Source: Yara match | File source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY |
Source: KYC DEBIT 11202020.exe | Joe Sandbox ML: detected |
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 7788 |
Source: KYC DEBIT 11202020.exe, 00000000.00000002.300296289.0000000005740000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameJnMryRIPGtnuqyyG.bounce.exe4 vs KYC DEBIT 11202020.exe |
Source: KYC DEBIT 11202020.exe, 00000000.00000002.300792152.00000000060B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs KYC DEBIT 11202020.exe |
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll |
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll |
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll |
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.296816470.000000000112F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000003.233802022.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.299098805.00000000049C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000003.235477149.000000000112F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: KYC DEBIT 11202020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine | Classification label: mal60.troj.winEXE@33502/4@0/1 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4168 |
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE917.tmp |
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown | Process created: C:\Users\user\Desktop\KYC DEBIT 11202020.exe 'C:\Users\user\Desktop\KYC DEBIT 11202020.exe' |
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 |
Source: KYC DEBIT 11202020.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: KYC DEBIT 11202020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: mscorlib.pdb source: WERE917.tmp.dmp.3.dr |
Source: | Binary string: System.ni.pdbRSDS source: WERE917.tmp.dmp.3.dr |
Source: | Binary string: System.Drawing.pdb source: WERE917.tmp.dmp.3.dr |
Source: | Binary string: mscorlib.ni.pdb source: WERE917.tmp.dmp.3.dr |
Source: | Binary string: mscorlib.ni.pdbRSDS source: WERE917.tmp.dmp.3.dr |
Source: | Binary string: System.ni.pdb source: WERE917.tmp.dmp.3.dr |
Source: | Binary string: System.pdb source: WERE917.tmp.dmp.3.dr |
Source: initial sample | Static PE information: section name: .text entropy: 7.86097375794 |
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0 |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Process token adjusted: Debug |
Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug |
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Queries volume information: C:\Users\user\Desktop\KYC DEBIT 11202020.exe VolumeInformation |
Source: C:\Users\user\Desktop\KYC DEBIT 11202020.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |