Play interactive tour

Edit tour

Analysis Report RFQ.exe

Overview

General Information

Sample Name:	RFQ.exe
Analysis ID:	356498
MD5:	d0776103a16d59cf8a53d84854377371
SHA1:	11189405de042e38b6d5a7d5ba9250e091d8a0fe
SHA256:	8cbda95915fcb9696e4e221cdb72f9dc9175af27e348f05bede3f988aee9070c
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

RFQ.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: D0776103A16D59CF8A53D84854377371)

RFQ.exe (PID: 5652 cmdline: {path} MD5: D0776103A16D59CF8A53D84854377371)

explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

rundll32.exe (PID: 496 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cmd.exe (PID: 6260 cmdline: /c del 'C:\Users\user\Desktop\RFQ.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.talllensphotography.com/md5/"], "decoy": ["gnd3.com", "thedrata.com", "carbeloy.com", "impactpittsburg.com", "sussage.com", "mikespencil.com", "ghoshtechno.com", "partnermassagetherapy.com", "nagago.asia", "parkviee.com", "kichisanpo.com", "awbaviation.com", "shopvibeup.com", "ab-alamode.com", "cash4homesutah.com", "funbrushstrokes.com", "adeleycar.com", "actsbooking.com", "rojorodi.icu", "fleurdelyscantho.com", "bobwhiteknives.com", "entrefloresdr.com", "eurostarcellars.com", "shipu143.com", "lindsaydrees.com", "turningtecc.com", "reusedearth.com", "theemperorbrand.com", "afrohiphops.com", "officehoursonly.com", "pharmacistscbd.com", "yaanpay.com", "mymoxypets.com", "sharehealthalliance.com", "sparktvnetwork.com", "marymoorridgecondo.com", "honest-woman.com", "blitzerfoto.net", "vanhanhnhansu.com", "lawyerspledge.com", "parkwashingtondc.com", "worldwideexpressweb.net", "oatml.com", "acquaintancenutritious.info", "lukmanmalik.xyz", "eudorabcantik.com", "fotosdepueblo.com", "latelierp.com", "dogmomtreats.com", "beerthirtyslc.com", "greenlightsmokables.com", "newyorkbusinesssolutions.com", "latravesia.net", "worldvisioncompany.com", "radiusbrisbane.com", "beachhammocking.com", "games-daizo.com", "customkreation.com", "universiteyehazirlan.com", "studentpalace.rentals", "vizecix.com", "new123movies.pro", "skincolored.com", "goldstespresso.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xaef30:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xaf1aa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xdb750:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xdb9ca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xbaccd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe74ed:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xba7b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe6fd9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbadcf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe75ef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbaf47:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe7767:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xafbc2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xdc3e2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb9a34:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xe6254:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb08bb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xdd0db:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xc096f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xed18f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xc1972:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xbda51:$sqlite3step: 68 34 1C 7B E1 0xbdb64:$sqlite3step: 68 34 1C 7B E1 0xea271:$sqlite3step: 68 34 1C 7B E1 0xea384:$sqlite3step: 68 34 1C 7B E1 0xbda80:$sqlite3text: 68 38 2A 90 C5 0xbdba5:$sqlite3text: 68 38 2A 90 C5 0xea2a0:$sqlite3text: 68 38 2A 90 C5 0xea3c5:$sqlite3text: 68 38 2A 90 C5 0xbda93:$sqlite3blob: 68 53 D8 7F 8C 0xbdbbb:$sqlite3blob: 68 53 D8 7F 8C 0xea2b3:$sqlite3blob: 68 53 D8 7F 8C 0xea3db:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RFQ.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.RFQ.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.RFQ.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
7.2.RFQ.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.RFQ.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.RFQ.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: www.talllensphotography.com/md5/

