
Analysis Report Editing Remittance copy.exe

Overview

General Information

Sample Name: Editing Remittance copy.exe
Analysis ID: 299316
MD5: fe348898b6d84d43a80dfbc48d94c63d
SHA1: 0d4e6ca64ef3b7978ef7361ffa72bf58911b8f62
SHA256: 77e828d113038623ccfca7e111b60675fd36ea404545f8ce828d7f8505244f0d
Tags: exe


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Editing Remittance copy.exe (PID: 5924 cmdline: 'C:\Users\user\Desktop\Editing Remittance copy.exe' MD5: FE348898B6D84D43A80DFBC48D94C63D)
    • Editing Remittance copy.exe (PID: 5844 cmdline: C:\Users\user\Desktop\Editing Remittance copy.exe MD5: FE348898B6D84D43A80DFBC48D94C63D)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 240 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 5836 cmdline: /c del 'C:\Users\user\Desktop\Editing Remittance copy.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000008.00000002.504573534.00000000009E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.504573534.00000000009E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000008.00000002.504573534.00000000009E0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000000.00000002.246311731.0000000003749000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.246311731.0000000003749000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

Source | Rule | Description | Author
1.2.Editing Remittance copy.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Editing Remittance copy.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
1.2.Editing Remittance copy.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
1.2.Editing Remittance copy.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Editing Remittance copy.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

Multi AV Scanner detection for submitted file
Source: Editing Remittance copy.exe | Virustotal: Detection: 46%
Source: Editing Remittance copy.exe | ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match | File source: 00000008.00000002.504573534.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246311731.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505370482.0000000002E80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.289924730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505203858.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.290309175.00000000012B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.290375860.00000000012E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Editing Remittance copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Editing Remittance copy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Editing Remittance copy.exe | Joe Sandbox ML: detected
Source: 1.2.Editing Remittance copy.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 4x nop then pop esi 1_2_004172F7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop esi 8_2_009F72F7

          Networking:

Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /u2e/?BzutV2=3fdHYBNp00JtVX&I6uheLZ0=3/wfS+uPD3FA00y1RkRqzlG6VzJLnSw3168JR3AQRgtlqw2lJnSD2rXmXd6QExESMEsV HTTP/1.1 | Host: www.pomp.coffee | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /u2e/?I6uheLZ0=qK/CwyctO8nVFM2iIWxECYBU6YXMkIBrZXkaqHZ8+7hseSdhWDLJ3HAY8sibMw8WSg2B&BzutV2=3fdHYBNp00JtVX HTTP/1.1 | Host: www.adesignmuseum.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.54.117.216 198.54.117.216
Source: Joe Sandbox View | ASN Name: MEDIATEMPLEUS MEDIATEMPLEUS
Source: C:\Windows\explorer.exe | Code function: 2_2_0723A7A2 getaddrinfo,setsockopt,recv,2_2_0723A7A2
Source: unknown | DNS traffic detected: queries for: www.pomp.coffee
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 16 Oct 2020 14:14:43 GMT | Server: Apache/2.4.39 | Content-Length: 280 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /u2e/ was not found on this server.</p><hr><address>Apache/2.4.39 Server at www.adesignmuseum.net Port 80</address></body></html>
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Editing Remittance copy.exe, 00000000.00000002.245779977.0000000002741000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.272044011.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000008.00000002.508252887.0000000003E9F000.00000004.00000001.sdmp | String found in binary or memory: https://www.kumpanews.com/u2e/?BzutV2=3fdHYBNp00JtVX&amp;I6uheLZ0=Xt2Ut7Kf8teTq30zElhQHQshqcUevA6FBj

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000008.00000002.504573534.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246311731.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505370482.0000000002E80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.289924730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.505203858.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.290309175.00000000012B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.290375860.00000000012E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.Editing Remittance copy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Editing Remittance copy.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.504573534.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.504573534.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.246311731.0000000003749000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.246311731.0000000003749000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.505370482.0000000002E80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.505370482.0000000002E80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.289924730.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.289924730.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.505203858.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.505203858.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.290309175.00000000012B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.290309175.00000000012B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.290375860.00000000012E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.290375860.00000000012E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Editing Remittance copy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Editing Remittance copy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Editing Remittance copy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Editing Remittance copy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_0041A060 NtClose,1_2_0041A060
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_0041A110 NtAllocateVirtualMemory,1_2_0041A110
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_00419F30 NtCreateFile,1_2_00419F30
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_00419FE0 NtReadFile,1_2_00419FE0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_0041A05B NtClose,1_2_0041A05B
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_0041A10B NtAllocateVirtualMemory,1_2_0041A10B
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_00419EEA NtCreateFile,1_2_00419EEA
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_00419F2A NtCreateFile,1_2_00419F2A
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_00419FE2 NtReadFile,1_2_00419FE2
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_017E9910
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E99A0 NtCreateSection,LdrInitializeThunk,1_2_017E99A0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9860 NtQuerySystemInformation,LdrInitializeThunk,1_2_017E9860
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9840 NtDelayExecution,LdrInitializeThunk,1_2_017E9840
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E98F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_017E98F0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9A50 NtCreateFile,LdrInitializeThunk,1_2_017E9A50
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9A20 NtResumeThread,LdrInitializeThunk,1_2_017E9A20
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_017E9A00
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9540 NtReadFile,LdrInitializeThunk,1_2_017E9540
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E95D0 NtClose,LdrInitializeThunk,1_2_017E95D0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9710 NtQueryInformationToken,LdrInitializeThunk,1_2_017E9710
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E97A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_017E97A0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9780 NtMapViewOfSection,LdrInitializeThunk,1_2_017E9780
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_017E9660
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E96E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_017E96E0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9950 NtQueueApcThread,1_2_017E9950
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E99D0 NtCreateProcessEx,1_2_017E99D0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017EB040 NtSuspendThread,1_2_017EB040
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9820 NtEnumerateKey,1_2_017E9820
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E98A0 NtWriteVirtualMemory,1_2_017E98A0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9B00 NtSetValueKey,1_2_017E9B00
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017EA3B0 NtGetContextThread,1_2_017EA3B0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9A10 NtQuerySection,1_2_017E9A10
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9A80 NtOpenDirectoryObject,1_2_017E9A80
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9560 NtWriteFile,1_2_017E9560
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017EAD30 NtSetContextThread,1_2_017EAD30
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9520 NtWaitForSingleObject,1_2_017E9520
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E95F0 NtQueryInformationFile,1_2_017E95F0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017EA770 NtOpenThread,1_2_017EA770
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9770 NtSetInformationFile,1_2_017E9770
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9760 NtOpenProcess,1_2_017E9760
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9730 NtQueryVirtualMemory,1_2_017E9730
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017EA710 NtOpenProcessToken,1_2_017EA710
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9FE0 NtCreateMutant,1_2_017E9FE0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9670 NtQueryInformationProcess,1_2_017E9670
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9650 NtQueryValueKey,1_2_017E9650
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E9610 NtEnumerateValueKey,1_2_017E9610
Source: C:\Users\user\Desktop\Editing Remittance copy.exe | Code function: 1_2_017E96D0 NtCreateKey,1_2_017E96D0
Source: C:\Windows\explorer.exe | Code function: 2_2_07239A52 NtCreateFile,2_2_07239A52
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9710 NtQueryInformationToken,LdrInitializeThunk,8_2_034E9710
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9FE0 NtCreateMutant,LdrInitializeThunk,8_2_034E9FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9780 NtMapViewOfSection,LdrInitializeThunk,8_2_034E9780
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9650 NtQueryValueKey,LdrInitializeThunk,8_2_034E9650
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9A50 NtCreateFile,LdrInitializeThunk,8_2_034E9A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9660 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_034E9660
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E96D0 NtCreateKey,LdrInitializeThunk,8_2_034E96D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E96E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_034E96E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9540 NtReadFile,LdrInitializeThunk,8_2_034E9540
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_034E9910
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E95D0 NtClose,LdrInitializeThunk,8_2_034E95D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E99A0 NtCreateSection,LdrInitializeThunk,8_2_034E99A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9840 NtDelayExecution,LdrInitializeThunk,8_2_034E9840
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9860 NtQuerySystemInformation,LdrInitializeThunk,8_2_034E9860
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9760 NtOpenProcess,8_2_034E9760
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9770 NtSetInformationFile,8_2_034E9770
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034EA770 NtOpenThread,8_2_034EA770
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9B00 NtSetValueKey,8_2_034E9B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034EA710 NtOpenProcessToken,8_2_034EA710
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9730 NtQueryVirtualMemory,8_2_034E9730
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E97A0 NtUnmapViewOfSection,8_2_034E97A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034EA3B0 NtGetContextThread,8_2_034EA3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9670 NtQueryInformationProcess,8_2_034E9670
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9A00 NtProtectVirtualMemory,8_2_034E9A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9610 NtEnumerateValueKey,8_2_034E9610
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9A10 NtQuerySection,8_2_034E9A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9A20 NtResumeThread,8_2_034E9A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9A80 NtOpenDirectoryObject,8_2_034E9A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9950 NtQueueApcThread,8_2_034E9950
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9560 NtWriteFile,8_2_034E9560
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9520 NtWaitForSingleObject,8_2_034E9520
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034EAD30 NtSetContextThread,8_2_034EAD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E99D0 NtCreateProcessEx,8_2_034E99D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E95F0 NtQueryInformationFile,8_2_034E95F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034EB040 NtSuspendThread,8_2_034EB040
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E9820 NtEnumerateKey,8_2_034E9820
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E98F0 NtReadVirtualMemory,8_2_034E98F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_034E98A0 NtWriteVirtualMemory,8_2_034E98A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_009FA060 NtClose,8_2_009FA060
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 8_2_009FA110 NtAllocateVirtualMemory,8_2_009FA110
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_009F9FE0 NtReadFile,8_2_009F9FE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_009F9F30 NtCreateFile,8_2_009F9F30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_009FA05B NtClose,8_2_009FA05B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_009FA10B NtAllocateVirtualMemory,8_2_009FA10B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_009F9EEA NtCreateFile,8_2_009F9EEA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_009F9FE2 NtReadFile,8_2_009F9FE2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 8_2_009F9F2A NtCreateFile,8_2_009F9F2A
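          The native-call list above is the interesting part of this section: the code at 0x034E9xxx in process 8 (NETSTAT.EXE) calls the Nt* layer directly, and the set covers everything needed to write into and start execution in another process (NtOpenProcess/NtOpenThread, NtUnmapViewOfSection, NtCreateSection, NtWriteVirtualMemory, NtQueueApcThread, NtSetContextThread, NtResumeThread, NtCreateProcessEx), which is what the "Queues an APC", "Modifies the context of a thread" and "Maps a DLL or memory area into another process" signatures in the summary are built on. The following script is an added example, not part of the report or of Joe Sandbox: it parses report lines in this layout, groups the native calls per process and flags any process whose calls span target acquisition, memory write and execution. The input lines are a subset of this report's lines; the stage grouping is the author's own heuristic.

```python
import re
from collections import defaultdict

# Constructed input: a subset of this report's "Code function" lines
# (source path, process_run_address, called native APIs).
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034E99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034E9760 NtOpenProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034E97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034E98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034E9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034EAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034E9A20 NtResumeThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034E99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009F9F30 NtCreateFile
Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_00DFB274
"""

# Tolerates both the cleaned layout above and the fused "EXECode function:" form.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<apis>\S*)"
)

# Native calls grouped by the role they play in a write-then-execute injection
# (heuristic grouping by the author of this example).
STAGES = {
    "target": {"NtOpenProcess", "NtOpenThread", "NtSuspendThread",
               "NtGetContextThread", "NtCreateProcessEx"},
    "write": {"NtAllocateVirtualMemory", "NtWriteVirtualMemory",
              "NtProtectVirtualMemory", "NtCreateSection",
              "NtMapViewOfSection", "NtUnmapViewOfSection"},
    "execute": {"NtQueueApcThread", "NtSetContextThread",
                "NtResumeThread", "NtCreateThreadEx"},
}


def parse(lines):
    """Return {process_id: {"source": path, "apis": set, "addresses": set}}."""
    procs = defaultdict(lambda: {"source": None, "apis": set(), "addresses": set()})
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        p = procs[int(m["pid"])]
        p["source"] = m["src"]
        p["addresses"].add(int(m["addr"], 16))
        p["apis"].update(a for a in m["apis"].split(",") if a)
    return dict(procs)


def injection_stages(apis):
    """Which injection stages are covered by the given set of native APIs."""
    return {stage for stage, names in STAGES.items() if apis & names}


def flag_injectors(procs):
    """Process ids whose native-call set spans target, write and execute."""
    return sorted(pid for pid, p in procs.items()
                  if injection_stages(p["apis"]) == set(STAGES))


if __name__ == "__main__":
    procs = parse(REPORT_LINES)
    for pid, p in sorted(procs.items()):
        print(pid, p["source"], sorted(injection_stages(p["apis"])))
    print("injection candidates:", flag_injectors(procs))
```

          Run against the full report, the same grouping shows process 1 (the second copy of the sample) with the same coverage; the 0x009Fxxxx functions in process 8 and the 0x0041xxxx functions in process 1 share their low 16 bits, i.e. the same payload image mapped at 0x9E0000 and 0x400000, which is exactly what the two YARA memory matches below point at.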
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_00DFB274
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_00DFC2B0
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_00DFB271
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_00DF99A0
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C77430
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C79AE0
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C76BE8
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C77423
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C773D8
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0041D8A3
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0041E1AE
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0041EC93
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_00409E40
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_00409E3B
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0041E77F
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017C4120
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017AF900
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017C99BF
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_018720A8
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017CA830
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_018728EC
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_01861002
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0187E824
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017D20A0
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017BB090
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017CAB40
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0186DBD2
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_018603DA
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_018523E3
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017CA309
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017DABD8
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_01872B28
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0184CB4F
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017DEBB0
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017D138B
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_018722AE
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017CB236
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_01864AEF
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0185FA2B
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_01862D82
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017A0D20
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_018725DD
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_01872D07
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017BD5E0
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_01871D55
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017D2581
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017CB477
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_01864496
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017B841F
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0186D466
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0187DFCE
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_01871FF1
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017C6E30
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_01872EF7
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0186D616
          Source: C:\Windows\explorer.exe  Code function: 2_2_07239A52
          Source: C:\Windows\explorer.exe  Code function: 2_2_07234B22
          Source: C:\Windows\explorer.exe  Code function: 2_2_07234B1F
          Source: C:\Windows\explorer.exe  Code function: 2_2_07237152
          Source: C:\Windows\explorer.exe  Code function: 2_2_0723CA0C
          Source: C:\Windows\explorer.exe  Code function: 2_2_07230069
          Source: C:\Windows\explorer.exe  Code function: 2_2_07230072
          Source: C:\Windows\explorer.exe  Code function: 2_2_07238882
          Source: C:\Windows\explorer.exe  Code function: 2_2_07231CE9
          Source: C:\Windows\explorer.exe  Code function: 2_2_07231CF2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034DEBB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034C6E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_03571D55
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034AF900
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034A0D20
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034C4120
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_03561002
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034B841F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034BB090
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009FE1AE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009FEC93
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009E2D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009E2D87
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009E9E3B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009E9E40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009E2FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009FE77F
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: String function: 017AB150 appears 136 times
          Source: Editing Remittance copy.exe  Binary or memory string: OriginalFilename vs Editing Remittance copy.exe
          Source: Editing Remittance copy.exe, 00000000.00000000.237541950.0000000000352000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameGgwP.exe6 vs Editing Remittance copy.exe
          Source: Editing Remittance copy.exe, 00000000.00000002.245779977.0000000002741000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameexag vs Editing Remittance copy.exe
          Source: Editing Remittance copy.exe, 00000001.00000002.291585635.0000000001A2F000.00000040.00000001.sdmp  Binary or memory string: OriginalFilenamentdll.dllj% vs Editing Remittance copy.exe
          Source: Editing Remittance copy.exe, 00000001.00000002.289964177.0000000000CA2000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameGgwP.exe6 vs Editing Remittance copy.exe
          Source: Editing Remittance copy.exe  Binary or memory string: OriginalFilenameGgwP.exe6 vs Editing Remittance copy.exe
          Source: 00000008.00000002.504573534.00000000009E0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.504573534.00000000009E0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.246311731.0000000003749000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.246311731.0000000003749000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.505370482.0000000002E80000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.505370482.0000000002E80000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.289924730.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.289924730.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.505203858.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.505203858.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.290309175.00000000012B0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.290309175.00000000012B0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.290375860.00000000012E0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.290375860.00000000012E0000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Editing Remittance copy.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Editing Remittance copy.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Editing Remittance copy.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Editing Remittance copy.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Editing Remittance copy.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine  Classification label: mal100.troj.evad.winEXE@7/1@3/2
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Editing Remittance copy.exe.log
          Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4656:120:WilError_01
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe  File read: C:\Windows\System32\drivers\etc\hosts
          Source: Editing Remittance copy.exe  Virustotal: Detection: 46%
          Source: Editing Remittance copy.exe  ReversingLabs: Detection: 33%
          Source: unknown  Process created: C:\Users\user\Desktop\Editing Remittance copy.exe 'C:\Users\user\Desktop\Editing Remittance copy.exe'
          Source: unknown  Process created: C:\Users\user\Desktop\Editing Remittance copy.exe C:\Users\user\Desktop\Editing Remittance copy.exe
          Source: unknown  Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknown  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Editing Remittance copy.exe'
          Source: unknown  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Process created: C:\Users\user\Desktop\Editing Remittance copy.exe C:\Users\user\Desktop\Editing Remittance copy.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Editing Remittance copy.exe'
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Editing Remittance copy.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Editing Remittance copy.exe  Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000002.518424947.0000000006FE0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Editing Remittance copy.exe, 00000001.00000002.291242529.000000000189F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.506371322.000000000359F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Editing Remittance copy.exe, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000002.518424947.0000000006FE0000.00000002.00000001.sdmp
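          The "Process created" lines above give the whole execution chain: the .NET sample starts, launches a second copy of itself (the host that is hollowed and filled with the native payload, which is where the 0x400000 YARA match comes from), a NETSTAT.EXE with no arguments appears from a parent the sandbox could not attribute, and that NETSTAT.EXE runs cmd.exe /c del against the original file. Each link is detectable from plain process-creation telemetry. The script below is an added example, not part of the report: it runs three such checks over constructed events modelled on these lines. Only PID 5924 is from the report; the other PIDs, and explorer.exe as the parent of NETSTAT.EXE (the report says "unknown"; it separately shows the payload hooking explorer.exe), are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\user\Desktop\Editing Remittance copy.exe"

# Constructed telemetry modelled on the "Process created" lines of this report.
# Only PID 5924 appears in the report; the other pids and explorer.exe as the
# parent of NETSTAT.EXE are assumptions made for this example.
EVENTS = [
    ProcEvent(5924, 4000, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(5960, 5924, SAMPLE, SAMPLE),
    ProcEvent(3200, 3100, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6120, 3200, r"C:\Windows\SysWOW64\NETSTAT.EXE",
              r"C:\Windows\SysWOW64\NETSTAT.EXE"),
    ProcEvent(6180, 6120, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),
    ProcEvent(6200, 6180, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

DEL_RE = re.compile(r"/c\s+del\s+['\"]?(?P<path>[^'\"]+)", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv_tail(ev):
    """Command line with the image (quoted or bare) stripped off the front."""
    cl = ev.cmdline.strip()
    for form in (f"'{ev.image}'", f'"{ev.image}"', ev.image):
        if cl.lower().startswith(form.lower()):
            return cl[len(form):].strip()
    return cl


def detect(events):
    """Return (rule, pid) pairs for the three links of the chain seen above."""
    by_pid = {e.pid: e for e in events}
    images_seen = {e.image.lower() for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # 1. A process starting a second copy of its own image: loader plus
        #    hollowed host, as in "Injects a PE file into a foreign processes".
        if parent and parent.image.lower() == e.image.lower():
            hits.append(("self_spawn", e.pid))
        # 2. explorer.exe launching a 32-bit system console tool with no
        #    arguments is not how a user runs netstat (heuristic).
        if (parent and basename(parent.image) == "explorer.exe"
                and "\\syswow64\\" in e.image.lower()
                and argv_tail(e) == ""):
            hits.append(("explorer_spawns_syswow64_tool", e.pid))
        # 3. cmd.exe deleting a file that is the image of a process in the same
        #    telemetry: the payload removing the dropper it came from.
        m = DEL_RE.search(e.cmdline) if basename(e.image) == "cmd.exe" else None
        if m and m["path"].strip().lower() in images_seen:
            hits.append(("deletes_executed_sample", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} pid={pid}")
```

          Rule 3 is the one with the best signal-to-noise ratio on a real endpoint: a command shell deleting a file that was executed moments earlier, from a parent that is a system utility, almost never happens legitimately. Rule 2 needs the parent relationship, which is why the sandbox's "unknown" parent for NETSTAT.EXE matters: in EDR telemetry the injected explorer.exe would be the recorded parent.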

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Editing Remittance copy.exe, FastResourceComparer.cs  .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Editing Remittance copy.exe.350000.0.unpack, FastResourceComparer.cs  .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Editing Remittance copy.exe.350000.0.unpack, FastResourceComparer.cs  .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.Editing Remittance copy.exe.ca0000.1.unpack, FastResourceComparer.cs  .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.Editing Remittance copy.exe.ca0000.0.unpack, FastResourceComparer.cs  .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C78500 pushad ; ret 0_2_04C78751
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C7741D push B88400CCh; ret 0_2_04C77422
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C725A8 push ebx; retn 0004h 0_2_04C725BA
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C727C3 push es; ret 0_2_04C727CA
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C727C1 push es; ret 0_2_04C727C2
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C727DB push es; ret 0_2_04C727E2
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C727D9 push es; ret 0_2_04C727DA
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C737B8 push ebx; retn 5504h 0_2_04C73896
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C732C7 push esp; retn 0004h 0_2_04C732D2
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C772AE push 8BF04589h; retf 0_2_04C772B3
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 0_2_04C7AD7B push E808568Dh; iretd 0_2_04C7AD4D
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_00410854 push FFFFFFFDh; iretd 1_2_00410856
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0041D0D2 push eax; ret 1_2_0041D0D8
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0041D0DB push eax; ret 1_2_0041D142
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0041D085 push eax; ret 1_2_0041D0D8
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0041D13C push eax; ret 1_2_0041D142
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0041E186 push dword ptr [B2588A5Eh]; ret 1_2_0041E1A6
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0040E2C3 push ecx; retf 1_2_0040E2C6
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_00408286 push ds; retf 1_2_0040828A
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_00416B0F push edx; ret 1_2_00416B1E
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_0041A796 push eax; retf 1_2_0041A79C
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Code function: 1_2_017FD0D1 push ecx; ret 1_2_017FD0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_034FD0D1 push ecx; ret 8_2_034FD0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009FD085 push eax; ret 8_2_009FD0D8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009FD0DB push eax; ret 8_2_009FD142
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009FD0D2 push eax; ret 8_2_009FD0D8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009F0854 push FFFFFFFDh; iretd 8_2_009F0856
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009FE186 push dword ptr [B2588A5Eh]; ret 8_2_009FE1A6
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009FE109 push ss; retf 8_2_009FE113
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009FD13C push eax; ret 8_2_009FD142
          Source: C:\Windows\SysWOW64\NETSTAT.EXE  Code function: 8_2_009E8286 push ds; retf 8_2_009E828A
          Source: initial sample  Static PE information: section name: .text entropy: 7.67316702344
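          The last line is the static hint behind the whole Data Obfuscation block: a .text entropy of 7.67 in what the COM descriptor directory identifies as a .NET assembly means most of that section is not IL but compressed or encrypted data, which fits the Assembly.Load(byte[]) call found in FastResourceComparer.cs and the native FormBook image that later appears in memory. The two-section PE parser below is an added example, not part of the report or of any scanner: it reads the section table with the standard library only and reports per-section entropy, using a constructed PE skeleton (random-looking .text, plain .rdata) as input. The 7.0 threshold is a common heuristic, not a rule; many legitimate installers and obfuscated .NET binaries exceed it, so the number is a reason to look at the unpacker, not a verdict.

```python
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def section_entropies(pe: bytes):
    """Walk the PE section table and return [(name, entropy, raw_size)]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        out.append((name, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), raw_size))
    return out


def packed_sections(pe: bytes, threshold: float = 7.0):
    """Sections whose content looks compressed or encrypted (heuristic)."""
    return [n for n, h, size in section_entropies(pe) if size and h >= threshold]


def build_demo_pe(seed: int = 1) -> bytes:
    """Constructed two-section PE skeleton; parses, but is not a loadable image."""
    rng = random.Random(seed)
    text = bytes(rng.getrandbits(8) for _ in range(0x1000))      # "packed" code
    rdata = (b"Editing Remittance copy.exe\0" * 20)[:0x200]       # plain strings
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytes(0xE0)

    def sec(name, vsize, vaddr, rsize, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr,
                           0, 0, 0, 0, chars)

    table = (sec(b".text", 0x1000, 0x1000, 0x1000, 0x200, 0x60000020)
             + sec(b".rdata", 0x200, 0x2000, 0x200, 0x1200, 0x40000040))
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0")
    return headers + text + rdata


if __name__ == "__main__":
    pe = build_demo_pe()
    for name, h, size in section_entropies(pe):
        print(f"{name:8s} {size:#8x} bytes  entropy {h:.3f}")
    print("packed candidates:", packed_sections(pe))
```

          Feed `section_entropies()` the sample itself and the .text figure should come out at the 7.67 the report gives; a stripped .NET assembly with plain IL usually sits around 5.5 to 6.5.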

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe  User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE2
          Source: C:\Users\user\Desktop\Editing Remittance copy.exe  Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match; File source: 00000000.00000002.245779977.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.245868876.000000000278B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Editing Remittance copy.exe PID: 5924, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Editing Remittance copy.exe, 00000000.00000002.245779977.0000000002741000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
Source: Editing Remittance copy.exe, 00000000.00000002.245779977.0000000002741000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE; RDTSC instruction interceptor: First address: 00000000009E98E4 second address: 00000000009E98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE; RDTSC instruction interceptor: First address: 00000000009E9B5E second address: 00000000009E9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Editing Remittance copy.exe TID: 5948; Thread sleep time: -51232s >= -30000s
Source: C:\Users\user\Desktop\Editing Remittance copy.exe TID: 5936; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5692; Thread sleep count: 37 > 30
Source: C:\Windows\explorer.exe TID: 5692; Thread sleep time: -74000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6068; Thread sleep time: -50000s >= -30000s
Source: C:\Windows\explorer.exe; Last function: Thread delayed
Source: C:\Windows\explorer.exe; Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Last function: Thread delayed
Source: explorer.exe, 00000002.00000000.268847408.000000000891C000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00dRom0
Source: Editing Remittance copy.exe, 00000000.00000002.245779977.0000000002741000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.268847408.000000000891C000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.267752033.0000000008270000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Editing Remittance copy.exe, 00000000.00000002.245779977.0000000002741000.00000004.00000001.sdmp; Binary or memory string: vmware
Source: Editing Remittance copy.exe, 00000000.00000002.245779977.0000000002741000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: explorer.exe, 00000002.00000000.252307293.0000000003767000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.276815671.000000000DC20000.00000004.00000001.sdmp; Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000002.00000000.248822704.00000000011B3000.00000004.00000020.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000002.00000000.276815671.000000000DC20000.00000004.00000001.sdmp; Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BD
Source: explorer.exe, 00000002.00000000.268983820.00000000089B5000.00000004.00000001.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000002.00000000.267752033.0000000008270000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.257963207.00000000053C4000.00000004.00000001.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000002.00000000.267752033.0000000008270000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.268983820.00000000089B5000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000002.00000000.276815671.000000000DC20000.00000004.00000001.sdmp; Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B|
Source: Editing Remittance copy.exe, 00000000.00000002.245779977.0000000002741000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.267752033.0000000008270000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Process queried: DebugPort
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_0040ACD0 LdrLoadDll, 1_2_0040ACD0
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017AB171 mov eax, dword ptr fs:[00000030h] 1_2_017AB171
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017AB171 mov eax, dword ptr fs:[00000030h] 1_2_017AB171
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017AC962 mov eax, dword ptr fs:[00000030h] 1_2_017AC962
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_018649A4 mov eax, dword ptr fs:[00000030h] 1_2_018649A4
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_018649A4 mov eax, dword ptr fs:[00000030h] 1_2_018649A4
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_018649A4 mov eax, dword ptr fs:[00000030h] 1_2_018649A4
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_018649A4 mov eax, dword ptr fs:[00000030h] 1_2_018649A4
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_018269A6 mov eax, dword ptr fs:[00000030h] 1_2_018269A6
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017CB944 mov eax, dword ptr fs:[00000030h] 1_2_017CB944
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017CB944 mov eax, dword ptr fs:[00000030h] 1_2_017CB944
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_018251BE mov eax, dword ptr fs:[00000030h] 1_2_018251BE
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_018251BE mov eax, dword ptr fs:[00000030h] 1_2_018251BE
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_018251BE mov eax, dword ptr fs:[00000030h] 1_2_018251BE
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_018251BE mov eax, dword ptr fs:[00000030h] 1_2_018251BE
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017D513A mov eax, dword ptr fs:[00000030h] 1_2_017D513A
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017D513A mov eax, dword ptr fs:[00000030h] 1_2_017D513A
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C4120 mov eax, dword ptr fs:[00000030h] 1_2_017C4120
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C4120 mov eax, dword ptr fs:[00000030h] 1_2_017C4120
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C4120 mov eax, dword ptr fs:[00000030h] 1_2_017C4120
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C4120 mov eax, dword ptr fs:[00000030h] 1_2_017C4120
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C4120 mov ecx, dword ptr fs:[00000030h] 1_2_017C4120
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_018341E8 mov eax, dword ptr fs:[00000030h] 1_2_018341E8
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017A9100 mov eax, dword ptr fs:[00000030h] 1_2_017A9100
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017A9100 mov eax, dword ptr fs:[00000030h] 1_2_017A9100
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017A9100 mov eax, dword ptr fs:[00000030h] 1_2_017A9100
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017AB1E1 mov eax, dword ptr fs:[00000030h] 1_2_017AB1E1
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017AB1E1 mov eax, dword ptr fs:[00000030h] 1_2_017AB1E1
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017AB1E1 mov eax, dword ptr fs:[00000030h] 1_2_017AB1E1
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C99BF mov ecx, dword ptr fs:[00000030h] 1_2_017C99BF
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C99BF mov ecx, dword ptr fs:[00000030h] 1_2_017C99BF
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C99BF mov eax, dword ptr fs:[00000030h] 1_2_017C99BF
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C99BF mov ecx, dword ptr fs:[00000030h] 1_2_017C99BF
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C99BF mov ecx, dword ptr fs:[00000030h] 1_2_017C99BF
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C99BF mov eax, dword ptr fs:[00000030h] 1_2_017C99BF
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C99BF mov ecx, dword ptr fs:[00000030h] 1_2_017C99BF
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C99BF mov ecx, dword ptr fs:[00000030h] 1_2_017C99BF
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C99BF mov eax, dword ptr fs:[00000030h] 1_2_017C99BF
Source: C:\Users\user\Desktop\Editing Remittance copy.exe; Code function: 1_2_017C99BF mov ecx, dword ptr fs:[00000030h]