
Analysis Report 65BV6gbGFl.exe

Overview

General Information

Sample Name: 65BV6gbGFl.exe
Analysis ID: 339315
MD5: deed11e2b4b23dbe0c9ef99b5390bd6f
SHA1: 158662003b5e63c1419267d5e8b0d4ce79e72081
SHA256: 326090842ee6d692e02ae131a2003658939f60e79bceb7bad983cfe16400062f
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 65BV6gbGFl.exe (PID: 6372 cmdline: 'C:\Users\user\Desktop\65BV6gbGFl.exe' MD5: DEED11E2B4B23DBE0C9EF99B5390BD6F)
    • 65BV6gbGFl.exe (PID: 3028 cmdline: C:\Users\user\Desktop\65BV6gbGFl.exe MD5: DEED11E2B4B23DBE0C9EF99B5390BD6F)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 6952 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 7144 cmdline: /c del 'C:\Users\user\Desktop\65BV6gbGFl.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook


Yara Overview

Memory Dumps

Source: 00000006.00000002.1008317476.0000000000EE0000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000006.00000002.1008317476.0000000000EE0000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000006.00000002.1008317476.0000000000EE0000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000006.00000002.1008210672.0000000000DA0000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000006.00000002.1008210672.0000000000DA0000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 1.2.65BV6gbGFl.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.65BV6gbGFl.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 1.2.65BV6gbGFl.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x175f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1770c:$sqlite3step: 68 34 1C 7B E1
  • 0x17628:$sqlite3text: 68 38 2A 90 C5
  • 0x1774d:$sqlite3text: 68 38 2A 90 C5
  • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17763:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.2.65BV6gbGFl.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.65BV6gbGFl.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 65BV6gbGFl.exe, Avira: detected
Found malware configuration
Source: 1.2.65BV6gbGFl.exe.400000.0.unpack, Malware Configuration Extractor: FormBook
Multi AV Scanner detection for submitted file
Source: 65BV6gbGFl.exe, Virustotal: Detection: 34%
Yara detected FormBook
Source: Yara match, File source: 00000006.00000002.1008317476.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1008210672.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.705655666.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1008715043.0000000003240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.705409685.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.668132085.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.704845326.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.65BV6gbGFl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.65BV6gbGFl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 65BV6gbGFl.exe, Joe Sandbox ML: detected
Source: 1.2.65BV6gbGFl.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 65BV6gbGFl.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 65BV6gbGFl.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.677864614.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 65BV6gbGFl.exe, 00000001.00000002.705832250.00000000012CF000.00000040.00000001.sdmp, NETSTAT.EXE, 00000006.00000002.1009183411.000000000394F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 65BV6gbGFl.exe, NETSTAT.EXE
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.677864614.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\65BV6gbGFl.exe, Code function: 4x nop then pop esi, 1_2_00417295
Source: C:\Users\user\Desktop\65BV6gbGFl.exe, Code function: 4x nop then pop esi, 1_2_004172A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop esi, 6_2_00DB7295
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop esi, 6_2_00DB72A5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.186.238.101:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.186.238.101:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.186.238.101:80
Uses netstat to query active network connections and open ports
Source: unknown, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic, HTTP traffic detected: GET /kgw/?tTrL=Fpgl&D81dO=Q8j3zo2PyWwTAT2GiUT3xIethN2qaDDEMDPTiTcyve6+EbM4cYnHuFUs864URq+F/upv HTTP/1.1, Host: www.fallguysmovile.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /kgw/?tTrL=Fpgl&D81dO=KjbuJJdeVq7diM0Fg7aQkrQXEwOw5P1EeEOzKgXGIrFUAWFa+z+/Ho4yN3tuV7ElJqtC HTTP/1.1, Host: www.pxwuo.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /kgw/?D81dO=3dsCTSsKJfcfLyYHdfjcimIAevlOxP45YAOPNmiGb3RckDOY5KdZ2EMbApwY76ndqYux&tTrL=Fpgl HTTP/1.1, Host: www.outlawgospelshow.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /kgw/?tTrL=Fpgl&D81dO=v5Yiuhvr0F6MYz3e4dEgNYCJUmrmKekWwpiHMAfHDUslibx/6TCs/ka/UcoIa2V5gzCm HTTP/1.1, Host: www.karybeautycare.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 35.186.238.101
Source: Joe Sandbox View, IP Address: 199.59.242.153
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: Joe Sandbox View, ASN Name: BODIS-NJUS
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: unknown, DNS traffic detected: queries for: www.fallguysmovile.com
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: 65BV6gbGFl.exe, 00000000.00000002.666713130.0000000002FD1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000000.666700748.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.688345208.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: 65BV6gbGFl.exe, 00000000.00000002.666363002.00000000013EA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000006.00000002.1008317476.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1008210672.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.705655666.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.1008715043.0000000003240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.705409685.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.668132085.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.704845326.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.65BV6gbGFl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.65BV6gbGFl.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000006.00000002.1008317476.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1008317476.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1008210672.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1008210672.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.705655666.0000000001170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.705655666.0000000001170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.1008715043.0000000003240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.1008715043.0000000003240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.705409685.0000000000C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.705409685.0000000000C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.668132085.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.668132085.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.704845326.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.704845326.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 1.2.65BV6gbGFl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.65BV6gbGFl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 1.2.65BV6gbGFl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.65BV6gbGFl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_00419D50 NtCreateFile
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_00419E00 NtReadFile
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_00419E80 NtClose
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_00419F30 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_00419D4B NtCreateFile
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_00419DFE NtReadFile
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_00419DA4 NtCreateFile
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_00419E7A NtClose
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_00419F2B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_012199A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_012198F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_012195D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_012197A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_012196E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219950 NtQueueApcThread
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_012199D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219820 NtEnumerateKey
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_0121B040 NtSuspendThread
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_012198A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219B00 NtSetValueKey
