Analysis Report 010-116.exe

Overview

General Information

Sample Name: 010-116.exe
Analysis ID: 299592
MD5: 4b55cb7e5402691815a7b61d3c2a1ff8
SHA1: b36bfb26a435b044445d9ce3bab91b3bebf5e967
SHA256: b791ce91936d65f90d9ca761c1999ea8330b66d3c3aede92564395d4778b5955
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 010-116.exe (PID: 6568 cmdline: 'C:\Users\user\Desktop\010-116.exe' MD5: 4B55CB7E5402691815A7B61D3C2A1FF8)
    • AddInProcess32.exe (PID: 3528 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • WerFault.exe (PID: 572 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 172 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000000.00000003.384915087.00000000064E4000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000003.384915087.00000000064E4000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group

Unpacked PEs

Source | Rule | Description | Author | Strings
15.2.AddInProcess32.exe.3d0000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
15.2.AddInProcess32.exe.3d0000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
15.2.AddInProcess32.exe.3d0000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 010-116.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: 010-116.exe | Virustotal: Detection: 45%
Source: 010-116.exe | ReversingLabs: Detection: 47%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.384915087.00000000064E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.378538318.0000000006557000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.378610939.0000000006558000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.397239474.0000000003C94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.376958805.000000000654E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.411832298.00000000003D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.397140093.0000000003BAF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.378691298.0000000006558000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379668402.000000000656B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 15.2.AddInProcess32.exe.3d0000.1.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 010-116.exe | Joe Sandbox ML: detected
Source: 15.2.AddInProcess32.exe.3d0000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://s2.symcb.com0
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://sv.symcd.com0&
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr | String found in binary or memory: https://d.symcb.com/rpa0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.384915087.00000000064E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.378538318.0000000006557000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.378610939.0000000006558000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.397239474.0000000003C94000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.376958805.000000000654E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.411832298.00000000003D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.397140093.0000000003BAF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.378691298.0000000006558000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.379668402.000000000656B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 15.2.AddInProcess32.exe.3d0000.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.384915087.00000000064E4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.378538318.0000000006557000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.378610939.0000000006558000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.397239474.0000000003C94000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.397239474.0000000003C94000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.376958805.000000000654E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.411832298.00000000003D1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.411832298.00000000003D1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.397140093.0000000003BAF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.397140093.0000000003BAF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.378691298.0000000006558000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000003.379668402.000000000656B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.AddInProcess32.exe.3d0000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.AddInProcess32.exe.3d0000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: 010-116.exe, u0033wu002fwu00299u003f4cxu002571n_u007e8iou002b2u002d5/u0037xu002fu005b5ugu003e30tu002au003a4gj.cs | Large array initialization: 0e#r^83f?{4vw!19d[%6g5q}y: array initializer size 220176
Source: 0.0.010-116.exe.6d0000.0.unpack, u0033wu002fwu00299u003f4cxu002571n_u007e8iou002b2u002d5/u0037xu002fu005b5ugu003e30tu002au003a4gj.cs | Large array initialization: 0e#r^83f?{4vw!19d[%6g5q}y: array initializer size 220176
Source: 0.2.010-116.exe.6d0000.0.unpack, u0033wu002fwu00299u003f4cxu002571n_u007e8iou002b2u002d5/u0037xu002fu005b5ugu003e30tu002au003a4gj.cs | Large array initialization: 0e#r^83f?{4vw!19d[%6g5q}y: array initializer size 220176
Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0106F05C CreateProcessAsUserW
Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_00B50198
Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_00B50188
Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0106E4A8
Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_01069CC8
Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_01069CD8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 15_2_00202050
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Source: C:\Users\user\Desktop\010-116.exe | Code function: String function: 01062CC0 appears 53 times
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 172
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamerunfileinmemoryLib.dllF vs 010-116.exe
Source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs 010-116.exe
Source: 010-116.exe, 00000000.00000002.397028118.0000000003ADD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamef.dll$ vs 010-116.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.384915087.00000000064E4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.378538318.0000000006557000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.378610939.0000000006558000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.397239474.0000000003C94000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.397239474.0000000003C94000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.376958805.000000000654E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.411832298.00000000003D1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.411832298.00000000003D1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.397140093.0000000003BAF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.397140093.0000000003BAF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.378691298.0000000006558000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.379668402.000000000656B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.AddInProcess32.exe.3d0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.AddInProcess32.exe.3d0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 010-116.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 010-116.exe, tu002f59zu002byu007e23ju002a_1q6mu007du003d8pnu005b/hu007e53qu0040u003f0k8mu0025ru002c6.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.010-116.exe.6d0000.0.unpack, tu002f59zu002byu007e23ju002a_1q6mu007du003d8pnu005b/hu007e53qu0040u003f0k8mu0025ru002c6.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.010-116.exe.6d0000.0.unpack, tu002f59zu002byu007e23ju002a_1q6mu007du003d8pnu005b/hu007e53qu0040u003f0k8mu0025ru002c6.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/8@0/0
Source: C:\Users\user\Desktop\010-116.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\010-116.exe.log
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3528
Source: C:\Users\user\Desktop\010-116.exe | File created: C:\Users\user\AppData\Local\Temp\c7ebace9-d4f3-4576-b8fe-2fe996e42813
Source: C:\Users\user\Desktop\010-116.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\010-116.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 010-116.exe | Virustotal: Detection: 45%
Source: 010-116.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\010-116.exe | File read: C:\Users\user\Desktop\010-116.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\010-116.exe 'C:\Users\user\Desktop\010-116.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 172
Source: C:\Users\user\Desktop\010-116.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\Desktop\010-116.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 010-116.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 010-116.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000012.00000003.393571833.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: clrjit.pdb source: 010-116.exe, 00000000.00000003.376723327.000000000681B000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000012.00000003.393571833.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000012.00000003.393571833.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 0000000F.00000002.411777917.0000000000202000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000012.00000003.393571833.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: 010-116.exe, 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, Fdf.dll.0.dr

Data Obfuscation:

        .NET source code contains potential unpackerShow sources
        Source: 010-116.exe, ou003a4u002d8pcu003e79r_u003d1p5tu0028qu005d0u003f6u/m_12lu0025u002b3vcu002c67ju007dru003a54hu003du00289g8tu005eu007b0tgu00216u002d2.cs.Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.010-116.exe.6d0000.0.unpack, ou003a4u002d8pcu003e79r_u003d1p5tu0028qu005d0u003f6u/m_12lu0025u002b3vcu002c67ju007dru003a54hu003du00289g8tu005eu007b0tgu00216u002d2.cs.Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.010-116.exe.6d0000.0.unpack, ou003a4u002d8pcu003e79r_u003d1p5tu0028qu005d0u003f6u/m_12lu0025u002b3vcu002c67ju007dru003a54hu003du00289g8tu005eu007b0tgu00216u002d2.cs.Net Code: .cctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: Fdf.dll.0.drStatic PE information: section name: .didat
        Source: Fdf.dll.0.drStatic PE information: section name: .00cfg
        Source: AgileDotNetRT.dll.0.drStatic PE information: section name: .didat
        Source: AgileDotNetRT.dll.0.drStatic PE information: section name: .00cfg
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0071027D push cs; ret 0_2_0071027E
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070F36C push cs; ret 0_2_0070F36D
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0071065A push cs; ret 0_2_0071065B
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070E846 push cs; ret 0_2_0070E847
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070F247 push 6F156B82h; retf 0_2_0070F250
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070F73A push cs; ret 0_2_0070F73B
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070F21C push esi; retf 0_2_0070F23A
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070EC03 push cs; ret 0_2_0070EC04
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070FAF0 push cs; ret 0_2_0070FAF1
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_007109FA push cs; ret 0_2_007109FB
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070DCE0 push cs; ret 0_2_0070DCE1
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070E0D9 push cs; ret 0_2_0070E0DA
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070DFC1 push cs; ret 0_2_0070DFC2
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070FEB8 push cs; ret 0_2_0070FEB9
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_00710DA5 push cs; ret 0_2_00710DA6
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070EF91 push cs; ret 0_2_0070EF92
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070EA98 push ecx; ret 0_2_0070EA99
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_0070E488 push cs; ret 0_2_0070E489
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_01062C60 pushad ; ret 0_2_01062CB9
        Source: C:\Users\user\Desktop\010-116.exe | Code function: 0_2_010619C0 push eax; retf 0_2_010619C9
        Source: initial sample | Static PE information: section name: .text entropy: 7.81866043389
        Source: C:\Users\user\Desktop\010-116.exe | File created: C:\Users\user\AppData\Local\Temp\c7ebace9-d4f3-4576-b8fe-2fe996e42813\Fdf.dll
        Source: C:\Users\user\Desktop\010-116.exe | File created: C:\Users\user\AppData\Local\Temp\b35bc50e-fc56-4239-a7d0-bb79118b31c9\AgileDotNetRT.dll
        Source: C:\Users\user\Desktop\010-116.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
        Source: C:\Windows\SysWOW64\WerFault.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
        Source: C:\Users\user\Desktop\010-116.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\010-116.exe | RDTSC instruction interceptor: First address: 000000006F6D1D36 second address: 000000006F6D2A87 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-10h], eax 0x00000005 mov dword ptr [ebp-0Ch], edx 0x00000008 mov eax, dword ptr [ebp-10h] 0x0000000b sub eax, dword ptr [ebp-08h] 0x0000000e mov edx, dword ptr [ebp-0Ch] 0x00000011 sbb edx, dword ptr [ebp-04h] 0x00000014 pop edi 0x00000015 pop esi 0x00000016 pop ebx 0x00000017 mov esp, ebp 0x00000019 pop ebp 0x0000001a ret 0x0000001b mov dword ptr [6F6E53C0h], eax 0x00000020 mov dword ptr [6F6E53C4h], edx 0x00000026 mov dword ptr [ebp-0Ch], 00000000h 0x0000002d jmp 00007F9984D4F11Bh 0x0000002f mov eax, dword ptr [ebp-0Ch] 0x00000032 cmp eax, dword ptr [ebp+08h] 0x00000035 jnl 00007F9984D4F156h 0x00000037 rdtsc
