
Analysis Report 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe

Overview

General Information

Sample Name: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe
MD5: 5ebc3a47d7b4ec53d43b1619a15fa39b
SHA1: b454b6ee87a05346d87dfe1f349bccda15f8fe9f
SHA256: 34840c650137249b8338d35ac51f0ab7a8909af35d6e79150d2bbe67e83e0af8


Detection

FormBook
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected FormBook
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1098919359.000000000437C000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | none listed
00000000.00000002.1098919359.000000000437C000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | listed below
    • 0x19369:$sqlite3step: 68 34 1C 7B E1
    • 0x1947c:$sqlite3step: 68 34 1C 7B E1
    • 0x19398:$sqlite3text: 68 38 2A 90 C5
    • 0x194bd:$sqlite3text: 68 38 2A 90 C5
    • 0x193ab:$sqlite3blob: 68 53 D8 7F 8C
    • 0x194d3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1098919359.000000000437C000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | listed below
    • 0xa7f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xaa62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x166e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x161d1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x167e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1695f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xb5da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1544c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xc2d3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ba57:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ca5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1099056654.00000000043F0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | none listed
00000000.00000002.1099056654.00000000043F0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | listed below
      • 0x177d9:$sqlite3step: 68 34 1C 7B E1
      • 0x178ec:$sqlite3step: 68 34 1C 7B E1
      • 0x17808:$sqlite3text: 68 38 2A 90 C5
      • 0x1792d:$sqlite3text: 68 38 2A 90 C5
      • 0x1781b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x17943:$sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | none listed
2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | listed below
        • 0x17629:$sqlite3step: 68 34 1C 7B E1
        • 0x1773c:$sqlite3step: 68 34 1C 7B E1
        • 0x17658:$sqlite3text: 68 38 2A 90 C5
        • 0x1777d:$sqlite3text: 68 38 2A 90 C5
        • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | listed below
        • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | none listed
2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | listed below
          • 0x18429:$sqlite3step: 68 34 1C 7B E1
          • 0x1853c:$sqlite3step: 68 34 1C 7B E1
          • 0x18458:$sqlite3text: 68 38 2A 90 C5
          • 0x1857d:$sqlite3text: 68 38 2A 90 C5
          • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x18593:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Signature Overview



AV Detection:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.1098919359.000000000437C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1099056654.00000000043F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1096131259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1098411995.0000000004230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Joe Sandbox ML: detected
Source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 4x nop then pop ebx | 2_2_00407AC5
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 4x nop then pop edi | 2_2_00417D88
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 4x nop then pop edi | 2_2_00417DA5

Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1102311038.0000000006486000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.1098919359.000000000437C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1099056654.00000000043F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1096131259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1098411995.0000000004230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1098919359.000000000437C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1098919359.000000000437C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1099056654.00000000043F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1099056654.00000000043F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1096131259.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1096131259.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1098411995.0000000004230000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1098411995.0000000004230000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00419830 NtCreateFile | 2_2_00419830
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_004198E0 NtReadFile | 2_2_004198E0
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00419960 NtClose | 2_2_00419960
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00419A10 NtAllocateVirtualMemory | 2_2_00419A10
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041995C NtClose | 2_2_0041995C
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00419A0A NtAllocateVirtualMemory | 2_2_00419A0A
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041D01F | 2_2_0041D01F
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00401030 | 2_2_00401030
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041C8F2 | 2_2_0041C8F2
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041DCFF | 2_2_0041DCFF
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00402D87 | 2_2_00402D87
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00402D90 | 2_2_00402D90
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00409F5B | 2_2_00409F5B
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041D75E | 2_2_0041D75E
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00409F60 | 2_2_00409F60
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00409F1A | 2_2_00409F1A
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00402FB0 | 2_2_00402FB0
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Binary or memory string: OriginalFilename vs 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1096572232.0000000003230000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename26.dll4 vs 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000000.1077575838.0000000000F42000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenAebLgD.exe0 vs 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1098411995.0000000004230000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMYDLLSTUBSHARED.dll4 vs 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000002.00000002.1096216673.0000000000852000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenAebLgD.exe0 vs 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000002.00000002.1097277676.000000000131F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Binary or memory string: OriginalFilenamenAebLgD.exe0 vs 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe
Source: 00000000.00000002.1098919359.000000000437C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1098919359.000000000437C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1099056654.00000000043F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1099056654.00000000043F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1096131259.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1096131259.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1098411995.0000000004230000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1098411995.0000000004230000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal64.troj.evad.winEXE@3/0@0/0
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe 'C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe'
Source: unknown | Process created: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Process created: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: l(costura.shutup_and_fuckof.pdb.compressed( | source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1096572232.0000000003230000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000002.00000002.1097277676.000000000131F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000002.00000002.1097277676.000000000131F000.00000040.00000001.sdmp
Source: Binary string: costura=costura.costura.dll.compressed#shutup_and_fuckofQcostura.shutup_and_fuckof.dll.compressedQcostura.shutup_and_fuckof.pdb.compressed | source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe
Source: Binary string: costura.shutup_and_fuckof.pdb.compressed | source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe

Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_004179D8 push es; retf | 2_2_004179D9
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041DACB push dword ptr [E16F5EB1h]; ret | 2_2_0041DAED
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0040E370 push esp; iretd | 2_2_0040E3CC
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00419B72 push esi; iretd | 2_2_00419B7A
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041730B push es; ret | 2_2_00417326
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041DB12 push dword ptr [E16F5EB1h]; ret | 2_2_0041DAED
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0040E3CD push esp; iretd | 2_2_0040E3CC
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0040E3DD push esp; iretd | 2_2_0040E3CC
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00416CAB pushfd ; ret | 2_2_00416CB8
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041A597 push cs; retf | 2_2_0041A59F
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041C6F2 push eax; ret | 2_2_0041C6F8
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041C6FB push eax; ret | 2_2_0041C762
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041C6A5 push eax; ret | 2_2_0041C6F8
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_0041C75C push eax; ret | 2_2_0041C762
Source: initial sample | Static PE information: section name: .text entropy: 7.54538642003

          Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | RDTSC instruction interceptor: First address: 00000000004098B4; second address: 00000000004098BA; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | RDTSC instruction interceptor: First address: 0000000000409B1E; second address: 0000000000409B24; instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00409A50 rdtsc 2_2_00409A50
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | TID: 5800 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Code function: 2_2_00409A50 rdtsc 2_2_00409A50
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Process created: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe

Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Queries volume information: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe VolumeInformation
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: 9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe, 00000000.00000002.1112889619.00000000091B0000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.1098919359.000000000437C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1099056654.00000000043F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1096131259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1098411995.0000000004230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.1098919359.000000000437C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1099056654.00000000043F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1096131259.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1098411995.0000000004230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.9ddd272a4f0ab26dd56ab3caa8968feee9989982463cff9486c395f7361abbd5-cleaned.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

One row per matched technique set; numbers in parentheses are the count of signatures that hit that technique.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (1) | Winlogon Helper DLL | Process Injection (11) | Software Packing (3) | Credential Dumping | Virtualization/Sandbox Evasion (2) | Application Deployment Software | Data from Local System | Data Encrypted (1) | Standard Cryptographic Protocol (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Disabling Security Tools (1) | Network Sniffing | Process Discovery (1) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Fallback Channels | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Virtualization/Sandbox Evasion (2) | Input Capture | Security Software Discovery (14) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection (11) | Credentials in Files | System Information Discovery (112) | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | Premium SMS Toll Fraud |
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information (3) | Account Manipulation | Remote System Discovery | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |

          Behavior Graph


          Screenshots
