
Analysis Report in.exe

Overview

General Information

Sample Name: in.exe
Analysis ID: 339331
MD5: cc35be28c18578d43849919ac1025d5a
SHA1: 60bcb41d5ef76af919c769fab88f53c6a623a83b
SHA256: 0c9d116a854e274534015e3e8e8349687c0c17b01653723642aeee53aa39bfac
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • in.exe (PID: 6496 cmdline: 'C:\Users\user\Desktop\in.exe' MD5: CC35BE28C18578D43849919AC1025D5A)
    • in.exe (PID: 6548 cmdline: 'C:\Users\user\Desktop\in.exe' MD5: CC35BE28C18578D43849919AC1025D5A)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 6264 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 5916 cmdline: /c del 'C:\Users\user\Desktop\in.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bc3", "KEY1_OFFSET 0x1d771", "CONFIG SIZE : 0xd9", "CONFIG OFFSET 0x1d873", "URL SIZE : 28", "searching string pattern", "strings_offset 0x1c373", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x64d4c905", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d739f", "0x9f715030", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0120e8", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01745", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", 
"0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", 
"encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "hrrecruitertraining.com", "pancakeroll.club", "equiposddl.com", "fab-9corporation.com", "seanformo.com", "fisika-uinam.com", "cheeseburgerpasta.com", "cherylkarlfineartist.com", "wunderprodukte.net", "3912699.com", "sanitizyo.com", "856381190.xyz", "aprobet42.xyz", "knutsfastigheter.com", "disalvospizzaitalian.com", "energysavingsolarpower.com", "oldwonderful.com", "se32688.com", "samkecollection.com", "colegioreynosa.com", "choujiushui.com", "njxgwxzx.com", "bairdexotics.com", "concur.design", "terrenosenofertaqueretaro.com", "demenageseul.com", "blvdabbey.com", "asghargloves.com", "livesoft.xyz", "dropdevil.com", "goldenhills-serpong.com", "haxb33.xyz", "splendid-nail.com", "indisburse.com", "indianapolishousepainter.com", "seak.xyz", "prohealth.today", "claudiarecom.com", "mariemenor.com", "surethingdesigns.com", "musesgirl.com", "hackmaninsurance.com", "partut.com", "smokeflake.com", "conhecimentovivo.science", "animalbiologics.com", "spontaneoushomeschooler.com", 
"thedailytrack.com", "zerofive100.com", "cyberfoxbat.com", "thepassvacation.com", "worldagroecologyalliance.com", "qsnlnntxg.icu", "destinationssc.com", "transparentnutritions.com", "millcreekimports.com", "cptdesignstudio.com", "isaacphotorestoration.com", "daxuangou.com", "redgumhomestead.com", "comsodigital.com", "sxweilan.com", "andrewsreadingjournal.com", "matchmakergenetics.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.besthandstool.icu/uds2/\u0000"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 further entries omitted)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.in.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
2.2.in.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.in.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
1.2.in.exe.2b50000.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
1.2.in.exe.2b50000.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further entries omitted)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: in.exe | Avira: detected
Found malware configuration
Source: 2.2.in.exe.400000.0.unpack | Malware Configuration Extractor: FormBook (the extracted configuration is listed in full in the Malware Configuration section above)
          Multi AV Scanner detection for submitted fileShow sources
          Source: in.exeVirustotal: Detection: 46%Perma Link
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE
          Machine Learning detection for sampleShow sources
          Source: in.exeJoe Sandbox ML: detected
          Source: 2.2.in.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.in.exe.2b50000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: in.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: in.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
          Source: Binary string: netstat.pdb source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: in.exe, 00000001.00000003.250116639.000000001ABB0000.00000004.00000001.sdmp, in.exe, 00000002.00000002.292914452.000000000179F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.600753548.0000000002D5F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: in.exe, NETSTAT.EXE
          Source: C:\Users\user\Desktop\in.exeCode function: 4x nop then pop edi2_2_0040E43D
          Source: C:\Users\user\Desktop\in.exeCode function: 4x nop then pop edi2_2_00416CAC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4x nop then pop edi11_2_0043E43D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4x nop then pop edi11_2_00446CAC

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49748 -> 198.185.159.144:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49748 -> 198.185.159.144:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49748 -> 198.185.159.144:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49751 -> 199.59.242.153:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49754 -> 94.23.162.163:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49754 -> 94.23.162.163:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49754 -> 94.23.162.163:80
          Uses netstat to query active network connections and open portsShow sources
          Source: unknownProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: global trafficHTTP traffic detected: GET /uds2/?Y4spQFW=vIE1ET6pQu49m+QHY7YrZ7t2bRuoKngw2h26Ua5bu/NnC6rxsHDfr4DpunyQx1XamxAZm7X6xg==&Ezu=VTChCL_ht2spUrI HTTP/1.1Host: www.seak.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /uds2/?Y4spQFW=G5yaYpuBg7XYabQFtGr/YwUbUG6Du4hspLJ6ti3LnsVJcslX7oGk4EUBP1FenotTMaF2IKx0Gw==&Ezu=VTChCL_ht2spUrI HTTP/1.1Host: www.cptdesignstudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /uds2/?Y4spQFW=nX62fi3FGck0KYkDLbl3wNFzysJuwQN4fQs5/MCF0tdU2wk9ctHDwkR8RP5qD5uIs0RtT2NFRQ==&Ezu=VTChCL_ht2spUrI HTTP/1.1Host: www.demenageseul.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /uds2/?Y4spQFW=n2X6clJmCA05S3ZeqrcWmU9LgTYh3Xo9IMSlcPg8h+SS+WcZ+1zi1nXkqGc0mRUifak24jBbuw==&Ezu=VTChCL_ht2spUrI HTTP/1.1Host: www.concur.designConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 199.59.242.153 199.59.242.153
          Source: Joe Sandbox ViewIP Address: 198.185.159.144 198.185.159.144
          Source: Joe Sandbox ViewASN Name: BODIS-NJUS BODIS-NJUS
          Source: global trafficHTTP traffic detected: GET /uds2/?Y4spQFW=vIE1ET6pQu49m+QHY7YrZ7t2bRuoKngw2h26Ua5bu/NnC6rxsHDfr4DpunyQx1XamxAZm7X6xg==&Ezu=VTChCL_ht2spUrI HTTP/1.1Host: www.seak.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /uds2/?Y4spQFW=G5yaYpuBg7XYabQFtGr/YwUbUG6Du4hspLJ6ti3LnsVJcslX7oGk4EUBP1FenotTMaF2IKx0Gw==&Ezu=VTChCL_ht2spUrI HTTP/1.1Host: www.cptdesignstudio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /uds2/?Y4spQFW=nX62fi3FGck0KYkDLbl3wNFzysJuwQN4fQs5/MCF0tdU2wk9ctHDwkR8RP5qD5uIs0RtT2NFRQ==&Ezu=VTChCL_ht2spUrI HTTP/1.1Host: www.demenageseul.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /uds2/?Y4spQFW=n2X6clJmCA05S3ZeqrcWmU9LgTYh3Xo9IMSlcPg8h+SS+WcZ+1zi1nXkqGc0mRUifak24jBbuw==&Ezu=VTChCL_ht2spUrI HTTP/1.1Host: www.concur.designConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.seak.xyz
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000004.00000000.267490258.000000000686B000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: NETSTAT.EXE, 0000000B.00000002.602127128.000000000365F000.00000004.00000001.sdmpString found in binary or memory: http://www.spontaneoushomeschooler.com/
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000004.00000000.277980680.000000000BE76000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041A060 NtClose
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041A110 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00419F30 NtCreateFile
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00419FE0 NtReadFile
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00419F82 NtCreateFile
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E95D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E98F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E97A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9560 NtWriteFile
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9950 NtQueueApcThread
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016EAD30 NtSetContextThread
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016EB040 NtSuspendThread
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9820 NtEnumerateKey
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9760 NtOpenProcess
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9770 NtSetInformationFile
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016EA770 NtOpenThread
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9B00 NtSetValueKey
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016EA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016EA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9650 NtQueryValueKey
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9A10 NtQuerySection
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E96D0 NtCreateKey
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA96D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA95D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9A10 NtQuerySection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9A20 NtResumeThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CAA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9760 NtOpenProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CAA770 NtOpenThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CAA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CAB040 NtSuspendThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9560 NtWriteFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CA9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CAAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_0044A060 NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_0044A110 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_00449F30 NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_00449FE0 NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_00449F82 NtCreateFile
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00401030
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041E1F6
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041EBD7
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041E461
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041EC27
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00402D87
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00409E40
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00409E3B
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041E7D7
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041E7DA
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01771D55
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016A0D20
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C4120
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AF900
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016BD5E0
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01761002
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B841F
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016BB090
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016DEBB0
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D32EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D322AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C86E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D31FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C9EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D32B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C7B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D320A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D21002
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C7841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C7D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C92581
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D31D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C6F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02D32D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C60D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02C84120
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_0044E1F6
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_0044E461
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_00432D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_00432D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_00439E40
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_00439E3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_0044E7DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_00432FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 02C6B150 appears 35 times
Source: C:\Users\user\Desktop\in.exe | Code function: String function: 016AB150 appears 32 times
Source: C:\Users\user\Desktop\in.exe | Code function: String function: 00B47C9A appears 60 times
Source: in.exe, 00000001.00000003.250265287.000000001ACCF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs in.exe
Source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs in.exe
Source: in.exe, 00000002.00000002.292914452.000000000179F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs in.exe
Source: in.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.599420822.0000000000830000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292552692.0000000001480000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.251301972.0000000002B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292256394.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.598393360.0000000000430000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.598703902.0000000000530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292614037.0000000001600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.in.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.in.exe.2b50000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.in.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.in.exe.2b50000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@6/4
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01
Source: in.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\in.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: in.exe | Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\in.exe | File read: C:\Users\user\Desktop\in.exe
Source: unknown | Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: unknown | Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\in.exe | Process created: C:\Users\user\Desktop\in.exe 'C:\Users\user\Desktop\in.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\in.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: in.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
          Source: Binary string: netstat.pdb source: in.exe, 00000002.00000002.292671384.0000000001670000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: in.exe, 00000001.00000003.250116639.000000001ABB0000.00000004.00000001.sdmp, in.exe, 00000002.00000002.292914452.000000000179F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000B.00000002.600753548.0000000002D5F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: in.exe, NETSTAT.EXE
Source: in.exe | Static PE information: real checksum: 0xe27c should be: 0x40e3b
Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00B47CC0 push eax; ret 1_2_00B47CEE
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041D0D2 push eax; ret 2_2_0041D0D8
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041D0DB push eax; ret 2_2_0041D142
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041D085 push eax; ret 2_2_0041D0D8
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0041D13C push eax; ret 2_2_0041D142
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00417BE0 push 28F71FB6h; retf 2_2_00417BE5
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00416561 push ebx; ret 2_2_00416570
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_004165A6 push ebx; ret 2_2_00416570
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00B47CC0 push eax; ret 2_2_00B47CEE
Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016FD0D1 push ecx; ret 2_2_016FD0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_02CBD0D1 push ecx; ret 11_2_02CBD0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_0044D0D2 push eax; ret 11_2_0044D0D8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_0044D0DB push eax; ret 11_2_0044D142
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_0044D085 push eax; ret 11_2_0044D0D8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_0044D13C push eax; ret 11_2_0044D142
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_00447BE0 push 28F71FB6h; retf 11_2_00447BE5
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_00446561 push ebx; ret 11_2_00446570