        Source: C:\Users\user\Desktop\010-116.exe | RDTSC instruction interceptor: First address: 000000006F6D2A97 second address: 000000006F6D2A87 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-08h], eax 0x00000005 mov dword ptr [ebp-04h], edx 0x00000008 mov eax, dword ptr [ebp-08h] 0x0000000b sub eax, dword ptr [ebp-14h] 0x0000000e mov ecx, dword ptr [ebp-04h] 0x00000011 sbb ecx, dword ptr [ebp-10h] 0x00000014 mov dword ptr [ebp-5Ch], eax 0x00000017 mov dword ptr [ebp-58h], ecx 0x0000001a mov edx, dword ptr [ebp-58h] 0x0000001d cmp edx, dword ptr [6F6E53C4h] 0x00000023 jl 00007F9984DB4C45h 0x00000025 jnle 00007F9984DB4C7Dh 0x00000027 jmp 00007F9984DB4C1Dh 0x00000029 mov eax, dword ptr [ebp-0Ch] 0x0000002c add eax, 01h 0x0000002f mov dword ptr [ebp-0Ch], eax 0x00000032 mov eax, dword ptr [ebp-0Ch] 0x00000035 cmp eax, dword ptr [ebp+08h] 0x00000038 jnl 00007F9984DB4CB6h 0x0000003a rdtsc
        Source: C:\Users\user\Desktop\010-116.exe | RDTSC instruction interceptor: First address: 000000006FF51D36 second address: 000000006FF52A87 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-10h], eax 0x00000005 mov dword ptr [ebp-0Ch], edx 0x00000008 mov eax, dword ptr [ebp-10h] 0x0000000b sub eax, dword ptr [ebp-08h] 0x0000000e mov edx, dword ptr [ebp-0Ch] 0x00000011 sbb edx, dword ptr [ebp-04h] 0x00000014 pop edi 0x00000015 pop esi 0x00000016 pop ebx 0x00000017 mov esp, ebp 0x00000019 pop ebp 0x0000001a ret 0x0000001b mov dword ptr [6FF653C0h], eax 0x00000020 mov dword ptr [6FF653C4h], edx 0x00000026 mov dword ptr [ebp-0Ch], 00000000h 0x0000002d jmp 00007F9984D4F11Bh 0x0000002f mov eax, dword ptr [ebp-0Ch] 0x00000032 cmp eax, dword ptr [ebp+08h] 0x00000035 jnl 00007F9984D4F156h 0x00000037 rdtsc
        Source: C:\Users\user\Desktop\010-116.exe | RDTSC instruction interceptor: First address: 000000006FF52A97 second address: 000000006FF52A87 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-08h], eax 0x00000005 mov dword ptr [ebp-04h], edx 0x00000008 mov eax, dword ptr [ebp-08h] 0x0000000b sub eax, dword ptr [ebp-14h] 0x0000000e mov ecx, dword ptr [ebp-04h] 0x00000011 sbb ecx, dword ptr [ebp-10h] 0x00000014 mov dword ptr [ebp-5Ch], eax 0x00000017 mov dword ptr [ebp-58h], ecx 0x0000001a mov edx, dword ptr [ebp-58h] 0x0000001d cmp edx, dword ptr [6FF653C4h] 0x00000023 jl 00007F9984DB4C45h 0x00000025 jnle 00007F9984DB4C7Dh 0x00000027 jmp 00007F9984DB4C1Dh 0x00000029 mov eax, dword ptr [ebp-0Ch] 0x0000002c add eax, 01h 0x0000002f mov dword ptr [ebp-0Ch], eax 0x00000032 mov eax, dword ptr [ebp-0Ch] 0x00000035 cmp eax, dword ptr [ebp+08h] 0x00000038 jnl 00007F9984DB4CB6h 0x0000003a rdtsc
        Source: C:\Users\user\Desktop\010-116.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\010-116.exe | Window / User API: threadDelayed 515
        Source: C:\Users\user\Desktop\010-116.exe TID: 6684 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\010-116.exe TID: 6668 | Thread sleep count: 178 > 30
        Source: C:\Users\user\Desktop\010-116.exe TID: 6940 | Thread sleep count: 515 > 30
        Source: C:\Users\user\Desktop\010-116.exe TID: 6940 | Thread sleep count: 36 > 30
        Source: C:\Users\user\Desktop\010-116.exe TID: 6628 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
        Source: WerFault.exe, 00000012.00000002.411029642.0000000004AA0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: WerFault.exe, 00000012.00000002.411029642.0000000004AA0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: WerFault.exe, 00000012.00000002.411029642.0000000004AA0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: WerFault.exe, 00000012.00000002.411029642.0000000004AA0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\010-116.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\010-116.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\010-116.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\010-116.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 3D0000 protect: page execute and read and write
        Injects a PE file into a foreign process
        Source: C:\Users\user\Desktop\010-116.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 3D0000 value starts with: 4D5A
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\010-116.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 3D0000
