Analysis Report SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.1892

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.1892 (renamed file extension from 1892 to exe)
Analysis ID: 284140
MD5: 530d878ec44087ad5a093ab63fdc83e9
SHA1: 11b13b81158be68a6f8b7d830c442f839ebe15b7
SHA256: 3193ed42b2ca069021c15541f97fd6033c8cabd7f4d858a1d1969232dcdf12be

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected FormBook
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe (PID: 6548 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe' MD5: 530D878EC44087AD5A093AB63FDC83E9)
    • ieinstal.exe (PID: 7100 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 5348 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.251878722.0000000002AAC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0xf6c:$file: URL=
  • 0xf50:$url_explicit: [InternetShortcut]
00000000.00000003.251878722.0000000002AAC000.00000004.00000001.sdmp | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0xf98:$icon: IconFile=
  • 0xf50:$url_explicit: [InternetShortcut]
00000000.00000003.252686303.0000000002ADC000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x1ad4:$file: URL=
  • 0x1ab8:$url_explicit: [InternetShortcut]
00000000.00000003.252686303.0000000002ADC000.00000004.00000001.sdmp | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x1b00:$icon: IconFile=
  • 0x1ab8:$url_explicit: [InternetShortcut]
0000000F.00000002.490362004.00000000035A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.ieinstal.exe.10410000.3.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.ieinstal.exe.10410000.3.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
5.2.ieinstal.exe.10410000.3.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17649:$sqlite3step: 68 34 1C 7B E1
  • 0x1775c:$sqlite3step: 68 34 1C 7B E1
  • 0x17678:$sqlite3text: 68 38 2A 90 C5
  • 0x1779d:$sqlite3text: 68 38 2A 90 C5
  • 0x1768b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x177b3:$sqlite3blob: 68 53 D8 7F 8C
5.2.ieinstal.exe.10410000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.ieinstal.exe.10410000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Avira: detected
Multi AV Scanner detection for domain / URL
Source: http://www.joomlas123.info/n7ak/ | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Virustotal: Detection: 41%
Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match | File source: 0000000F.00000002.490362004.00000000035A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.307592061.0000000003390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.312249405.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.490491757.00000000035D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.307617934.00000000033C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.483754094.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Joe Sandbox ML: detected
Source: 5.2.ieinstal.exe.10410000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 5_2_10426D4E: 4x nop then pop edi
Source: C:\Windows\SysWOW64\explorer.exe | Code function 15_2_00F36D55: 4x nop then pop edi
Source: Joe Sandbox View | IP Address: 162.159.133.233
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724

E-Banking Fraud:

Yara detected FormBook (same memory dump and unpacked PE sources as listed under AV Detection above)

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\explorer.exe | Dropped file: C:\Users\user\AppData\Roaming\KP63BSE2\KP6logri.ini
Source: C:\Windows\SysWOW64\explorer.exe | Dropped file: C:\Users\user\AppData\Roaming\KP63BSE2\KP6logrv.ini
Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.490362004.00000000035A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.490362004.00000000035A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.307592061.0000000003390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.307592061.0000000003390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.312249405.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.312249405.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.490491757.00000000035D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.490491757.00000000035D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.307617934.00000000033C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.307617934.00000000033C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.483754094.0000000000F20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.483754094.0000000000F20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 5_2_050C9540: NtReadFile, LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 5_2_050C95D0: NtClose, LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 5_2_050C9710: NtQueryInformationToken, LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function 5_2_050C9780: NtMapViewOfSection, LdrInitializeThunk
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C97A0 NtUnmapViewOfSection,LdrInitializeThunk,5_2_050C97A0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9660 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_050C9660
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C96E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_050C96E0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_050C9910
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C99A0 NtCreateSection,LdrInitializeThunk,5_2_050C99A0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9840 NtDelayExecution,LdrInitializeThunk,5_2_050C9840
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9860 NtQuerySystemInformation,LdrInitializeThunk,5_2_050C9860
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C98F0 NtReadVirtualMemory,LdrInitializeThunk,5_2_050C98F0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9A00 NtProtectVirtualMemory,LdrInitializeThunk,5_2_050C9A00
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9A20 NtResumeThread,LdrInitializeThunk,5_2_050C9A20
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9A50 NtCreateFile,LdrInitializeThunk,5_2_050C9A50
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9520 NtWaitForSingleObject,5_2_050C9520
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050CAD30 NtSetContextThread,5_2_050CAD30
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9560 NtWriteFile,5_2_050C9560
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C95F0 NtQueryInformationFile,5_2_050C95F0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050CA710 NtOpenProcessToken,5_2_050CA710
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9730 NtQueryVirtualMemory,5_2_050C9730
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9760 NtOpenProcess,5_2_050C9760
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050CA770 NtOpenThread,5_2_050CA770
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9770 NtSetInformationFile,5_2_050C9770
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9FE0 NtCreateMutant,5_2_050C9FE0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9610 NtEnumerateValueKey,5_2_050C9610
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9650 NtQueryValueKey,5_2_050C9650
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9670 NtQueryInformationProcess,5_2_050C9670
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C96D0 NtCreateKey,5_2_050C96D0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9950 NtQueueApcThread,5_2_050C9950
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C99D0 NtCreateProcessEx,5_2_050C99D0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9820 NtEnumerateKey,5_2_050C9820
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050CB040 NtSuspendThread,5_2_050CB040
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C98A0 NtWriteVirtualMemory,5_2_050C98A0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9B00 NtSetValueKey,5_2_050C9B00
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050CA3B0 NtGetContextThread,5_2_050CA3B0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9A10 NtQuerySection,5_2_050C9A10
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050C9A80 NtOpenDirectoryObject,5_2_050C9A80
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10429850 NtCreateFile,5_2_10429850
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10429900 NtReadFile,5_2_10429900
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10429980 NtClose,5_2_10429980
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10429A30 NtAllocateVirtualMemory,5_2_10429A30
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_104298FA NtReadFile,5_2_104298FA
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_1042997A NtClose,5_2_1042997A
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10429A2A NtAllocateVirtualMemory,5_2_10429A2A
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9560 NtWriteFile,LdrInitializeThunk,15_2_057D9560
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9540 NtReadFile,LdrInitializeThunk,15_2_057D9540
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_057D9910
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D95D0 NtClose,LdrInitializeThunk,15_2_057D95D0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D99A0 NtCreateSection,LdrInitializeThunk,15_2_057D99A0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9860 NtQuerySystemInformation,LdrInitializeThunk,15_2_057D9860
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9840 NtDelayExecution,LdrInitializeThunk,15_2_057D9840
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9770 NtSetInformationFile,LdrInitializeThunk,15_2_057D9770
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9710 NtQueryInformationToken,LdrInitializeThunk,15_2_057D9710
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9B00 NtSetValueKey,LdrInitializeThunk,15_2_057D9B00
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9FE0 NtCreateMutant,LdrInitializeThunk,15_2_057D9FE0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9780 NtMapViewOfSection,LdrInitializeThunk,15_2_057D9780
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9660 NtAllocateVirtualMemory,LdrInitializeThunk,15_2_057D9660
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9650 NtQueryValueKey,LdrInitializeThunk,15_2_057D9650
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9A50 NtCreateFile,LdrInitializeThunk,15_2_057D9A50
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9610 NtEnumerateValueKey,LdrInitializeThunk,15_2_057D9610
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D96E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_057D96E0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D96D0 NtCreateKey,LdrInitializeThunk,15_2_057D96D0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9950 NtQueueApcThread,15_2_057D9950
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057DAD30 NtSetContextThread,15_2_057DAD30
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9520 NtWaitForSingleObject,15_2_057D9520
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D95F0 NtQueryInformationFile,15_2_057D95F0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D99D0 NtCreateProcessEx,15_2_057D99D0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057DB040 NtSuspendThread,15_2_057DB040
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9820 NtEnumerateKey,15_2_057D9820
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D98F0 NtReadVirtualMemory,15_2_057D98F0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D98A0 NtWriteVirtualMemory,15_2_057D98A0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057DA770 NtOpenThread,15_2_057DA770
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9760 NtOpenProcess,15_2_057D9760
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9730 NtQueryVirtualMemory,15_2_057D9730
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057DA710 NtOpenProcessToken,15_2_057DA710
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057DA3B0 NtGetContextThread,15_2_057DA3B0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D97A0 NtUnmapViewOfSection,15_2_057D97A0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9670 NtQueryInformationProcess,15_2_057D9670
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9A20 NtResumeThread,15_2_057D9A20
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9A10 NtQuerySection,15_2_057D9A10
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9A00 NtProtectVirtualMemory,15_2_057D9A00
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057D9A80 NtOpenDirectoryObject,15_2_057D9A80
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F39850 NtCreateFile,15_2_00F39850
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F39980 NtClose,15_2_00F39980
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F39900 NtReadFile,15_2_00F39900
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F39A30 NtAllocateVirtualMemory,15_2_00F39A30
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F398FA NtReadFile,15_2_00F398FA
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F3997A NtClose,15_2_00F3997A
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F39A2A NtAllocateVirtualMemory,15_2_00F39A2A
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exeCode function: 0_3_02317064
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_05152D07
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_05080D20
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_05151D55
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_051525DD
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_0509D5E0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_0509841F
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_0514D466
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_0515DFCE
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_05151FF1
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_0514D616
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050A6E30
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_05152EF7
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_0508F900
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050A4120
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_05141002
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_0515E824
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_0509B090
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050B20A0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_051520A8
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_051528EC
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_05152B28
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_050BEBB0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_0514DBD2
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_051403DA
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_051522AE
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_1042D80C
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10411027
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10411030
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_1042D141
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10411176
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_1042C9D9
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_1042CC95
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10412D88
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10412D90
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_1042DF0C
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10419F80
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 5_2_10412FB0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05790D20
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057B4120
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_0579F900
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057AD5E0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05861D55
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057A841F
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_05851002
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057AB090
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057CEBB0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_057B6E30
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F3D80C
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F3C9D9
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F3D141
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F3CC95
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F22D90
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F22D88
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F22FB0
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F29F80
        Source: C:\Windows\SysWOW64\explorer.exeCode function: 15_2_00F3DF0C
        Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 0579B150 appears 32 times
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: String function: 0508B150 appears 35 times
        Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exeStatic PE information: invalid certificate
        Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe, 00000000.00000000.217950477.00000000004B1000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameProcexp.exeB vs SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe
        Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe, 00000000.00000000.217950477.00000000004B1000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamebn, vs SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe
        Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exeBinary or memory string: OriginalFilenameProcexp.exeB vs SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe
        Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exeBinary or memory string: OriginalFilenamebn, vs SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe
        Source: 00000000.00000003.251878722.0000000002AAC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.251878722.0000000002AAC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.252686303.0000000002ADC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.252686303.0000000002ADC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 0000000F.00000002.490362004.00000000035A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000F.00000002.490362004.00000000035A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.249232147.0000000002AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.249232147.0000000002AC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.252416229.0000000002AAC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.252416229.0000000002AAC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.250571861.0000000002AAC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.250571861.0000000002AAC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000005.00000002.307592061.0000000003390000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000005.00000002.307592061.0000000003390000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000005.00000002.312249405.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000005.00000002.312249405.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.252144494.0000000002A7C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.252144494.0000000002A7C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 0000000F.00000002.490491757.00000000035D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000F.00000002.490491757.00000000035D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.251780833.0000000002AAC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.251780833.0000000002AAC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000005.00000002.307617934.00000000033C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000005.00000002.307617934.00000000033C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.251986914.0000000002AAC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.251986914.0000000002AAC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 0000000F.00000002.483754094.0000000000F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000F.00000002.483754094.0000000000F20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.252067920.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.252067920.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.248407548.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.248407548.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.248569192.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.248569192.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.252174904.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.252174904.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.248254843.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.248254843.0000000002AC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.252527950.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.252527950.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.252232973.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.252232973.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.248076978.0000000002AA8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.248076978.0000000002AA8000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.251704041.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.251704041.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.251601842.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.251601842.0000000002AAC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 5.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 5.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 5.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 5.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/4@10/2
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\Orftttt[1]
        Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\KP63BSE2\KP6logri.ini
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\SysWOW64\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Virustotal: Detection: 41%
        Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | ReversingLabs: Detection: 27%
        Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe'
        Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
        Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
        Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
        Source: C:\Windows\SysWOW64\explorer.exe | File written: C:\Users\user\AppData\Roaming\KP63BSE2\KP6logri.ini
        Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
        Source: Binary string: explorer.pdbUGP source: ieinstal.exe, 00000005.00000002.308726415.0000000005390000.00000040.00000001.sdmp
        Source: Binary string: ieinstal.pdbGCTL source: explorer.exe, 0000000F.00000002.492956643.0000000005C9F000.00000004.00000001.sdmp
        Source: Binary string: ieinstal.pdb source: explorer.exe, 0000000F.00000002.492956643.0000000005C9F000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000005.00000002.308000410.0000000005060000.00000040.00000001.sdmp, explorer.exe, 0000000F.00000002.492499036.000000000588F000.00000040.00000001.sdmp
        Source: Binary string: wntdll.pdb source: ieinstal.exe, explorer.exe
        Source: Binary string: explorer.pdb source: ieinstal.exe, 00000005.00000002.308726415.0000000005390000.00000040.00000001.sdmp
        Source: SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Static PE information: real checksum: 0xceb97 should be: 0xce741
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_022B081A push ds; retf 0_3_022B0836
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_022B5C41 push ds; ret 0_3_022B5D60
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_022B0889 push ds; retf 0_3_022B0836
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_022B5D34 push ds; ret 0_3_022B5D60
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_022B7FA7 push ds; retf 0_3_022B7FC8
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_0230D204 push 0041A460h; ret 0_3_0230D228
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_02311A64 push 0041ECCCh; ret 0_3_02311A94
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_02321268 push 004066F4h; ret 0_3_0232128C
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_022F9270 push 004064CCh; ret 0_3_022F9294
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_0230D244 push 0041A4A0h; ret 0_3_0230D268
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_0230D2B4 push 0041A510h; ret 0_3_0230D2D8
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_022F92A8 push 00406504h; ret 0_3_022F92CC
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_02328288 push 0040D714h; ret 0_3_023282AC
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_02328AE8 push 0040DF74h; ret 0_3_02328B0C
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_023082D8 push 0041557Eh; ret 0_3_02308346
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_02311ADC push 0041ED38h; ret 0_3_02311B00
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_023282C0 push 0040D74Ch; ret 0_3_023282E4
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_0230D30C push 0041A568h; ret 0_3_0230D330
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_022FFB64 push 0040CE03h; ret 0_3_022FFBCB
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_02308350 push 00415628h; ret 0_3_023083F0
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_02322B54 push ecx; mov dword ptr [esp], eax 0_3_02322B55
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_02321078 push 00406504h; ret 0_3_0232109C
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_02321040 push 004064CCh; ret 0_3_02321064
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_0230D0C0 push 0041A39Bh; ret 0_3_0230D163
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_023128C4 push 0041FB71h; ret 0_3_02312939
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_02327934 push 0040CE03h; ret 0_3_0232799B
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_0230E114 push 0041B37Ch; ret 0_3_0230E144
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_0230D170 push 0041A430h; ret 0_3_0230D1F8
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_022FF9E4 push 0040CD90h; ret 0_3_022FFB58
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_023279DC push 0040CE68h; ret 0_3_02327A00
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Stealer.29274.13916.exe | Code function: 0_3_02312E18 push 004200B0h; ret 0_3_02312E78
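The "real checksum ... should be" row above means the CheckSum field stored in the PE optional header disagrees with the value recomputed over the file. The code below is an added example, not code from the report or from Joe Sandbox, implementing the algorithm Windows uses for that field: sum the file as 16-bit little-endian words with end-around carry, skip the four bytes of the CheckSum field itself, fold to 16 bits and add the file length. It runs over a constructed, minimal PE-shaped buffer whose stored CheckSum of 0xDEADBEEF is deliberately wrong; the buffer layout, the size 0x200 and the function names are assumptions of this example.

```python
import struct


def build_sample_pe(size: int = 0x200) -> bytes:
    """Constructed sample: a minimal PE-shaped buffer (not a loadable image) carrying
    only the header fields the checksum logic needs. Not taken from the analysed file."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"                                  # IMAGE_DOS_HEADER.e_magic
    struct.pack_into("<I", buf, 0x3C, 0x40)           # e_lfanew: NT headers at 0x40
    buf[0x40:0x44] = b"PE\0\0"                        # IMAGE_NT_HEADERS.Signature
    struct.pack_into("<H", buf, 0x44, 0x014C)         # FileHeader.Machine = i386
    struct.pack_into("<H", buf, 0x58, 0x010B)         # OptionalHeader.Magic = PE32
    struct.pack_into("<I", buf, 0x98, 0xDEADBEEF)     # OptionalHeader.CheckSum (bogus)
    return bytes(buf)


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (signature) + 20 (COFF
    header) + 0x40; the same offset applies to PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + 0x58


def compute_pe_checksum(data: bytes) -> int:
    """Windows PE checksum: ones'-complement sum of 16-bit words, excluding the
    CheckSum field, folded to 16 bits, plus the file length."""
    skip = checksum_field_offset(data)
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off == skip or off == skip + 2:            # the 4-byte CheckSum field is excluded
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)      # end-around carry
    if len(data) % 2:                                 # odd trailing byte counts as a low byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def verify_pe_checksum(data: bytes):
    """Return (stored, computed, matches); a False third element is this report's finding."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = compute_pe_checksum(data)
    return stored, computed, stored == computed


def set_pe_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum, which is what a linker's /RELEASE step does."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), compute_pe_checksum(data))
    return bytes(buf)


SAMPLE = build_sample_pe()

if __name__ == "__main__":
    stored, computed, ok = verify_pe_checksum(SAMPLE)
    print(f"stored 0x{stored:x} computed 0x{computed:x} match={ok}")
    print("after set_pe_checksum:", verify_pe_checksum(set_pe_checksum(SAMPLE))[2])
```

On a user-mode executable a mismatch is a weak indicator on its own: the user-mode loader does not verify the field (Windows checks it for drivers and a few system images), linkers other than MSVC with /RELEASE routinely leave it at zero, and any packer or post-build patch that does not recompute it produces exactly this finding. Its value in a report like this one is corroboration that the file was altered after it was linked.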

        Boot Survival:

        Creates an undocumented autostart registry key
        Source: C:\Windows\SysWOW64\explorer.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run QLRPEV505RV
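The key in the row above is the one Group Policy's "Run these programs at user logon" setting populates: Explorer launches every value under it at logon, so it is an autostart location (ATT&CK T1547.001), but it is monitored far less often than the plain ...\CurrentVersion\Run key, and here the writer is the 32-bit explorer.exe copy from SysWOW64 that the process tree above shows being spawned. The detector below is an added example, not part of the report, that runs over constructed Sysmon Event ID 13 (RegistryEvent, value set) records and flags every value written under that key. The SID, the image paths, the value data and the benign events are made up; only the value name QLRPEV505RV comes from the report.

```python
import re
from typing import Dict, List

# Group Policy's "Run these programs at user logon" key. Sysmon reports HKCU as
# HKU\<SID>, so match on the suffix only, case-insensitively.
POLICY_RUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Directories an unprivileged user can write to; autostart data pointing here is a
# stronger signal than data pointing into Program Files or System32.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

# Constructed Sysmon Event ID 13 records. Field names follow Sysmon's schema; the
# SID, paths and benign entries are invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "13", "Image": "C:\\Windows\\SysWOW64\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-100-200-300-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\QLRPEV505RV",
     "Details": "C:\\Users\\user\\AppData\\Roaming\\Example\\example.exe"},
    {"EventID": "13", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},
    {"EventID": "13", "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-100-200-300-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\Updater",
     "Details": "C:\\Users\\user\\AppData\\Local\\Temp\\upd.exe"},
    {"EventID": "12", "Image": "C:\\Windows\\explorer.exe",   # key created, carries no command
     "TargetObject": "HKU\\S-1-5-21-100-200-300-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
     "Details": ""},
]


def find_policy_run_persistence(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One finding per value-set event that lands under Policies\\Explorer\\Run."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "13":                 # only value writes carry the autostart command
            continue
        m = POLICY_RUN_RE.search(ev.get("TargetObject", ""))
        if not m:
            continue
        image = ev.get("Image", "")
        details = ev.get("Details", "")
        findings.append({
            "value": m.group("value"),
            "image": image,
            "data": details,
            # command in a user-writable directory: typical for a dropped payload
            "data_in_user_dir": bool(USER_WRITABLE_RE.search(details)),
            # the 32-bit shell copy under SysWOW64 does not run the desktop on x64
            # Windows; a write from it matches the injected process in this report
            "wow64_shell_writer": image.lower().endswith("\\syswow64\\explorer.exe"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_policy_run_persistence(SAMPLE_EVENTS):
        print(finding)
```

In a SIEM the same logic is a single rule on TargetObject; the two extra booleans are there to rank hits, not to gate them. One tuning caveat: on domain-joined hosts the Group Policy client legitimately writes this key when a "Run these programs at user logon" policy is in effect, so allowlist that writer in your environment rather than the key as a whole.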

        Hooking and other Techniques for Hiding and Protection:

        Modifies the prolog of user mode functions (user mode inline hooks)
        Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x93 0x38
        Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | RDTSC instruction interceptor: First address: 00000000104198B4 second address: 00000000104198BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | RDTSC instruction interceptor: First address: 0000000010419B2E second address: 0000000010419B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 0000000000F298B4 second address: 0000000000F298BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 0000000000F29B2E second address: 0000000000F29B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 5_2_050C6DE6 rdtsc 5_2_050C6DE6
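The interceptor rows above show the skeleton of the timing check: two rdtsc reads six bytes apart, with the low half of the first reading parked in ecx in between. The scanner below is an added example, not part of the report, that finds such closely spaced rdtsc pairs in raw code bytes, the static counterpart of what the sandbox observed at run time. The sample bytes are constructed: the report lists the instructions but not their encoding, so the 31 C9 / 01 C1 forms of xor ecx,ecx and add ecx,eax are an assumption (33 C9 / 03 C8 are equally valid), and the filler around them is made up.

```python
from typing import List, Tuple

RDTSC = b"\x0f\x31"   # x86 opcode for rdtsc (EDX:EAX <- time-stamp counter)

# Constructed code bytes. The 8-byte run in the middle is the sequence the report
# shows at 104198B4/104198BA; the encoding is assumed, the rest is filler.
SAMPLE_CODE = (
    b"\x55\x8b\xec" * 4                      # push ebp; mov ebp, esp (12 bytes of filler)
    + b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"    # rdtsc / xor ecx,ecx / add ecx,eax / rdtsc
    + b"\x90" * 40                           # nop sled
    + b"\x0f\x31"                            # a lone rdtsc with no partner nearby
    + b"\x90" * 40
)


def rdtsc_offsets(code: bytes) -> List[int]:
    """Every offset at which the two-byte rdtsc opcode occurs."""
    out, pos = [], code.find(RDTSC)
    while pos != -1:
        out.append(pos)
        pos = code.find(RDTSC, pos + 2)
    return out


def find_rdtsc_pairs(code: bytes, max_gap: int = 16) -> List[Tuple[int, int]]:
    """Consecutive rdtsc opcodes at most max_gap bytes apart.

    Two reads bracketing a handful of instructions is the shape of a timing check:
    the code between them is what gets measured, and the sample branches on how
    far apart the two counter values are.
    """
    offs = rdtsc_offsets(code)
    return [(a, b) for a, b in zip(offs, offs[1:]) if b - a <= max_gap]


if __name__ == "__main__":
    print("rdtsc at", rdtsc_offsets(SAMPLE_CODE))
    print("timing-check candidates", find_rdtsc_pairs(SAMPLE_CODE))
```

The opcode 0F 31 is common in data, so run this over executable sections only and confirm hits with a disassembler before treating them as an indicator. What the check is looking for: on a hypervisor that traps or virtualises rdtsc, or under a single-stepping debugger, the difference between the two readings is far larger than on bare metal, and the sample takes a different path when it is.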