Analysis Report PO_210223.exe

Overview

General Information

Sample Name:	PO_210223.exe
Analysis ID:	356494
MD5:	e40af9745e938b72d5d860bbc679aebf
SHA1:	d9e750061417b0ca9f933db79c99c12934abbe84
SHA256:	38acc90cd6d33b61b99cca8cf06781e1bd2ab8ffebc3a33e036eca36037d413b
Tags:	exeFormbookgeoKOR
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.000666dy.com/ntg/"], "decoy": ["successwithyolandafgreen.com", "theordinaryph.com", "atamyo-therapeutics.com", "pophazard.com", "anthonyfultz.com", "pasanglham.com", "kanekhushi.com", "littlefishyswim.com", "kaieteurny.com", "fanavartima.com", "digexpo.com", "se-rto.com", "chaos.finance", "bakldx.com", "after-school.pro", "faithfromphilly.com", "estudiomuradian.com", "albertocerasini.com", "andronna.com", "wingspotusa.com", "lucky-lucky.online", "ga-don.com", "shawnbly.com", "shoptalullah.com", "needfulvegan.com", "ampersandaconsulting.com", "hoyhelp.com", "wickfordinternists.com", "kindlovingmindfulyoga.com", "hhkgjt.net", "eventpubgpharaoh.com", "blameitonpizza.com", "editshirt.com", "utulocal194.com", "meralpro.com", "rochesterhindus.com", "wadihassafi.com", "visitouroffice.com", "duncantraining.com", "ggrealestategroup.com", "xrf-tech.com", "pro-tizer.com", "usesoft.icu", "caralsalem.com", "inudaipur.com", "fluid-branding.com", "titizadiyamancigkofte.com", "es-tucasa.com", "103manningave.com", "eclat-beauty.info", "ahameeting2021.com", "gsyxh.com", "246835.com", "onwardfpv.com", "estasinvitado.net", "kinderkakery.com", "bala5.com", "gehqaralouine.com", "editorialesrd.com", "thebarconcepts.com", "aleitzeventdecor.com", "moderaty.com", "geraloqaresuine.com", "kyotodreaming.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\kwqifureL.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: PO_210223.exe	Virustotal: Detection: 31%			Perma Link
Source: PO_210223.exe	ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\kwqifureL.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO_210223.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 9.2.PO_210223.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\PO_210223.exe

Unpacked PE file: 0.2.PO_210223.exe.890000.0.unpack

Uses 32bit PE files

Source: PO_210223.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: PO_210223.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: ipconfig.pdb source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO_210223.exe, 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, ipconfig.exe, 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO_210223.exe, ipconfig.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 4x nop then pop edi		9_2_00416C98
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 4x nop then pop edi		13_2_009C6C98

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.000666dy.com/ntg/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.pophazard.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.246835.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.kaieteurny.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 204.11.56.48 204.11.56.48

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View	ASN Name: CNSERVERSUS CNSERVERSUS

Source: C:\Windows\explorer.exe

Code function: 10_2_04E0E782 getaddrinfo,setsockopt,recv,

10_2_04E0E782

Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.pophazard.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.246835.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb HTTP/1.1Host: www.kaieteurny.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.pophazard.com

Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libg.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/logo.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000002.910436982.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comcy
Source: PO_210223.exe, 00000000.00000003.648155639.000000000828D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comig
Source: PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comint
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comk
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comva9y
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO_210223.exe, 00000000.00000003.652634958.0000000008285000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO_210223.exe, 00000000.00000003.654377069.0000000008285000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersQ
Source: PO_210223.exe, 00000000.00000003.658906996.0000000008285000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designerse
Source: PO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersiva
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO_210223.exe, 00000000.00000003.645891455.000000000826B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: PO_210223.exe, 00000000.00000003.645842271.000000000826B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comic
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO_210223.exe, 00000000.00000003.647755183.0000000008255000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnal
Source: PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnal9y
Source: PO_210223.exe, 00000000.00000003.647129278.0000000008256000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnt7o
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO_210223.exe, 00000000.00000003.655856986.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO_210223.exe, 00000000.00000003.658733903.0000000008285000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp	String found in binary or memory: http://www.pophazard.com/sk-logabpstatus.php?a=aG42QXdLZEpxVDR5Y2RqNUtBbnIvaUNNaWJVdEVQVjlJMUxVR2dwW
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com8i
Source: PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comal
Source: PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comh
Source: PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comlic
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cniy
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: PO_210223.exe, 00000000.00000002.679711505.0000000001030000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PO_210223.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419D50 NtCreateFile,	9_2_00419D50
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419E00 NtReadFile,	9_2_00419E00
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419E80 NtClose,	9_2_00419E80
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419F30 NtAllocateVirtualMemory,	9_2_00419F30
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419D4A NtCreateFile,	9_2_00419D4A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00419F2A NtAllocateVirtualMemory,	9_2_00419F2A
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018499A0 NtCreateSection,LdrInitializeThunk,	9_2_018499A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_01849910
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018498F0 NtReadVirtualMemory,LdrInitializeThunk,	9_2_018498F0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849840 NtDelayExecution,LdrInitializeThunk,	9_2_01849840
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01849860
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849A00 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_01849A00
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849A20 NtResumeThread,LdrInitializeThunk,	9_2_01849A20
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849A50 NtCreateFile,LdrInitializeThunk,	9_2_01849A50
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018495D0 NtClose,LdrInitializeThunk,	9_2_018495D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849540 NtReadFile,LdrInitializeThunk,	9_2_01849540
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849780 NtMapViewOfSection,LdrInitializeThunk,	9_2_01849780
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018497A0 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_018497A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849710 NtQueryInformationToken,LdrInitializeThunk,	9_2_01849710
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018496E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_018496E0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_01849660
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018499D0 NtCreateProcessEx,	9_2_018499D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849950 NtQueueApcThread,	9_2_01849950
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018498A0 NtWriteVirtualMemory,	9_2_018498A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849820 NtEnumerateKey,	9_2_01849820
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0184B040 NtSuspendThread,	9_2_0184B040
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0184A3B0 NtGetContextThread,	9_2_0184A3B0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849B00 NtSetValueKey,	9_2_01849B00
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849A80 NtOpenDirectoryObject,	9_2_01849A80
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849A10 NtQuerySection,	9_2_01849A10
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018495F0 NtQueryInformationFile,	9_2_018495F0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849520 NtWaitForSingleObject,	9_2_01849520
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0184AD30 NtSetContextThread,	9_2_0184AD30
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849560 NtWriteFile,	9_2_01849560
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849FE0 NtCreateMutant,	9_2_01849FE0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0184A710 NtOpenProcessToken,	9_2_0184A710
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849730 NtQueryVirtualMemory,	9_2_01849730
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849760 NtOpenProcess,	9_2_01849760
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0184A770 NtOpenThread,	9_2_0184A770
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849770 NtSetInformationFile,	9_2_01849770
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018496D0 NtCreateKey,	9_2_018496D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849610 NtEnumerateValueKey,	9_2_01849610
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849650 NtQueryValueKey,	9_2_01849650
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01849670 NtQueryInformationProcess,	9_2_01849670
Source: C:\Windows\explorer.exe	Code function: 10_2_04E0DA32 NtCreateFile,	10_2_04E0DA32
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499710 NtQueryInformationToken,LdrInitializeThunk,	13_2_03499710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499FE0 NtCreateMutant,LdrInitializeThunk,	13_2_03499FE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499780 NtMapViewOfSection,LdrInitializeThunk,	13_2_03499780
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499A50 NtCreateFile,LdrInitializeThunk,	13_2_03499A50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034996D0 NtCreateKey,LdrInitializeThunk,	13_2_034996D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034996E0 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_034996E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499540 NtReadFile,LdrInitializeThunk,	13_2_03499540
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499910 NtAdjustPrivilegesToken,LdrInitializeThunk,	13_2_03499910
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034995D0 NtClose,LdrInitializeThunk,	13_2_034995D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034999A0 NtCreateSection,LdrInitializeThunk,	13_2_034999A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499840 NtDelayExecution,LdrInitializeThunk,	13_2_03499840
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499860 NtQuerySystemInformation,LdrInitializeThunk,	13_2_03499860
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499760 NtOpenProcess,	13_2_03499760
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499770 NtSetInformationFile,	13_2_03499770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349A770 NtOpenThread,	13_2_0349A770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499B00 NtSetValueKey,	13_2_03499B00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349A710 NtOpenProcessToken,	13_2_0349A710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499730 NtQueryVirtualMemory,	13_2_03499730
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034997A0 NtUnmapViewOfSection,	13_2_034997A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349A3B0 NtGetContextThread,	13_2_0349A3B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499650 NtQueryValueKey,	13_2_03499650
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499660 NtAllocateVirtualMemory,	13_2_03499660
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499670 NtQueryInformationProcess,	13_2_03499670
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499A00 NtProtectVirtualMemory,	13_2_03499A00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499610 NtEnumerateValueKey,	13_2_03499610
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499A10 NtQuerySection,	13_2_03499A10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499A20 NtResumeThread,	13_2_03499A20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499A80 NtOpenDirectoryObject,	13_2_03499A80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499950 NtQueueApcThread,	13_2_03499950
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499560 NtWriteFile,	13_2_03499560
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499520 NtWaitForSingleObject,	13_2_03499520
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349AD30 NtSetContextThread,	13_2_0349AD30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034999D0 NtCreateProcessEx,	13_2_034999D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034995F0 NtQueryInformationFile,	13_2_034995F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0349B040 NtSuspendThread,	13_2_0349B040
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03499820 NtEnumerateKey,	13_2_03499820
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034998F0 NtReadVirtualMemory,	13_2_034998F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034998A0 NtWriteVirtualMemory,	13_2_034998A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009C9D50 NtCreateFile,	13_2_009C9D50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009C9E80 NtClose,	13_2_009C9E80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009C9E00 NtReadFile,	13_2_009C9E00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009C9D4A NtCreateFile,	13_2_009C9D4A