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_0121A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219A10 NtQuerySection
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_0121AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219560 NtWriteFile
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_012195F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_0121A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219760 NtOpenProcess
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_0121A770 NtOpenThread
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219770 NtSetInformationFile
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_01219650 NtQueryValueKey
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_012196D0 NtCreateKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_038999A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_038996D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_038996E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_038995D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0389A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899A10 NtQuerySection
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899A20 NtResumeThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_038999D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_038998A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_038998F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0389B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_038997A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0389A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899760 NtOpenProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0389A770 NtOpenThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_038995F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0389AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03899560 NtWriteFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DB9D50 NtCreateFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DB9E80 NtClose
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DB9E00 NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DB9F30 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DB9DFE NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DB9DA4 NtCreateFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DB9D4B NtCreateFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DB9E7A NtClose
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DB9F2B NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 0385B150 appears 133 times
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: String function: 011DB150 appears 87 times
          Source: 65BV6gbGFl.exe, 00000000.00000002.666713130.0000000002FD1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSoapName.dll2 vs 65BV6gbGFl.exe
          Source: 65BV6gbGFl.exe, 00000000.00000002.668132085.0000000003FD1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePositiveSign.dll< vs 65BV6gbGFl.exe
          Source: 65BV6gbGFl.exe, 00000000.00000002.666363002.00000000013EA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 65BV6gbGFl.exe
          Source: 65BV6gbGFl.exe, 00000000.00000002.666144409.0000000000D24000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUnicodeCategory.exe8 vs 65BV6gbGFl.exe
          Source: 65BV6gbGFl.exe, 00000001.00000002.705832250.00000000012CF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 65BV6gbGFl.exe
          Source: 65BV6gbGFl.exe, 00000001.00000002.705302329.00000000007B4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUnicodeCategory.exe8 vs 65BV6gbGFl.exe
          Source: 65BV6gbGFl.exe | Binary or memory string: OriginalFilenameUnicodeCategory.exe8 vs 65BV6gbGFl.exe
          Source: 65BV6gbGFl.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000006.00000002.1008317476.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1008317476.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1008210672.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1008210672.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.705655666.0000000001170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.705655666.0000000001170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1008715043.0000000003240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1008715043.0000000003240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.705409685.0000000000C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.705409685.0000000000C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.668132085.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.668132085.0000000003FD1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.704845326.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.704845326.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.65BV6gbGFl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.65BV6gbGFl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.65BV6gbGFl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.65BV6gbGFl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 65BV6gbGFl.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@5/4
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\65BV6gbGFl.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Mutant created: \Sessions\1\BaseNamedObjects\UkPkTE
          Source: 65BV6gbGFl.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: 65BV6gbGFl.exe | Virustotal: Detection: 34%
          Source: unknown | Process created: C:\Users\user\Desktop\65BV6gbGFl.exe 'C:\Users\user\Desktop\65BV6gbGFl.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\65BV6gbGFl.exe C:\Users\user\Desktop\65BV6gbGFl.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\65BV6gbGFl.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Process created: C:\Users\user\Desktop\65BV6gbGFl.exe C:\Users\user\Desktop\65BV6gbGFl.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\65BV6gbGFl.exe'
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 65BV6gbGFl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 65BV6gbGFl.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.677864614.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 65BV6gbGFl.exe, 00000001.00000002.705832250.00000000012CF000.00000040.00000001.sdmp, NETSTAT.EXE, 00000006.00000002.1009183411.000000000394F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 65BV6gbGFl.exe, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.677864614.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 0_2_06216DEC push eax; ret 0_2_06216DED
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 0_2_0621CA49 push B9FFFFFDh; retn 0002h 0_2_0621CA4E
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 0_2_06305D6C pushfd ; iretd 0_2_06305D71
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 0_2_06305BB0 push eax; iretd 0_2_06305BB1
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 0_2_0630C009 push es; iretd 0_2_0630C030
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_004169BB push esi; ret 1_2_004169BC
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_0040AB07 push ds; retf 1_2_0040AB09
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_00414E05 push ss; retf 1_2_00414E06
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_0041CEF2 push eax; ret 1_2_0041CEF8
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_0041CEFB push eax; ret 1_2_0041CF62
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_0041CEA5 push eax; ret 1_2_0041CEF8
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_0041CF5C push eax; ret 1_2_0041CF62
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Code function: 1_2_0122D0D1 push ecx; ret 1_2_0122D0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_038AD0D1 push ecx; ret 6_2_038AD0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DB69BB push esi; ret 6_2_00DB69BC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DAAB07 push ds; retf 6_2_00DAAB09
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DBCEFB push eax; ret 6_2_00DBCF62
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DBCEF2 push eax; ret 6_2_00DBCEF8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DBCEA5 push eax; ret 6_2_00DBCEF8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DB4E05 push ss; retf 6_2_00DB4E06
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_00DBCF5C push eax; ret 6_2_00DBCF62
          Source: initial sample | Static PE information: section name: .text entropy: 7.4280270646

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE5
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 00000000.00000002.666713130.0000000002FD1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: 65BV6gbGFl.exe PID: 6372, type: MEMORY
          Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\65BV6gbGFl.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController