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046DE581
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04644E61
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046DCE66
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04645E70
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04637640
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04646611
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046E26F8
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046D3E96
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046E1746
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046E1FCE
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046D2782
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04635790
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04641070
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0464E020
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04640021
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04649810
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046DD016
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046E28E8
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046448CB
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046C18B6
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0462A080
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0464594B
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04669906
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04647110
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046E19E2
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046D61DF
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_046ED9BE
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04646180
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_04644A5B
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_0464523D3_2_0464523D
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_046D0A023_2_046D0A02
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_046EE2143_2_046EE214
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_046E22DD3_2_046E22DD
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_046342B03_2_046342B0
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_046E1A993_2_046E1A99
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_0463FB403_2_0463FB40
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_0461EBE03_2_0461EBE0
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_046463C23_2_046463C2
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_04644B963_2_04644B96
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_03049B263_2_03049B26
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_0304AAD23_2_0304AAD2
      Source: C:\Windows\SysWOW64\msdt.exeCode function: 3_2_0304B1A03_2_0304B1A0
      Source: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exeCode function: 13_2_008E690213_2_008E6902
      Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 0461B0E0 appears 176 times
      Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 046A5110 appears 38 times
      Source: C:\Windows\SysWOW64\msdt.exeCode function: String function: 0466DDE8 appears 43 times
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exeCode function: String function: 0554B0E0 appears 140 times
      Source: ScanRFQ_569585.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: xtktxhxv4kp.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: ScanRFQ_569585.exe, 00000000.00000003.1133331846.00000000031A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs ScanRFQ_569585.exe
      Source: ScanRFQ_569585.exe, 00000000.00000002.1145290918.000000000563F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ScanRFQ_569585.exe
      Source: C:\Windows\SysWOW64\msdt.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
      Source: 00000003.00000002.1498285747.0000000003030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000002.1498285747.0000000003030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000002.1136794874.00000000012F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.1136794874.00000000012F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000002.1136896823.0000000001440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.1136896823.0000000001440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000002.1137273562.00000000014BD000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.1137273562.00000000014BD000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000003.00000002.1492292182.0000000000170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000003.00000002.1492292182.0000000000170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: explorer.exe, 00000002.00000000.1117370776.000000000F912000.00000004.00000001.sdmp | Binary or memory string: \Registry\Machine\Software\Classes\SystemFileAssociations\.vbprojfgtopBackground\shellex\ContextMenuHandlers\DesktopSlideshowAppData
      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/8@8/1
      Source: C:\Windows\SysWOW64\msdt.exe | File created: C:\Users\user\AppData\Roaming\LPPdPRT3
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:556:120:WilError_01
      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Fa6_
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Command line argument: ShowDib1 | 0_2_00C012C0
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Command line argument: ShowDib1 | 0_2_00C012C0
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Command line argument: ShowDib1 | 0_2_00C012C0
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Command line argument: ShowDib1 | 0_2_00C012C0
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Command line argument: ShowDib1 | 0_2_00C012C0
      Source: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe | Command line argument: ShowDib1 | 13_2_008E12C0
      Source: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe | Command line argument: ShowDib1 | 13_2_008E12C0
      Source: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe | Command line argument: ShowDib1 | 13_2_008E12C0
      Source: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe | Command line argument: ShowDib1 | 13_2_008E12C0
      Source: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe | Command line argument: ShowDib1 | 13_2_008E12C0
      Source: ScanRFQ_569585.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\SysWOW64\msdt.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: ScanRFQ_569585.exe | Virustotal: Detection: 84%
      Source: ScanRFQ_569585.exe | ReversingLabs: Detection: 74%
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | File read: C:\Users\user\Desktop\ScanRFQ_569585.exe
      Source: unknown | Process created: C:\Users\user\Desktop\ScanRFQ_569585.exe 'C:\Users\user\Desktop\ScanRFQ_569585.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ScanRFQ_569585.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe
      Source: unknown | Process created: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe 'C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe'
      Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe
      Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe 'C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe'
      Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ScanRFQ_569585.exe'
      Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
      Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
      Source: C:\Windows\SysWOW64\msdt.exe | File written: C:\Users\user\AppData\Roaming\LPPdPRT3\LPPlogri.ini
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\msdt.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: ScanRFQ_569585.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.1112319919.000000000AAB0000.00000002.00000001.sdmp
      Source: Binary string: msdt.pdbGCTL source: ScanRFQ_569585.exe, 00000000.00000003.1133331846.00000000031A0000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: ScanRFQ_569585.exe, 00000000.00000002.1143647904.0000000005520000.00000040.00000001.sdmp, msdt.exe, 00000003.00000002.1498701251.00000000045F0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: ScanRFQ_569585.exe, msdt.exe
      Source: Binary string: C:\Users\Good Gold\Desktop\SHOWDIB1\Release\SHOWDIB1.pdbxx source: ScanRFQ_569585.exe
      Source: Binary string: C:\Users\Good Gold\Desktop\SHOWDIB1\Release\SHOWDIB1.pdb source: ScanRFQ_569585.exe
      Source: Binary string: msdt.pdb source: ScanRFQ_569585.exe, 00000000.00000003.1133331846.00000000031A0000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.1112319919.000000000AAB0000.00000002.00000001.sdmp
      Source: ScanRFQ_569585.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: ScanRFQ_569585.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: ScanRFQ_569585.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: ScanRFQ_569585.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: ScanRFQ_569585.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_00C0463A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_00C031C5 push ecx; ret 0_2_00C031D8
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0559DE2D push ecx; ret 0_2_0559DE40
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0466DE2D push ecx; ret 3_2_0466DE40
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_03049A35 push eax; ret 3_2_03049A88
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_03049A82 push eax; ret 3_2_03049A88
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_03049A8B push eax; ret 3_2_03049AF2
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_03049AEC push eax; ret 3_2_03049AF2
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0304B159 push ebp; ret 3_2_0304B19E
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_0304B1A0 push dword ptr [E482D374h]; ret 3_2_0304B5B2
      Source: C:\Windows\SysWOW64\msdt.exe | Code function: 3_2_030489B2 pushad ; iretd 3_2_030489B4
      Source: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe | Code function: 13_2_008E31C5 push ecx; ret 13_2_008E31D8