Detected potential crypto function

Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012821F8	0_2_012821F8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012830D0	0_2_012830D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01281851	0_2_01281851
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01280FF8	0_2_01280FF8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012851E0	0_2_012851E0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012851D0	0_2_012851D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01283063	0_2_01283063
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01281292	0_2_01281292
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01285420	0_2_01285420
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01285430	0_2_01285430
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012804D0	0_2_012804D0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_012856A8	0_2_012856A8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01285698	0_2_01285698
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01285840	0_2_01285840
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01283FA8	0_2_01283FA8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01283F99	0_2_01283F99
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01280FD4	0_2_01280FD4
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01284E60	0_2_01284E60
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_09AB9DD0	0_2_09AB9DD0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_09AB6100	0_2_09AB6100
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_09ABB098	0_2_09ABB098
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_09AB0040	0_2_09AB0040
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00401026	9_2_00401026
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041D3FD	9_2_0041D3FD
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041E601	9_2_0041E601
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00409E30	9_2_00409E30
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041DFA7	9_2_0041DFA7
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0180F900	9_2_0180F900
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01824120	9_2_01824120
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181B090	9_2_0181B090
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018320A0	9_2_018320A0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D20A8	9_2_018D20A8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D28EC	9_2_018D28EC
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018C1002	9_2_018C1002
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0183EBB0	9_2_0183EBB0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CDBD2	9_2_018CDBD2
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D2B28	9_2_018D2B28
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D22AE	9_2_018D22AE
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01832581	9_2_01832581
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D25DD	9_2_018D25DD
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181D5E0	9_2_0181D5E0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D2D07	9_2_018D2D07
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01800D20	9_2_01800D20
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D1D55	9_2_018D1D55
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0181841F	9_2_0181841F
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CD466	9_2_018CD466
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D1FF1	9_2_018D1FF1
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018D2EF7	9_2_018D2EF7
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_018CD616	9_2_018CD616
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_01826E30	9_2_01826E30
Source: C:\Windows\explorer.exe	Code function: 10_2_04E0DA32	10_2_04E0DA32
Source: C:\Windows\explorer.exe	Code function: 10_2_04E05CEC	10_2_04E05CEC
Source: C:\Windows\explorer.exe	Code function: 10_2_04E05CF2	10_2_04E05CF2
Source: C:\Windows\explorer.exe	Code function: 10_2_04E0C862	10_2_04E0C862
Source: C:\Windows\explorer.exe	Code function: 10_2_04E04069	10_2_04E04069
Source: C:\Windows\explorer.exe	Code function: 10_2_04E10A6F	10_2_04E10A6F
Source: C:\Windows\explorer.exe	Code function: 10_2_04E04072	10_2_04E04072
Source: C:\Windows\explorer.exe	Code function: 10_2_04E08B22	10_2_04E08B22
Source: C:\Windows\explorer.exe	Code function: 10_2_04E0B132	10_2_04E0B132
Source: C:\Windows\explorer.exe	Code function: 10_2_04E10B0E	10_2_04E10B0E
Source: C:\Windows\explorer.exe	Code function: 10_2_04E08B1F	10_2_04E08B1F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03522B28	13_2_03522B28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03521FF1	13_2_03521FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0348EBB0	13_2_0348EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03476E30	13_2_03476E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03522EF7	13_2_03522EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_035222AE	13_2_035222AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03521D55	13_2_03521D55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0345F900	13_2_0345F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03522D07	13_2_03522D07
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03450D20	13_2_03450D20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03474120	13_2_03474120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346D5E0	13_2_0346D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03482581	13_2_03482581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_03511002	13_2_03511002
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346841F	13_2_0346841F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_0346B090	13_2_0346B090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034820A0	13_2_034820A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_035220A8	13_2_035220A8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009B2D90	13_2_009B2D90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CE601	13_2_009CE601
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009B9E30	13_2_009B9E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009B2FB0	13_2_009B2FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CDFA7	13_2_009CDFA7