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 7.2.RFQ.exe.400000.0.raw.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.talllensphotography.com/md5/"], "decoy": ["gnd3.com", "thedrata.com", "carbeloy.com", "impactpittsburg.com", "sussage.com", "mikespencil.com", "ghoshtechno.com", "partnermassagetherapy.com", "nagago.asia", "parkviee.com", "kichisanpo.com", "awbaviation.com", "shopvibeup.com", "ab-alamode.com", "cash4homesutah.com", "funbrushstrokes.com", "adeleycar.com", "actsbooking.com", "rojorodi.icu", "fleurdelyscantho.com", "bobwhiteknives.com", "entrefloresdr.com", "eurostarcellars.com", "shipu143.com", "lindsaydrees.com", "turningtecc.com", "reusedearth.com", "theemperorbrand.com", "afrohiphops.com", "officehoursonly.com", "pharmacistscbd.com", "yaanpay.com", "mymoxypets.com", "sharehealthalliance.com", "sparktvnetwork.com", "marymoorridgecondo.com", "honest-woman.com", "blitzerfoto.net", "vanhanhnhansu.com", "lawyerspledge.com", "parkwashingtondc.com", "worldwideexpressweb.net", "oatml.com", "acquaintancenutritious.info", "lukmanmalik.xyz", "eudorabcantik.com", "fotosdepueblo.com", "latelierp.com", "dogmomtreats.com", "beerthirtyslc.com", "greenlightsmokables.com", "newyorkbusinesssolutions.com", "latravesia.net", "worldvisioncompany.com", "radiusbrisbane.com", "beachhammocking.com", "games-daizo.com", "customkreation.com", "universiteyehazirlan.com", "studentpalace.rentals", "vizecix.com", "new123movies.pro", "skincolored.com", "goldstespresso.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: RFQ.exe	Virustotal: Detection: 35%			Perma Link
Source: RFQ.exe	ReversingLabs: Detection: 16%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE

Source: 7.2.RFQ.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: RFQ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: RFQ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.426278317.000000000EF20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: RFQ.exe, 00000007.00000002.444723171.000000000165F000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.595187979.0000000004610000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RFQ.exe, 00000007.00000002.444723171.000000000165F000.00000040.00000001.sdmp, rundll32.exe
Source:	Binary string: rundll32.pdb source: RFQ.exe, 00000007.00000002.444396323.00000000012A9000.00000004.00000020.sdmp
Source:	Binary string: rundll32.pdbGCTL source: RFQ.exe, 00000007.00000002.444396323.00000000012A9000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.426278317.000000000EF20000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 4x nop then pop edi		7_2_00416C9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi		14_2_00656C9C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 144.208.69.172:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 144.208.69.172:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 144.208.69.172:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49750 -> 142.250.185.179:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49750 -> 142.250.185.179:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49750 -> 142.250.185.179:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.talllensphotography.com/md5/

Source: global traffic	HTTP traffic detected: GET /md5/?idBXUjVP=2OYyEXTLFIqjBC5O5m8RJZ0r5htmlVRkTtWUdd8YXANk4Q730sjJcSottHUfDbvwisHPrnhI0g==&EBZ=ZVItdHbxztF0a HTTP/1.1Host: www.eudorabcantik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /md5/?idBXUjVP=s4q+K9SYeQAH/ol1LHDCX3FORxxmw3fUJuDZ6OIV0kEaH/C8CzqjXw4/MJNt0fJkrNVLW2mfGw==&EBZ=ZVItdHbxztF0a HTTP/1.1Host: www.skincolored.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 52.58.78.16 52.58.78.16

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: IMH-WESTUS IMH-WESTUS

Source: global traffic	HTTP traffic detected: GET /md5/?idBXUjVP=2OYyEXTLFIqjBC5O5m8RJZ0r5htmlVRkTtWUdd8YXANk4Q730sjJcSottHUfDbvwisHPrnhI0g==&EBZ=ZVItdHbxztF0a HTTP/1.1Host: www.eudorabcantik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /md5/?idBXUjVP=s4q+K9SYeQAH/ol1LHDCX3FORxxmw3fUJuDZ6OIV0kEaH/C8CzqjXw4/MJNt0fJkrNVLW2mfGw==&EBZ=ZVItdHbxztF0a HTTP/1.1Host: www.skincolored.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.eudorabcantik.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 23 Feb 2021 08:02:32 GMTServer: ApacheAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Connection: closeTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>3404