      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Fa6_\xtktxhxv4kp.exe

      Source: C:\Windows\SysWOW64\msdt.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VDYLP6CXXPZ
      Source: C:\Windows\SysWOW64\msdt.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run VDYLP6CXXPZ

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x03 0x31
      Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | RDTSC instruction interceptor: First address: 00000000014C4DD4 second address: 00000000014C4DDA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | RDTSC instruction interceptor: First address: 00000000014C503E second address: 00000000014C5044 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000003037244 second address: 000000000303724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 00000000030374AE second address: 00000000030374B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05615595 rdtsc
      Source: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_13-3791
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | API coverage: 8.6 %
      Source: C:\Windows\SysWOW64\msdt.exe | API coverage: 5.4 %
      Source: C:\Windows\explorer.exe TID: 5192 | Thread sleep time: -50000s >= -30000s
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: explorer.exe, 00000002.00000000.1106542108.0000000007BA0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000002.00000000.1106542108.0000000007BA0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: explorer.exe, 00000002.00000000.1106542108.0000000007BA0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: msdt.exe, 00000003.00000002.1494760216.00000000002AE000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: explorer.exe, 00000002.00000000.1106542108.0000000007BA0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | API call chain: ExitProcess graph end node | graph_0-20728
      Source: C:\Program Files (x86)\Fa6_\xtktxhxv4kp.exe | API call chain: ExitProcess graph end node | graph_13-3793
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Process information queried: ProcessInformation

      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05615595 rdtsc
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0558A540 NtDelayExecution,LdrInitializeThunk
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_00C034F6 _memset,IsDebuggerPresent
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_00C0463A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_00C0463A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0557056B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_055D3D10 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05561530 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05561530 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05561530 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05561530 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_05561530 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\D