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\PO_210223.exe	Code function: String function: 0180B150 appears 35 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0345B150 appears 35 times

Sample file is different than original file name gathered from version info

Source: PO_210223.exe	Binary or memory string: OriginalFilename vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000000.641235536.0000000000956000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.689224282.000000000B660000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.689224282.000000000B660000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.687139133.0000000009840000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.687388801.00000000099C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.688279597.000000000B570000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameriched20.dllp( vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: k,\\StringFileInfo\\000004B0\\OriginalFilename vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs PO_210223.exe
Source: PO_210223.exe, 00000000.00000002.679711505.0000000001030000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO_210223.exe
Source: PO_210223.exe, 00000009.00000002.715919446.00000000016E7000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs PO_210223.exe
Source: PO_210223.exe, 00000009.00000000.673088328.0000000000CF6000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe
Source: PO_210223.exe, 00000009.00000002.716615748.0000000001A8F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO_210223.exe
Source: PO_210223.exe	Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe

Uses 32bit PE files

Source: PO_210223.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/4@3/3

Source: C:\Users\user\Desktop\PO_210223.exe

File created: C:\Users\user\AppData\Roaming\kwqifureL.exe

Source: C:\Users\user\Desktop\PO_210223.exe	Mutant created: \Sessions\1\BaseNamedObjects\kOfurgeHGWQSiueuJ
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: unknown	Process created: C:\Users\user\Desktop\PO_210223.exe 'C:\Users\user\Desktop\PO_210223.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\PO_210223.exe C:\Users\user\Desktop\PO_210223.exe
Source: unknown	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_210223.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO_210223.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process created: C:\Users\user\Desktop\PO_210223.exe C:\Users\user\Desktop\PO_210223.exe	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_210223.exe'	Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_0089423E push ebp; ret	0_2_0089423F
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_00893835 push cs; iretd	0_2_00893846
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_00894043 push edi; ret	0_2_00894047
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_00897272 push edx; iretd	0_2_008972B0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01286A7C push edi; iretd	0_2_01286A7E
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 0_2_01286A72 push edi; iretd	0_2_01286A74
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00409BAC push ebx; retf	9_2_00409BAF
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041DD1B push eax; ret	9_2_0041DE9C
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041CEF2 push eax; ret	9_2_0041CEF8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041CEFB push eax; ret	9_2_0041CF62
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041CEA5 push eax; ret	9_2_0041CEF8
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0041CF5C push eax; ret	9_2_0041CF62
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C320F3 pushad ; retf	9_2_00C320F4
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C34043 push edi; ret	9_2_00C34047
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C33835 push cs; iretd	9_2_00C33846
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C37272 push edx; iretd	9_2_00C372B0
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C3423E push ebp; ret	9_2_00C3423F
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_00C32E51 push CDBD7B17h; retf	9_2_00C32E56
Source: C:\Users\user\Desktop\PO_210223.exe	Code function: 9_2_0185D0D1 push ecx; ret	9_2_0185D0E4
Source: C:\Windows\explorer.exe	Code function: 10_2_04E13831 push cs; iretd	10_2_04E13833
Source: C:\Windows\explorer.exe	Code function: 10_2_04E113E6 pushad ; ret	10_2_04E113E7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_034AD0D1 push ecx; ret	13_2_034AD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CD83B pushad ; ret	13_2_009CD83C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009B9BAC push ebx; retf	13_2_009B9BAF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CDE8E push eax; ret	13_2_009CDE9C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CCEA5 push eax; ret	13_2_009CCEF8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CCEFB push eax; ret	13_2_009CCF62
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CCEF2 push eax; ret	13_2_009CCEF8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 13_2_009CCF5C push eax; ret	13_2_009CCF62