Source: RFQ.exe	String found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
Source: RFQ.exe	String found in binary or memory: http://code.google.com/p/topicalmemorysystem/
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: RFQ.exe	String found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000008.00000002.593605277.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: RFQ.exe	String found in binary or memory: http://www.biblegateway.com/passage/?search=
Source: RFQ.exe	String found in binary or memory: http://www.biblija.net/biblija.cgi?m=
Source: RFQ.exe	String found in binary or memory: http://www.blueletterbible.org/Bible.cfm?b=
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: RFQ.exe	String found in binary or memory: http://www.esvstudybible.org/search?q=
Source: RFQ.exe	String found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ.exe, 00000000.00000002.393740196.0000000001617000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comas
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: rundll32.exe, 0000000E.00000002.598194730.000000000502F000.00000004.00000001.sdmp	String found in binary or memory: http://www.skincolored.com
Source: rundll32.exe, 0000000E.00000002.598194730.000000000502F000.00000004.00000001.sdmp	String found in binary or memory: http://www.skincolored.com/
Source: explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: RFQ.exe, 00000000.00000003.334811267.000000000161C000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comn
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00419D60 NtCreateFile,	7_2_00419D60
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00419E10 NtReadFile,	7_2_00419E10
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00419E90 NtClose,	7_2_00419E90
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00419F40 NtAllocateVirtualMemory,	7_2_00419F40
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00419E0B NtReadFile,	7_2_00419E0B
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00419E8A NtClose,	7_2_00419E8A
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00419F3A NtAllocateVirtualMemory,	7_2_00419F3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679540 NtReadFile,LdrInitializeThunk,	14_2_04679540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046795D0 NtClose,LdrInitializeThunk,	14_2_046795D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679660 NtAllocateVirtualMemory,LdrInitializeThunk,	14_2_04679660
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679650 NtQueryValueKey,LdrInitializeThunk,	14_2_04679650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046796E0 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_046796E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046796D0 NtCreateKey,LdrInitializeThunk,	14_2_046796D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679710 NtQueryInformationToken,LdrInitializeThunk,	14_2_04679710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679FE0 NtCreateMutant,LdrInitializeThunk,	14_2_04679FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679780 NtMapViewOfSection,LdrInitializeThunk,	14_2_04679780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679860 NtQuerySystemInformation,LdrInitializeThunk,	14_2_04679860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679840 NtDelayExecution,LdrInitializeThunk,	14_2_04679840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679910 NtAdjustPrivilegesToken,LdrInitializeThunk,	14_2_04679910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046799A0 NtCreateSection,LdrInitializeThunk,	14_2_046799A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679A50 NtCreateFile,LdrInitializeThunk,	14_2_04679A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679560 NtWriteFile,	14_2_04679560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679520 NtWaitForSingleObject,	14_2_04679520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0467AD30 NtSetContextThread,	14_2_0467AD30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046795F0 NtQueryInformationFile,	14_2_046795F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679670 NtQueryInformationProcess,	14_2_04679670
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679610 NtEnumerateValueKey,	14_2_04679610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679760 NtOpenProcess,	14_2_04679760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0467A770 NtOpenThread,	14_2_0467A770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679770 NtSetInformationFile,	14_2_04679770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679730 NtQueryVirtualMemory,	14_2_04679730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0467A710 NtOpenProcessToken,	14_2_0467A710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046797A0 NtUnmapViewOfSection,	14_2_046797A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0467B040 NtSuspendThread,	14_2_0467B040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679820 NtEnumerateKey,	14_2_04679820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046798F0 NtReadVirtualMemory,	14_2_046798F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046798A0 NtWriteVirtualMemory,	14_2_046798A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679950 NtQueueApcThread,	14_2_04679950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046799D0 NtCreateProcessEx,	14_2_046799D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679A20 NtResumeThread,	14_2_04679A20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679A00 NtProtectVirtualMemory,	14_2_04679A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679A10 NtQuerySection,	14_2_04679A10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679A80 NtOpenDirectoryObject,	14_2_04679A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04679B00 NtSetValueKey,	14_2_04679B00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0467A3B0 NtGetContextThread,	14_2_0467A3B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00659D60 NtCreateFile,	14_2_00659D60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00659E10 NtReadFile,	14_2_00659E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00659E90 NtClose,	14_2_00659E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00659F40 NtAllocateVirtualMemory,	14_2_00659F40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00659E0B NtReadFile,	14_2_00659E0B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00659E8A NtClose,	14_2_00659E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00659F3A NtAllocateVirtualMemory,	14_2_00659F3A