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 11_2_004465A6 push ebx; ret 11_2_00446570

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE3
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\in.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\in.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 00000000004398E4 second address: 00000000004398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 0000000000439B5E second address: 0000000000439B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00409A90 rdtsc | 2_2_00409A90
          Source: C:\Windows\explorer.exe TID: 4524 | Thread sleep count: 56 > 30
          Source: C:\Windows\explorer.exe TID: 4524 | Thread sleep time: -112000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5336 | Thread sleep count: 33 > 30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5336 | Thread sleep time: -66000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
          Source: explorer.exe, 00000004.00000000.272838998.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000004.00000000.272838998.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000000.275212385.0000000008DBD000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000004.00000002.610626366.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000004.00000000.273106949.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000004.00000000.273493490.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000004.00000000.273106949.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.267766064.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
          Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000002.612129459.00000000059C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\in.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\in.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00409A90 rdtsc | 2_2_00409A90
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0040ACD0 LdrLoadDll, | 2_2_0040ACD0
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00B47790 mov eax, dword ptr fs:[00000030h] | 1_2_00B47790
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00EFF471 mov eax, dword ptr fs:[00000030h] | 1_2_00EFF471
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00EFF2C6 mov eax, dword ptr fs:[00000030h] | 1_2_00EFF2C6
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00EFF329 mov eax, dword ptr fs:[00000030h] | 1_2_00EFF329
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00EFF289 mov eax, dword ptr fs:[00000030h] | 1_2_00EFF289
          Source: C:\Users\user\Desktop\in.exe | Code function: 1_2_00EFEA1A mov eax, dword ptr fs:[00000030h] | 1_2_00EFEA1A
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_00B47790 mov eax, dword ptr fs:[00000030h] | 2_2_00B47790
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AC962 mov eax, dword ptr fs:[00000030h] | 2_2_016AC962
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AB171 mov eax, dword ptr fs:[00000030h] | 2_2_016AB171
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AB171 mov eax, dword ptr fs:[00000030h] | 2_2_016AB171
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016CC577 mov eax, dword ptr fs:[00000030h] | 2_2_016CC577
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016CC577 mov eax, dword ptr fs:[00000030h] | 2_2_016CC577
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016CB944 mov eax, dword ptr fs:[00000030h] | 2_2_016CB944
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016CB944 mov eax, dword ptr fs:[00000030h] | 2_2_016CB944
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016E3D43 mov eax, dword ptr fs:[00000030h] | 2_2_016E3D43
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01723540 mov eax, dword ptr fs:[00000030h] | 2_2_01723540
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C7D50 mov eax, dword ptr fs:[00000030h] | 2_2_016C7D50
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_01778D34 mov eax, dword ptr fs:[00000030h] | 2_2_01778D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_0172A537 mov eax, dword ptr fs:[00000030h] | 2_2_0172A537
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C4120 mov eax, dword ptr fs:[00000030h] | 2_2_016C4120
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C4120 mov eax, dword ptr fs:[00000030h] | 2_2_016C4120
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C4120 mov eax, dword ptr fs:[00000030h] | 2_2_016C4120
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C4120 mov eax, dword ptr fs:[00000030h] | 2_2_016C4120
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016C4120 mov ecx, dword ptr fs:[00000030h] | 2_2_016C4120
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D4D3B mov eax, dword ptr fs:[00000030h] | 2_2_016D4D3B
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D4D3B mov eax, dword ptr fs:[00000030h] | 2_2_016D4D3B
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D4D3B mov eax, dword ptr fs:[00000030h] | 2_2_016D4D3B
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D513A mov eax, dword ptr fs:[00000030h] | 2_2_016D513A
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016D513A mov eax, dword ptr fs:[00000030h] | 2_2_016D513A
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016AAD30 mov eax, dword ptr fs:[00000030h] | 2_2_016AAD30
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016B3D34 mov eax, dword ptr fs:[00000030h] | 2_2_016B3D34
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016A9100 mov eax, dword ptr fs:[00000030h] | 2_2_016A9100
          Source: C:\Users\user\Desktop\in.exe | Code function: 2_2_016A9100 mov eax, dword ptr fs:[00000030h] | 2_2_016A9100
          Source: C:\Users\user\Desktop\in.exe<