
Analysis Report SecuriteInfo.com.Trojan.Siggen9.57461.12541.13331

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Siggen9.57461.12541.13331 (renamed file extension from 13331 to exe)
Analysis ID: 255608
MD5: 3b5cc52ebfb46933d7665cf6125d9b72
SHA1: aefd3a17e58fd0eb96422d66f06ee75bf0cfee8b
SHA256: 48b81558e59b18c3d20b057608cf34821e4dbf7779a69af50530c611dac0738e


Detection

FormBook
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Yara detected FormBook
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe (PID: 2836 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe' MD5: 3B5CC52EBFB46933D7665CF6125D9B72)
    • SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe (PID: 5936 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe' MD5: 3B5CC52EBFB46933D7665CF6125D9B72)
      • conhost.exe (PID: 4224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MpCmdRun.exe (PID: 5936 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.277638242.00000000022B0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.277638242.00000000022B0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000000.00000002.277638242.00000000022B0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000003.00000002.280030287.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.280030287.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author
3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.277638242.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.280030287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 4x nop then pop esi (3_2_0041736E)

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.277638242.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.280030287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.277638242.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.277638242.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.280030287.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.280030287.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00419830 NtCreateFile
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_004198E0 NtReadFile
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00419960 NtClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00419A10 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_004198DA NtReadFile
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041995D NtClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00419A0A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02239860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02239660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_022396E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02239A20 NtResumeThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02239A00 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02239A10 NtQuerySection
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02239A50 NtCreateFile
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02239A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02239B00 NtSetValueKey
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0223A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0040102E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041DA09
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041CBCA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00402D8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00409F5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00409F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041CF29
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041D799
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_022C22AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_022C2B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0222EBB0
Source: SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe, 00000000.00000002.277821139.000000000240F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe
Source: SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe, 00000003.00000002.282682544.00000000022EF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe
Source: 00000000.00000002.277638242.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.277638242.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.280030287.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.280030287.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal84.troj.evad.winEXE@5/1@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4224:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe'
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe'
Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe'
Source: Binary string: wntdll.pdbUGP | source: SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe, 00000000.00000002.277697333.00000000022F0000.00000040.00000001.sdmp, SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe, 00000003.00000002.282682544.00000000022EF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Unpacked PE file: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:ER; vs .text:ER;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_024869D2 pushad ; iretd 0_3_02486AC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_02486A69 pushad ; iretd 0_3_02486AC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_02488069 push es; ret 0_3_0248806A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_02486A18 pushad ; iretd 0_3_02486AC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_02486A90 pushad ; iretd 0_3_02486AC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_024891B1 pushad ; iretd 0_3_024891B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_02285621 pushfd ; ret 0_3_0228578A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_02286C49 pushad ; iretd 0_3_02286C4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_02284FA9 pushad ; iretd 0_3_02284FBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_022867BE pushad ; retf 0001h 0_3_022869DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_0228FB8F pushad ; iretd 0_3_0228FBA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 0_3_02285F91 push es; ret 0_3_02285F92
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041691B push esi; iretd 3_2_00416926
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041DD3E push ebp; ret 3_2_0041DD45
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041C6F2 push eax; ret 3_2_0041C6F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041C6FB push eax; ret 3_2_0041C762
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041C6A5 push eax; ret 3_2_0041C6F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041C75C push eax; ret 3_2_0041C762
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0041D790 push esp; ret 3_2_0041D791
Source: initial sample | Static PE information: section name: .rsrc entropy: 7.77054241361

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Memory written: PID: 5936 base: 76F29930 value: E9 CB 66 29 89

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | RDTSC instruction interceptor: First address: 00000000004C7AA8 second address: 00000000004C7AB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F131C974B56h 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | RDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00409A50 rdtsc
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_00409A50 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02239860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02234A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02234A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02208A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02213A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_022AB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_022AB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_022C8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0223927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02284257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0220AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0220AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0222FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0222D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_0222D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02222AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_02222ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_022B131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe | Code function: 3_2_021FF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_02223B7A mov eax, dword ptr fs:[00000030h]3_2_02223B7A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_02223B7A mov eax, dword ptr fs:[00000030h]3_2_02223B7A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_021FDB40 mov eax, dword ptr fs:[00000030h]3_2_021FDB40
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_022C8B58 mov eax, dword ptr fs:[00000030h]3_2_022C8B58
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_021FDB60 mov ecx, dword ptr fs:[00000030h]3_2_021FDB60
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_022C5BA5 mov eax, dword ptr fs:[00000030h]3_2_022C5BA5
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_02224BAD mov eax, dword ptr fs:[00000030h]3_2_02224BAD
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_02224BAD mov eax, dword ptr fs:[00000030h]3_2_02224BAD
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_02224BAD mov eax, dword ptr fs:[00000030h]3_2_02224BAD
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_022B138A mov eax, dword ptr fs:[00000030h]3_2_022B138A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_022AD380 mov ecx, dword ptr fs:[00000030h]3_2_022AD380
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_02201B8F mov eax, dword ptr fs:[00000030h]3_2_02201B8F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_02201B8F mov eax, dword ptr fs:[00000030h]3_2_02201B8F
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_0222B390 mov eax, dword ptr fs:[00000030h]3_2_0222B390
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exeCode function: 3_2_02222397 mov eax, dword ptr fs:[00000030h]3_2_02222397

          HIPS / PFW / Operating System Protection Evasion:

          Hijacks the control flow in another process
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe, Memory written: PID: 5936 base: 76F29930 value: E9
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe, Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe, Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe'

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match, File source: 00000000.00000002.277638242.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.280030287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match, File source: 00000000.00000002.277638242.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.280030287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.SecuriteInfo.com.Trojan.Siggen9.57461.12541.exe.22b0000.1.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection211 | Virtualization/Sandbox Evasion1 | Credential API Hooking1 | Security Software Discovery12 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Software Packing11 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection211 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | System Information Discovery11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | 

          Behavior Graph

          [Behavior graph image not included in this extraction. Legend entries: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet]

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.