        Source: C:\Users\user\Desktop\010-116.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 3D1000
        Source: C:\Users\user\Desktop\010-116.exe | Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 512008
        Source: C:\Users\user\Desktop\010-116.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
        Source: C:\Users\user\Desktop\010-116.exe | Queries volume information: C:\Users\user\Desktop\010-116.exe VolumeInformation
        Source: C:\Users\user\Desktop\010-116.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Users\user\Desktop\010-116.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
        Source: C:\Users\user\Desktop\010-116.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Users\user\Desktop\010-116.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected FormBook
        Source: Yara match | File source: 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.384915087.00000000064E4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.378538318.0000000006557000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.378610939.0000000006558000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.397239474.0000000003C94000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.376958805.000000000654E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.411832298.00000000003D1000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.397140093.0000000003BAF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.378691298.0000000006558000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.379668402.000000000656B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 15.2.AddInProcess32.exe.3d0000.1.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Yara detected FormBook
        Source: Yara match | File source: 00000000.00000002.397177164.0000000003BF9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.384915087.00000000064E4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.378538318.0000000006557000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.378610939.0000000006558000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.397239474.0000000003C94000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.376958805.000000000654E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000F.00000002.411832298.00000000003D1000.00000020.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.397140093.0000000003BAF000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.378691298.0000000006558000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.379668402.000000000656B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 15.2.AddInProcess32.exe.3d0000.1.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        A number in parentheses is the count of matched signatures for that technique; "-" marks an empty cell.
        Valid Accounts (1) | Windows Management Instrumentation | Valid Accounts (1) | Valid Accounts (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (121) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Access Token Manipulation (1) | Valid Accounts (1) | LSASS Memory | Virtualization/Sandbox Evasion (4) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection (311) | Modify Registry (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | DLL Side-Loading (1) | Access Token Manipulation (1) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion (4) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Disable or Modify Tools (1) | Cached Domain Credentials | System Information Discovery (122) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (311) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Deobfuscate/Decode Files or Information (11) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Obfuscated Files or Information (3) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | - | Data Destruction
        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Software Packing (13) | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | - | - | Data Encrypted for Impact
        Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | DLL Side-Loading (1) | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | - | - | Service Stop

        Behavior Graph


        Screenshots