Source: initial sample	Static PE information: section name: .text entropy: 7.247286296
Source: initial sample	Static PE information: section name: .text entropy: 7.247286296

Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_210223.exe PID: 6976, type: MEMORY
Source: Yara match	File source: 0.2.PO_210223.exe.2cb671c.1.raw.unpack, type: UNPACKEDPE

Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\PO_210223.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO_210223.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 00000000009B98E4 second address: 00000000009B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 00000000009B9B4E second address: 00000000009B9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\PO_210223.exe TID: 6980	Thread sleep time: -99516s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe TID: 4632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6496	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6736	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000A.00000000.688633268.0000000004710000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000A.00000000.695692855.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000A.00000000.691690260.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.695692855.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 0000000A.00000000.700408324.000000000FD5B000.00000004.00000001.sdmp	Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.688633268.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000A.00000000.691285014.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PO_210223.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 204.11.56.48 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.66.59.142 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.229.197.103 80	Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO_210223.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\PO_210223.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 3424			Jump to behavior

Source: explorer.exe, 0000000A.00000002.907526127.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.679171156.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 0000000D.00000002.911200125.00000000048C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.695811785.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

IP	Domain	Country	ASN	ASN Name	Malicious
204.11.56.48	unknown	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
103.66.59.142	unknown	Hong Kong	40065	CNSERVERSUS	true
23.229.197.103	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true

Analysis Report PO_210223.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	IP	Active
kaieteurny.com	23.229.197.103	true
sll.nnu.pw	103.66.59.142	true
www.pophazard.com	204.11.56.48	true
www.246835.com	unknown	unknown
www.kaieteurny.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.pophazard.com/ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb	true	Avira URL Cloud: safe	unknown
http://www.246835.com/ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb	true	Avira URL Cloud: safe	unknown
http://www.kaieteurny.com/ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb	true	Avira URL Cloud: safe	unknown
www.000666dy.com/ntg/	true	Avira URL Cloud: safe	low

ID:	356494
Product:	CloudBasic
Start time:	08:57:40
Start date:	23.02.2021
Sample:	PO_210223.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	e40af9745e938b72d5d860bbc679aebf
SHA1:	d9e750061417b0ca9f933db79c99c12934abbe84
SHA256:	38acc90cd6d33b61b99cca8cf06781e1bd2ab8ffebc3a33e036eca36037d413b
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_210223.exe.log	ASCII text, with CRLF line terminators	1DC1A2DCC9EFAA84EABF4F6D6066565B	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Local\Temp\tmp33D2.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	14CFB330CC1F251E200D3DF339B27897	D203DB04E55F6224C704FBF3BF5A1654A22D4C24	84CDADDE88E64BDF5193CBD7CA5FDAFF6C835E095EEE55053553413F7F3A588F
C:\Users\user\AppData\Roaming\kwqifureL.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	E40AF9745E938B72D5D860BBC679AEBF	D9E750061417B0CA9F933DB79C99C12934ABBE84	38ACC90CD6D33B61B99CCA8CF06781E1BD2AB8FFEBC3A33E036ECA36037D413B
C:\Users\user\AppData\Roaming\kwqifureL.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309