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_075D6010	0_2_075D6010
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_075D1D7D	0_2_075D1D7D
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_075D0040	0_2_075D0040
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_075D0006	0_2_075D0006
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_0041E841	7_2_0041E841
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_0041D018	7_2_0041D018
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00401030	7_2_00401030
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_0041E1FC	7_2_0041E1FC
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00402D87	7_2_00402D87
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00402D90	7_2_00402D90
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00409E40	7_2_00409E40
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00409E3B	7_2_00409E3B
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_0041E7E7	7_2_0041E7E7
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_00402FB0	7_2_00402FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046FD466	14_2_046FD466
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0464841F	14_2_0464841F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04701D55	14_2_04701D55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04630D20	14_2_04630D20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04702D07	14_2_04702D07
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0464D5E0	14_2_0464D5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_047025DD	14_2_047025DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04662581	14_2_04662581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04656E30	14_2_04656E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046FD616	14_2_046FD616
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04702EF7	14_2_04702EF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04701FF1	14_2_04701FF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1002	14_2_046F1002
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_047028EC	14_2_047028EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046620A0	14_2_046620A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_047020A8	14_2_047020A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0464B090	14_2_0464B090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04654120	14_2_04654120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0463F900	14_2_0463F900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_047022AE	14_2_047022AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04702B28	14_2_04702B28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046FDBD2	14_2_046FDBD2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466EBB0	14_2_0466EBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0065E1FC	14_2_0065E1FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00642D87	14_2_00642D87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00642D90	14_2_00642D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00649E40	14_2_00649E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00649E3B	14_2_00649E3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_00642FB0	14_2_00642FB0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 0463B150 appears 35 times

Source: RFQ.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: RFQ.exe	Binary or memory string: OriginalFilename vs RFQ.exe
Source: RFQ.exe, 00000000.00000000.326713042.00000000009B2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameD vs RFQ.exe
Source: RFQ.exe	Binary or memory string: OriginalFilename vs RFQ.exe
Source: RFQ.exe, 00000007.00000002.444723171.000000000165F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
Source: RFQ.exe, 00000007.00000002.444419638.00000000012C8000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs RFQ.exe
Source: RFQ.exe, 00000007.00000000.391061443.0000000000AB2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameD vs RFQ.exe
Source: RFQ.exe	Binary or memory string: OriginalFilenameD vs RFQ.exe

Source: RFQ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@3/2

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
Source: C:\Users\user\Desktop\RFQ.exe	Mutant created: \Sessions\1\BaseNamedObjects\iNvBcjNipEgPNF

Source: RFQ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Source: RFQ.exe	Virustotal: Detection: 35%
Source: RFQ.exe	ReversingLabs: Detection: 16%

Source: unknown	Process created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe'
Source: unknown	Process created: C:\Users\user\Desktop\RFQ.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Users\user\Desktop\RFQ.exe {path}	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: RFQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.426278317.000000000EF20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: RFQ.exe, 00000007.00000002.444723171.000000000165F000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.595187979.0000000004610000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RFQ.exe, 00000007.00000002.444723171.000000000165F000.00000040.00000001.sdmp, rundll32.exe
Source:	Binary string: rundll32.pdb source: RFQ.exe, 00000007.00000002.444396323.00000000012A9000.00000004.00000020.sdmp
Source:	Binary string: rundll32.pdbGCTL source: RFQ.exe, 00000007.00000002.444396323.00000000012A9000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.426278317.000000000EF20000.00000002.00000001.sdmp

Data Obfuscation:

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_05411598 push eax; mov dword ptr [esp], ecx	0_2_0541159C
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_075D224A push cs; ret	0_2_075D224C
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_075D02D2 push 0000002Eh; ret	0_2_075D02D4
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_075D12C2 push ds; ret	0_2_075D12C3
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_075D22A3 push cs; ret	0_2_075D22A4
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_004170A0 pushfd ; retf	7_2_004170A6
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_0041CEB5 push eax; ret	7_2_0041CF08
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_0041CF6C push eax; ret	7_2_0041CF72
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_0041CF02 push eax; ret	7_2_0041CF08
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 7_2_0041CF0B push eax; ret	7_2_0041CF72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0468D0D1 push ecx; ret	14_2_0468D0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_006570A0 pushfd ; retf	14_2_006570A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0065CEB5 push eax; ret	14_2_0065CF08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0065CF6C push eax; ret	14_2_0065CF72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0065CF02 push eax; ret	14_2_0065CF08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0065CF0B push eax; ret	14_2_0065CF72

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE3

Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\RFQ.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RFQ.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 00000000006498E4 second address: 00000000006498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 0000000000649B5E second address: 0000000000649B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 7_2_00409A90 rdtsc

7_2_00409A90

Source: C:\Users\user\Desktop\RFQ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe TID: 7112	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe TID: 6796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5572	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: explorer.exe, 00000008.00000000.423725449.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000008.00000000.423831795.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000008.00000002.608752063.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000008.00000000.418197319.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.423725449.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000008.00000000.418197319.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.422618645.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000008.00000002.608752063.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000008.00000002.608752063.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000008.00000000.422618645.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000008.00000000.423831795.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000008.00000002.593605277.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000008.00000002.608752063.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\RFQ.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Source: C:\Users\user\Desktop\RFQ.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 7_2_00409A90 rdtsc

7_2_00409A90

Source: C:\Users\user\Desktop\RFQ.exe

Code function: 7_2_0040ACD0 LdrLoadDll,

7_2_0040ACD0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0465746D mov eax, dword ptr fs:[00000030h]	14_2_0465746D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466A44B mov eax, dword ptr fs:[00000030h]	14_2_0466A44B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046CC450 mov eax, dword ptr fs:[00000030h]	14_2_046CC450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046CC450 mov eax, dword ptr fs:[00000030h]	14_2_046CC450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466BC2C mov eax, dword ptr fs:[00000030h]	14_2_0466BC2C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h]	14_2_046B6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h]	14_2_046B6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h]	14_2_046B6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h]	14_2_046B6C0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]	14_2_046F1C06
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0470740D mov eax, dword ptr fs:[00000030h]	14_2_0470740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0470740D mov eax, dword ptr fs:[00000030h]	14_2_0470740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0470740D mov eax, dword ptr fs:[00000030h]	14_2_0470740D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F14FB mov eax, dword ptr fs:[00000030h]	14_2_046F14FB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h]	14_2_046B6CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h]	14_2_046B6CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h]	14_2_046B6CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04708CD6 mov eax, dword ptr fs:[00000030h]	14_2_04708CD6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0464849B mov eax, dword ptr fs:[00000030h]	14_2_0464849B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0465C577 mov eax, dword ptr fs:[00000030h]	14_2_0465C577
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0465C577 mov eax, dword ptr fs:[00000030h]	14_2_0465C577
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04673D43 mov eax, dword ptr fs:[00000030h]	14_2_04673D43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B3540 mov eax, dword ptr fs:[00000030h]	14_2_046B3540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04657D50 mov eax, dword ptr fs:[00000030h]	14_2_04657D50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04708D34 mov eax, dword ptr fs:[00000030h]	14_2_04708D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]	14_2_04643D34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0463AD30 mov eax, dword ptr fs:[00000030h]	14_2_0463AD30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046FE539 mov eax, dword ptr fs:[00000030h]	14_2_046FE539
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046BA537 mov eax, dword ptr fs:[00000030h]	14_2_046BA537
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h]	14_2_04664D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h]	14_2_04664D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h]	14_2_04664D3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0464D5E0 mov eax, dword ptr fs:[00000030h]	14_2_0464D5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0464D5E0 mov eax, dword ptr fs:[00000030h]	14_2_0464D5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046FFDE2 mov eax, dword ptr fs:[00000030h]	14_2_046FFDE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046FFDE2 mov eax, dword ptr fs:[00000030h]	14_2_046FFDE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046FFDE2 mov eax, dword ptr fs:[00000030h]	14_2_046FFDE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046FFDE2 mov eax, dword ptr fs:[00000030h]	14_2_046FFDE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046E8DF1 mov eax, dword ptr fs:[00000030h]	14_2_046E8DF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6DC9 mov eax, dword ptr fs:[00000030h]	14_2_046B6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6DC9 mov eax, dword ptr fs:[00000030h]	14_2_046B6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6DC9 mov eax, dword ptr fs:[00000030h]	14_2_046B6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6DC9 mov ecx, dword ptr fs:[00000030h]	14_2_046B6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6DC9 mov eax, dword ptr fs:[00000030h]	14_2_046B6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B6DC9 mov eax, dword ptr fs:[00000030h]	14_2_046B6DC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046635A1 mov eax, dword ptr fs:[00000030h]	14_2_046635A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h]	14_2_04661DB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h]	14_2_04661DB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h]	14_2_04661DB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_047005AC mov eax, dword ptr fs:[00000030h]	14_2_047005AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_047005AC mov eax, dword ptr fs:[00000030h]	14_2_047005AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]	14_2_04662581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]	14_2_04662581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]	14_2_04662581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]	14_2_04662581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]	14_2_04632D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]	14_2_04632D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]	14_2_04632D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]	14_2_04632D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]	14_2_04632D8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466FD9B mov eax, dword ptr fs:[00000030h]	14_2_0466FD9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466FD9B mov eax, dword ptr fs:[00000030h]	14_2_0466FD9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0464766D mov eax, dword ptr fs:[00000030h]	14_2_0464766D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]	14_2_0465AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]	14_2_0465AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]	14_2_0465AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]	14_2_0465AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]	14_2_0465AE73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]	14_2_04647E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]	14_2_04647E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]	14_2_04647E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]	14_2_04647E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]	14_2_04647E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]	14_2_04647E41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046FAE44 mov eax, dword ptr fs:[00000030h]	14_2_046FAE44
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046FAE44 mov eax, dword ptr fs:[00000030h]	14_2_046FAE44
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0463E620 mov eax, dword ptr fs:[00000030h]	14_2_0463E620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046EFE3F mov eax, dword ptr fs:[00000030h]	14_2_046EFE3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h]	14_2_0463C600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h]	14_2_0463C600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h]	14_2_0463C600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04668E00 mov eax, dword ptr fs:[00000030h]	14_2_04668E00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F1608 mov eax, dword ptr fs:[00000030h]	14_2_046F1608
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466A61C mov eax, dword ptr fs:[00000030h]	14_2_0466A61C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466A61C mov eax, dword ptr fs:[00000030h]	14_2_0466A61C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046616E0 mov ecx, dword ptr fs:[00000030h]	14_2_046616E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046476E2 mov eax, dword ptr fs:[00000030h]	14_2_046476E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04678EC7 mov eax, dword ptr fs:[00000030h]	14_2_04678EC7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04708ED6 mov eax, dword ptr fs:[00000030h]	14_2_04708ED6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046636CC mov eax, dword ptr fs:[00000030h]	14_2_046636CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046EFEC0 mov eax, dword ptr fs:[00000030h]	14_2_046EFEC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B46A7 mov eax, dword ptr fs:[00000030h]	14_2_046B46A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h]	14_2_04700EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h]	14_2_04700EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h]	14_2_04700EA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046CFE87 mov eax, dword ptr fs:[00000030h]	14_2_046CFE87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0464FF60 mov eax, dword ptr fs:[00000030h]	14_2_0464FF60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04708F6A mov eax, dword ptr fs:[00000030h]	14_2_04708F6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0464EF40 mov eax, dword ptr fs:[00000030h]	14_2_0464EF40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04634F2E mov eax, dword ptr fs:[00000030h]	14_2_04634F2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04634F2E mov eax, dword ptr fs:[00000030h]	14_2_04634F2E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466E730 mov eax, dword ptr fs:[00000030h]	14_2_0466E730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466A70E mov eax, dword ptr fs:[00000030h]	14_2_0466A70E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466A70E mov eax, dword ptr fs:[00000030h]	14_2_0466A70E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0465F716 mov eax, dword ptr fs:[00000030h]	14_2_0465F716
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046CFF10 mov eax, dword ptr fs:[00000030h]	14_2_046CFF10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046CFF10 mov eax, dword ptr fs:[00000030h]	14_2_046CFF10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0470070D mov eax, dword ptr fs:[00000030h]	14_2_0470070D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0470070D mov eax, dword ptr fs:[00000030h]	14_2_0470070D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046737F5 mov eax, dword ptr fs:[00000030h]	14_2_046737F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04648794 mov eax, dword ptr fs:[00000030h]	14_2_04648794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h]	14_2_046B7794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h]	14_2_046B7794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h]	14_2_046B7794
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04701074 mov eax, dword ptr fs:[00000030h]	14_2_04701074
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_046F2073 mov eax, dword ptr fs:[00000030h]	14_2_046F2073
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04650050 mov eax, dword ptr fs:[00000030h]	14_2_04650050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_04650050 mov eax, dword ptr fs:[00000030h]	14_2_04650050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h]	14_2_0466002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h]	14_2_0466002D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_0466002D mov eax, dword ptr fs:[00000030h]

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RFQ.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging: