Analysis Report lpdKSOB78u.exe

Overview

General Information

Sample Name: lpdKSOB78u.exe
Analysis ID: 356515
MD5: f10054d325df455c58ecb16ea660d3f2
SHA1: 54871af48b64576922b97965efeeea94976bc119
SHA256: b060cb81afd9113cfbbb1e346c99e503c545da47ed80096c021b7ca41c064c76
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • lpdKSOB78u.exe (PID: 6076 cmdline: 'C:\Users\user\Desktop\lpdKSOB78u.exe' MD5: F10054D325DF455C58ECB16EA660D3F2)
    • lpdKSOB78u.exe (PID: 5652 cmdline: 'C:\Users\user\Desktop\lpdKSOB78u.exe' MD5: F10054D325DF455C58ECB16EA660D3F2)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 6748 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6956 cmdline: /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
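The Startup tree above is the whole story of this sample in six process-creation events: the dropper re-launches its own image, the second instance ends up inside explorer.exe, explorer.exe hands off to a 32-bit raserver.exe from SysWOW64, and that hollowed host spawns cmd.exe to delete the original file. The script below is an added example (not part of the Joe Sandbox report and not Joe Security's code) that rebuilds that tree from Sysmon-style process events and flags those three hops. The events are constructed from the Startup section; two values the report does not give are assumed and marked as such in the code: the parent PID of the first lpdKSOB78u.exe instance, and the image path of cmd.exe (taken as the SysWOW64 copy, since its parent raserver.exe ran from SysWOW64). The report nests explorer.exe under PID 5652 because the sample injected into it, so that link is modelled as the parent link the tree shows.

```python
"""Process-tree triage of the execution chain in the report's Startup section.

Added example, not from the report and not Joe Sandbox's code. EVENTS is
constructed from the Startup tree (PIDs, parent links, images, command lines).
"""
import re

EVENTS = [
    dict(pid=6076, ppid=1234,  # parent PID assumed; the report does not give it
         image=r"C:\Users\user\Desktop\lpdKSOB78u.exe",
         cmdline=r"'C:\Users\user\Desktop\lpdKSOB78u.exe'"),
    dict(pid=5652, ppid=6076,
         image=r"C:\Users\user\Desktop\lpdKSOB78u.exe",
         cmdline=r"'C:\Users\user\Desktop\lpdKSOB78u.exe'"),
    # The report nests explorer.exe under 5652 (injection target), modelled as parent link.
    dict(pid=3388, ppid=5652, image=r"C:\Windows\explorer.exe", cmdline=""),
    dict(pid=6748, ppid=3388,
         image=r"C:\Windows\SysWOW64\raserver.exe",
         cmdline=r"C:\Windows\SysWOW64\raserver.exe"),
    dict(pid=6956, ppid=6748,
         image=r"C:\Windows\SysWOW64\cmd.exe",  # image path assumed (32-bit parent)
         cmdline=r"/c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'"),
    dict(pid=6964, ppid=6956,
         image=r"C:\Windows\system32\conhost.exe",
         cmdline=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_DIR = "c:\\windows\\"


def ancestors(pid, by_pid):
    """Ancestor events, nearest first; stops at PIDs the event set does not cover."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]


def deleted_paths(cmdline):
    """Paths named after 'del' in a cmd.exe command line, with quotes removed."""
    m = re.search(r"\bdel\s+(.+)$", cmdline, flags=re.IGNORECASE)
    if not m:
        return []
    return [q or bare for q, bare in re.findall(r"""['"]([^'"]+)['"]|(\S+)""", m.group(1))]


def findings(events):
    """(reason, pid) pairs for the hops in the chain that merit attention."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        img = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        parent_img = parent["image"].lower() if parent else ""
        anc = list(ancestors(e["pid"], by_pid))
        # 1. A process re-launching its own image: the unpacker stage that
        #    precedes the process hollowing the report describes.
        if parent_img == img:
            out.append(("self_relaunch", e["pid"]))
        # 2. A Windows system binary whose parent is not itself a system binary
        #    and whose ancestry reaches back to an executable outside C:\Windows.
        if (img.startswith(SYSTEM_DIRS) and parent is not None
                and not parent_img.startswith(SYSTEM_DIRS)
                and any(not a["image"].lower().startswith(WINDOWS_DIR) for a in anc)):
            out.append(("system_binary_in_user_tree", e["pid"]))
        # 3. cmd.exe deleting the image of one of its own ancestors: the dropper
        #    cleaning up after control has moved into the hollowed host.
        if img.endswith("\\cmd.exe"):
            anc_images = {a["image"].lower() for a in anc}
            if any(p.lower() in anc_images for p in deleted_paths(e["cmdline"])):
                out.append(("ancestor_self_delete", e["pid"]))
    return out


if __name__ == "__main__":
    for reason, pid in findings(EVENTS):
        print(f"{reason:28s} pid={pid}")
```

Check 2 deliberately fires once, on raserver.exe, and not on the cmd.exe and conhost.exe below it: the interesting event is the first system binary the user-directory tree reaches, not every system process after it.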

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.torontotel.com/4qdc/"], "decoy": ["mangpe.asia", "mmstruckingllc.com", "ascendingworship.com", "gfeets.com", "smartcbda.com", "dreaminggrand.com", "dohostar.com", "farkindalik365.com", "weareexpatwomen.com", "gamereruns.com", "rosesandframes.com", "commagx4.info", "tarpleymusic.info", "szttskj.com", "calatheahomeservices.com", "qm7886.com", "emunmous.com", "deutschclub.com", "39palmavenue.com", "thepixxelgroup.com", "buildassetswealth.com", "oscarandmarina.com", "zingoworks.space", "edgewooddhr.net", "earth-emily.com", "belanjagratis.com", "sandrapidal.com", "btvstudios.com", "aberdareroyalcottages.com", "officialgiftclub.com", "kerdbooks.com", "havemercyinc.net", "sunsitek.com", "larek.store", "radioapostolicadigital.com", "xcuswaeheje.com", "ndk168.com", "pcareinc.com", "beconfidentagain.com", "codejunkys.com", "constancescot.com", "inbarrel.com", "thepurepharmacy.com", "finoblog.com", "orderbbqculinary.com", "bgshtswp.com", "hezhengnet.com", "clerolaustrie.com", "speedysnacksbox.com", "amazonia.coffee", "mnkmultiservicios.com", "antips.com", "powerofphoto.com", "trackyourvote.com", "equiposddl.com", "mintmobikeplus.com", "grn-shop.com", "fabslab.coffee", "musicindustrymag.com", "cyprusdivingcenters.com", "sunsilify.com", "rehabcareconnect.com", "kingscarehospital.com", "pompomlearning.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed under each row)
00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
19 further memory-dump matches are not shown here.

      Unpacked PEs

Source | Rule | Description | Author (matched strings listed under each row)
1.2.lpdKSOB78u.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.lpdKSOB78u.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.lpdKSOB78u.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x166a9:$sqlite3step: 68 34 1C 7B E1
        • 0x167bc:$sqlite3step: 68 34 1C 7B E1
        • 0x166d8:$sqlite3text: 68 38 2A 90 C5
        • 0x167fd:$sqlite3text: 68 38 2A 90 C5
        • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0.2.lpdKSOB78u.exe.2a30000.5.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.lpdKSOB78u.exe.2a30000.5.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13 further unpacked-PE matches are not shown here.
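Two of the rule strings in the Yara Overview are worth reading rather than just counting. The three JPCERT/CC strings ($sqlite3step, $sqlite3text, $sqlite3blob) are each a 5-byte "push imm32" (opcode 0x68 followed by a little-endian dword), i.e. the constant FormBook pushes when resolving an API by hash; the report does not name the hash algorithm, so this example does not either. yara-signator's $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, which is the timing measurement behind the "Tries to detect virtualization through RDTSC time measurements" signature. The script below is an added example (not the report's or either rule author's code): it scans a constructed buffer for the listed strings the way yara -s would, and decodes the push immediates. The buffer and its offsets are constructed, not the report's dump offsets.

```python
"""Re-checking the memory-rule strings from the Yara Overview by hand.

Added example, not from the report. Patterns are copied from the report's
Yara Overview; the scanned buffer is constructed here.
"""
import struct

RULE_STRINGS = {
    "$sqlite3step": "68 34 1C 7B E1",   # push 0xE17B1C34
    "$sqlite3text": "68 38 2A 90 C5",   # push 0xC5902A38
    "$sqlite3blob": "68 53 D8 7F 8C",   # push 0x8C7FD853
    # add ecx,eax ; rdtsc ; sub eax,ecx ; mov [ebp-4],eax  (RDTSC delta check)
    "$sequence_0":  "03 C8 0F 31 2B C1 89 45 FC",
}


def hex_to_bytes(pattern):
    return bytes.fromhex(pattern.replace(" ", ""))


def push_imm32(pattern):
    """For a 5-byte 'push imm32' (opcode 0x68) return the immediate, else None."""
    b = hex_to_bytes(pattern)
    if len(b) == 5 and b[0] == 0x68:
        return struct.unpack("<I", b[1:])[0]
    return None


def scan(buf, strings=RULE_STRINGS):
    """All (name, offset) hits of each rule string in buf, ordered by offset."""
    hits = []
    for name, pattern in strings.items():
        needle = hex_to_bytes(pattern)
        start = 0
        while (i := buf.find(needle, start)) != -1:
            hits.append((name, i))
            start = i + 1
    return sorted(hits, key=lambda h: h[1])


def build_sample():
    """Constructed stand-in for a memory dump: NOP filler with the rule strings
    placed at arbitrary offsets (not the offsets the report lists)."""
    buf = bytearray(b"\x90" * 0x100)
    buf[0x10:0x19] = hex_to_bytes(RULE_STRINGS["$sequence_0"])
    buf[0x40:0x45] = hex_to_bytes(RULE_STRINGS["$sqlite3step"])
    buf[0x80:0x85] = hex_to_bytes(RULE_STRINGS["$sqlite3text"])
    buf[0xC0:0xC5] = hex_to_bytes(RULE_STRINGS["$sqlite3blob"])
    return bytes(buf)


if __name__ == "__main__":
    for name, off in scan(build_sample()):
        imm = push_imm32(RULE_STRINGS[name])
        note = f"push 0x{imm:08X}" if imm is not None else "code sequence"
        print(f"0x{off:x}: {name} ({note})")
```

The push constants are what to pivot on when a dump matches only partially: a rebuilt or relinked FormBook stage will move the offsets the report lists, but the immediates stay the same unless the hash seed changes.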

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Found malware configuration
Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack | Malware Configuration Extractor: FormBook {"C2 list": ["www.torontotel.com/4qdc/"], "decoy": ["mangpe.asia", "mmstruckingllc.com", "ascendingworship.com", "gfeets.com", "smartcbda.com", "dreaminggrand.com", "dohostar.com", "farkindalik365.com", "weareexpatwomen.com", "gamereruns.com", "rosesandframes.com", "commagx4.info", "tarpleymusic.info", "szttskj.com", "calatheahomeservices.com", "qm7886.com", "emunmous.com", "deutschclub.com", "39palmavenue.com", "thepixxelgroup.com", "buildassetswealth.com", "oscarandmarina.com", "zingoworks.space", "edgewooddhr.net", "earth-emily.com", "belanjagratis.com", "sandrapidal.com", "btvstudios.com", "aberdareroyalcottages.com", "officialgiftclub.com", "kerdbooks.com", "havemercyinc.net", "sunsitek.com", "larek.store", "radioapostolicadigital.com", "xcuswaeheje.com", "ndk168.com", "pcareinc.com", "beconfidentagain.com", "codejunkys.com", "constancescot.com", "inbarrel.com", "thepurepharmacy.com", "finoblog.com", "orderbbqculinary.com", "bgshtswp.com", "hezhengnet.com", "clerolaustrie.com", "speedysnacksbox.com", "amazonia.coffee", "mnkmultiservicios.com", "antips.com", "powerofphoto.com", "trackyourvote.com", "equiposddl.com", "mintmobikeplus.com", "grn-shop.com", "fabslab.coffee", "musicindustrymag.com", "cyprusdivingcenters.com", "sunsilify.com", "rehabcareconnect.com", "kingscarehospital.com", "pompomlearning.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll | ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: lpdKSOB78u.exe | Virustotal: Detection: 44%
Source: lpdKSOB78u.exe | ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: lpdKSOB78u.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

          Compliance:

Uses 32bit PE files
Source: lpdKSOB78u.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: lpdKSOB78u.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Note: RELOCS_STRIPPED is set on the same file, so the loader has no relocation table to rebase the image with; DYNAMIC_BASE alone does not give this executable a randomized base address.
Binary contains paths to debug symbols
Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: lpdKSOB78u.exe, 00000000.00000003.205218390.0000000002BF0000.00000004.00000001.sdmp, lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: lpdKSOB78u.exe, raserver.exe
Source: Binary string: RAServer.pdb source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405A15
Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 0_2_004065C1 FindFirstFileA,FindClose, 0_2_004065C1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.torontotel.com/4qdc/
Source: global traffic | HTTP traffic detected: GET /4qdc/?sxlpdB=n05rnph+IqNz0mbSS5vp9sGjLY7dyqnysY607r4vHHjCLr3ziiRBE07QjlPjM5GqarqD&2dz=onbha HTTP/1.1 | Host: www.pcareinc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 null bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /4qdc/?sxlpdB=FDPsk0sff5Lw+z8Vw8rcgpm8MWqJfMs2bvH8+cW5/POI2TSyhlXdRmW8g+C2mzqgUbJY&2dz=onbha HTTP/1.1 | Host: www.antips.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 null bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /4qdc/?sxlpdB=+7VgHCQQJYO0FHfoX4VwpMGRpMkf/fkwbCKrV3wMZoe5nkwvpaAzoW+aSblNd7Hd+wjC&2dz=onbha HTTP/1.1 | Host: www.edgewooddhr.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 null bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /4qdc/?sxlpdB=fgRLe1wDsIR582SpVqHNrqc5X9FQKzC9eNMuu75MPd7YekjVZ2QEORs18XDbgwZ5UcjJ&2dz=onbha HTTP/1.1 | Host: www.ndk168.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 null bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /4qdc/?sxlpdB=DRpehdA/33BzcPgqXFJLC0P+7mKy3AC9kGgryjypn4W4a4lypWUQvIUJQnrelubfkLFp&2dz=onbha HTTP/1.1 | Host: www.inbarrel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 null bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /4qdc/?sxlpdB=ZB8Pl5eBC7Hephg+P6iGhrGYsApNwIB7ekAHWQJEYqlC8jRN6CLcZFL5CLWpIktyGytq&2dz=onbha HTTP/1.1 | Host: www.39palmavenue.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 null bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /4qdc/?sxlpdB=t6rgzpThEavL/zg9991GCjSWOfv9/TODS4c0mNe7yolhiaEFU/O6K33zqhrleftTdvyE&2dz=onbha HTTP/1.1 | Host: www.buildassetswealth.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 null bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /4qdc/?sxlpdB=uT9syTVFNHzfIlw/vi0ORJwgGNlm67yR3EiChoWxlToAUfSEqT6/a/KF0zmtzwOHQ1u8&2dz=onbha HTTP/1.1 | Host: www.beconfidentagain.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 null bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /4qdc/?sxlpdB=XrM9oEi9W6a6X8UVQlR+JUyFbINbZfC+p7wdaOxjToB4fXjiFd7gjA62KvYw0vzt+GJp&2dz=onbha HTTP/1.1 | Host: www.rehabcareconnect.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 null bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /4qdc/?sxlpdB=oetlJbthpq9VCk3sxGtc819EDOSw/wKhNDSOaTnbk4bTW9QfHQR4t80kWNVKaJln9Y1c&2dz=onbha HTTP/1.1 | Host: www.speedysnacksbox.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 null bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /4qdc/?sxlpdB=o1YYd6Gi2K67gelLAX14ago2MHBzIaWFdtb1Ca8ijRLt6mEmIsAV47qF7pv8e7ASo7Rk&2dz=onbha HTTP/1.1 | Host: www.havemercyinc.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 null bytes, nothing printable)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 208.91.197.27
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: the eleven GET /4qdc/ requests listed above; none of them carries a User-Agent header
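The captured requests share one shape: GET to the /4qdc/ path from the extracted configuration, a single long base64-looking parameter, Connection: close, no User-Agent, and a Host header that walks through the decoy list while the path stays fixed (the Snort alerts fire on the same check-in). The script below is an added example, not part of the Joe Sandbox report and not FormBook's or Joe Security's code, that turns those observations into a per-request triage over raw HTTP request heads. C2_LIST and the (abbreviated) DECOYS set are copied from the Malware Configuration block; SAMPLE_REQUESTS is constructed from the first captured request plus one ordinary browser request for contrast. Note that the query is split by hand rather than with urllib.parse.parse_qsl, which would turn the '+' inside the blob into a space and break the base64 check.

```python
"""Triage of FormBook-style HTTP check-ins over captured request heads.

Added example, not from the report. C2_LIST and DECOYS come from the report's
Malware Configuration; SAMPLE_REQUESTS is constructed.
"""
import re
from urllib.parse import urlsplit

C2_LIST = ["www.torontotel.com/4qdc/"]
DECOYS = {  # subset of the 64 decoy domains in the extracted configuration
    "mangpe.asia", "pcareinc.com", "antips.com", "edgewooddhr.net",
    "ndk168.com", "inbarrel.com", "39palmavenue.com", "buildassetswealth.com",
    "beconfidentagain.com", "rehabcareconnect.com", "speedysnacksbox.com",
    "havemercyinc.net",
}

# Constructed input: the first request head as captured in the report, and an
# ordinary browser-style request. Both are CRLF-delimited request heads.
SAMPLE_REQUESTS = [
    "GET /4qdc/?sxlpdB=n05rnph+IqNz0mbSS5vp9sGjLY7dyqnysY607r4vHHjCLr3ziiRBE07QjlPjM5GqarqD&2dz=onbha HTTP/1.1\r\n"
    "Host: www.pcareinc.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
]

# Standard base64 alphabet, long enough to be a ciphertext blob rather than a word.
_B64ISH = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def strip_www(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def c2_paths(c2_list):
    """'www.torontotel.com/4qdc/' -> {'/4qdc/'}; the path is the stable part."""
    return {"/" + entry.split("/", 1)[1] for entry in c2_list if "/" in entry}


def c2_hosts(c2_list):
    return {strip_www(entry.split("/", 1)[0]) for entry in c2_list}


def parse_request(raw):
    """Split a raw request head into (method, target, lower-cased header dict)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def split_query(query):
    """k=v&k=v without percent-decoding, so '+' and '/' in the blob survive."""
    pairs = {}
    for part in query.split("&"):
        if part:
            k, _, v = part.partition("=")
            pairs[k] = v
    return pairs


def triage(raw, c2_list=C2_LIST, decoys=DECOYS):
    """Indicators for one request; 'formbook_like' is the combined verdict."""
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    params = split_query(url.query)
    bare_host = strip_www(headers.get("host", ""))
    ind = {
        "host": headers.get("host", ""),
        "c2_path": url.path in c2_paths(c2_list),
        "no_user_agent": "user-agent" not in headers,
        "connection_close": headers.get("connection", "").lower() == "close",
        "base64ish_param": any(_B64ISH.match(v) for v in params.values()),
        "host_is_c2": bare_host in c2_hosts(c2_list),
        "host_is_decoy": bare_host in decoys,
    }
    ind["formbook_like"] = (method == "GET" and ind["c2_path"]
                            and ind["no_user_agent"] and ind["base64ish_param"])
    return ind


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(triage(req))
```

In this capture every flagged request has host_is_decoy set and host_is_c2 clear, which is the point of the decoy list: blocking the eleven hostnames seen here does nothing to the real C2, so the indicator to carry forward is the /4qdc/ path plus the header shape, not the Host values.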
Source: unknown | DNS traffic detected: queries for: www.pcareinc.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Type: text/html | Last-Modified: Tue, 09 Jul 2019 06:18:14 GMT | Etag: "999-5d2431a6-2d9d76b743ab0996;;;" | Accept-Ranges: bytes | Content-Length: 2457 | Date: Tue, 23 Feb 2021 08:20:07 GMT | Server: LiteSpeed | Data Ascii (decoded from the captured hex; the capture is cut off part-way through the page's inline CSS):
<!DOCTYPE html>
<html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ foaf: http://xmlns.com/foaf/0.1/ og: http://ogp.me/ns# rdfs: http://www.w3.org/2000/01/rdf-schema# sioc: http://rdfs.org/sioc/ns# sioct: http://rdfs.org/sioc/types# skos: http://www.w3.org/2004/02/skos/core# xsd: http://www.w3.org/2001/XMLSchema#">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <style type="text/css">
        @charset "UTF-8";
        [ng\:cloak], [ng-cloak], [data-ng-cloak], [x-ng-cloak], .ng-cloak, .x-ng-cloak, .ng-hide:not(.ng-hide-animate) { display: none !important; }
        ng\:form { display: block; }
        .ng-animate-shim { visibility: hidden; }
        .ng-anchor { position: absolute; [capture truncated]
Source: explorer.exe, 00000004.00000000.237000933.000000000F540000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27586/searchbtn.png)
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/BG_2.png)
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Left.png)
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Right.png)
Source: lpdKSOB78u.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: lpdKSOB78u.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://rdfs.org/sioc/ns#
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: http://rdfs.org/sioc/types#
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004054B2

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_004181B0 NtCreateFile,1_2_004181B0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_00418260 NtReadFile,1_2_00418260
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_004182E0 NtClose,1_2_004182E0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_00418390 NtAllocateVirtualMemory,1_2_00418390
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_004181AA NtCreateFile,1_2_004181AA
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_0041825A NtReadFile,1_2_0041825A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_004182DA NtClose,1_2_004182DA
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_009D98F0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk,1_2_009D9840
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk,1_2_009D9860
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk,1_2_009D99A0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_009D9910
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_009D9A00
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk,1_2_009D9A20
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk,1_2_009D9A50
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D95D0 NtClose,LdrInitializeThunk,1_2_009D95D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9540 NtReadFile,LdrInitializeThunk,1_2_009D9540
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_009D96E0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_009D9660
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk,1_2_009D9780
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_009D97A0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9FE0 NtCreateMutant,LdrInitializeThunk,1_2_009D9FE0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk,1_2_009D9710
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D98A0 NtWriteVirtualMemory,1_2_009D98A0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9820 NtEnumerateKey,1_2_009D9820
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009DB040 NtSuspendThread,1_2_009DB040
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D99D0 NtCreateProcessEx,1_2_009D99D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9950 NtQueueApcThread,1_2_009D9950
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9A80 NtOpenDirectoryObject,1_2_009D9A80
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9A10 NtQuerySection,1_2_009D9A10
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009DA3B0 NtGetContextThread,1_2_009DA3B0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9B00 NtSetValueKey,1_2_009D9B00
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D95F0 NtQueryInformationFile,1_2_009D95F0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009DAD30 NtSetContextThread,1_2_009DAD30
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9520 NtWaitForSingleObject,1_2_009D9520
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9560 NtWriteFile,1_2_009D9560
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D96D0 NtCreateKey,1_2_009D96D0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9610 NtEnumerateValueKey,1_2_009D9610
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9650 NtQueryValueKey,1_2_009D9650
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9670 NtQueryInformationProcess,1_2_009D9670
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009DA710 NtOpenProcessToken,1_2_009DA710
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9730 NtQueryVirtualMemory,1_2_009D9730
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9770 NtSetInformationFile,1_2_009D9770
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009DA770 NtOpenThread,1_2_009DA770
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009D9760 NtOpenProcess,1_2_009D9760
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_1_004181B0 NtCreateFile,1_1_004181B0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_1_00418260 NtReadFile,1_1_00418260
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_1_004182E0 NtClose,1_1_004182E0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_1_00418390 NtAllocateVirtualMemory,1_1_00418390
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_1_004181AA NtCreateFile,1_1_004181AA
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_1_0041825A NtReadFile,1_1_0041825A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_1_004182DA NtClose,1_1_004182DA
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09860 NtQuerySystemInformation,LdrInitializeThunk,9_2_04B09860
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09840 NtDelayExecution,LdrInitializeThunk,9_2_04B09840
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B099A0 NtCreateSection,LdrInitializeThunk,9_2_04B099A0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B095D0 NtClose,LdrInitializeThunk,9_2_04B095D0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09910 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_04B09910
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09540 NtReadFile,LdrInitializeThunk,9_2_04B09540
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B096E0 NtFreeVirtualMemory,LdrInitializeThunk,9_2_04B096E0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B096D0 NtCreateKey,LdrInitializeThunk,9_2_04B096D0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09660 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_04B09660
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09650 NtQueryValueKey,LdrInitializeThunk,9_2_04B09650
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09A50 NtCreateFile,LdrInitializeThunk,9_2_04B09A50
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09780 NtMapViewOfSection,LdrInitializeThunk,9_2_04B09780
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09FE0 NtCreateMutant,LdrInitializeThunk,9_2_04B09FE0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09710 NtQueryInformationToken,LdrInitializeThunk,9_2_04B09710
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B098A0 NtWriteVirtualMemory,9_2_04B098A0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B098F0 NtReadVirtualMemory,9_2_04B098F0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09820 NtEnumerateKey,9_2_04B09820
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B0B040 NtSuspendThread,9_2_04B0B040
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B095F0 NtQueryInformationFile,9_2_04B095F0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B099D0 NtCreateProcessEx,9_2_04B099D0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B0AD30 NtSetContextThread,9_2_04B0AD30
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09520 NtWaitForSingleObject,9_2_04B09520
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09560 NtWriteFile,9_2_04B09560
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09950 NtQueueApcThread,9_2_04B09950
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09A80 NtOpenDirectoryObject,9_2_04B09A80
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09A20 NtResumeThread,9_2_04B09A20
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09610 NtEnumerateValueKey,9_2_04B09610
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09A10 NtQuerySection,9_2_04B09A10
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09A00 NtProtectVirtualMemory,9_2_04B09A00
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09670 NtQueryInformationProcess,9_2_04B09670
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B0A3B0 NtGetContextThread,9_2_04B0A3B0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B097A0 NtUnmapViewOfSection,9_2_04B097A0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09730 NtQueryVirtualMemory,9_2_04B09730
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B0A710 NtOpenProcessToken,9_2_04B0A710
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09B00 NtSetValueKey,9_2_04B09B00
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09770 NtSetInformationFile,9_2_04B09770
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B0A770 NtOpenThread,9_2_04B0A770
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B09760 NtOpenProcess,9_2_04B09760
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00B081B0 NtCreateFile,9_2_00B081B0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00B082E0 NtClose,9_2_00B082E0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00B08260 NtReadFile,9_2_00B08260
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00B08390 NtAllocateVirtualMemory,9_2_00B08390
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00B081AA NtCreateFile,9_2_00B081AA
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00B082DA NtClose,9_2_00B082DA
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00B0825A NtReadFile,9_2_00B0825A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403486
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 0_2_00407272 0_2_00407272
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 0_2_00406A9B 0_2_00406A9B
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 0_2_70481A98 0_2_70481A98
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_00401030 1_2_00401030
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_00408C50 1_2_00408C50
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_00408C0A 1_2_00408C0A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_0041BC2E 1_2_0041BC2E
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_0041B544 1_2_0041B544
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_00402D87 1_2_00402D87
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_00402D90 1_2_00402D90
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_0041C722 1_2_0041C722
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_00402FB0 1_2_00402FB0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009AB090 1_2_009AB090
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_00A51002 1_2_00A51002
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_0099F900 1_2_0099F900
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009B4120 1_2_009B4120
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009CEBB0 1_2_009CEBB0
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_00990D20 1_2_00990D20
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_00A61D55 1_2_00A61D55
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_2_009B6E30 1_2_009B6E30
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: 1_1_00401030 1_1_00401030
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04ADB090 9_2_04ADB090
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04AD841F 9_2_04AD841F
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B81002 9_2_04B81002
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04ADD5E0 9_2_04ADD5E0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04AC0D20 9_2_04AC0D20
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04AE4120 9_2_04AE4120
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04ACF900 9_2_04ACF900
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04B91D55 9_2_04B91D55
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04AE6E30 9_2_04AE6E30
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_04AFEBB0 9_2_04AFEBB0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00B0BC2A 9_2_00B0BC2A
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00AF8C0A 9_2_00AF8C0A
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00AF8C50 9_2_00AF8C50
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00AF2D87 9_2_00AF2D87
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00AF2D90 9_2_00AF2D90
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00AF2FB0 9_2_00AF2FB0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00B0C722 9_2_00B0C722
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll 41B9F5241987338FAA262090BEAB1ADF4A9821497011BBE87D3A770F2C926666
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 04ACB150 appears 32 times
          Source: C:\Users\user\Desktop\lpdKSOB78u.exe | Code function: String function: 0041A090 appears 40 times
          Source: lpdKSOB78u.exe, 00000000.00000003.204440401.0000000002D0F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs lpdKSOB78u.exe
          Source: lpdKSOB78u.exe, 00000000.00000002.211643992.0000000000C30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs lpdKSOB78u.exe
          Source: lpdKSOB78u.exe, 00000001.00000002.265933060.0000000000969000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameraserver.exej% vs lpdKSOB78u.exe
          Source: lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs lpdKSOB78u.exe
          Source: lpdKSOB78u.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/4@14/8
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403486
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404763
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_703C4243 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,0_2_703C4243
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,0_2_0040216B
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeFile created: C:\Users\user\AppData\Local\Temp\nsx545.tmpJump to behavior
          Source: lpdKSOB78u.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: lpdKSOB78u.exeVirustotal: Detection: 44%
          Source: lpdKSOB78u.exeReversingLabs: Detection: 36%
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeFile read: C:\Users\user\Desktop\lpdKSOB78u.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'
          Source: unknownProcess created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeProcess created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'Jump to behavior
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: lpdKSOB78u.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: lpdKSOB78u.exe, 00000000.00000003.205218390.0000000002BF0000.00000004.00000001.sdmp, lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: lpdKSOB78u.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
          Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
          Source: Binary string: RAServer.pdbGCTL source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_70481A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_70481A98
          Source: h1luljvls0ea.dll.0.drStatic PE information: section name: .code
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 0_2_70482F60 push eax; ret 0_2_70482F8E
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00416147 push esi; iretd 1_2_0041614A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00416125 push ds; retf 1_2_0041612B
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_004153DC push es; retf 1_2_004153E5
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0041B3F2 push eax; ret 1_2_0041B3F8
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0041B3FB push eax; ret 1_2_0041B462
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00415B8C push ebp; ret 1_2_00415BD2
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0041B3A5 push eax; ret 1_2_0041B3F8
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_0041B45C push eax; ret 1_2_0041B462
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00414E12 push ebx; ret 1_2_00414E14
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_00414FCB pushfd ; iretd 1_2_00414FCC
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_2_009ED0D1 push ecx; ret 1_2_009ED0E4
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_00416147 push esi; iretd 1_1_0041614A
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_00416125 push ds; retf 1_1_0041612B
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_004153DC push es; retf 1_1_004153E5
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_0041B3F2 push eax; ret 1_1_0041B3F8
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_0041B3FB push eax; ret 1_1_0041B462
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_00415B8C push ebp; ret 1_1_00415BD2
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeCode function: 1_1_0041B3A5 push eax; ret 1_1_0041B3F8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_04B1D0D1 push ecx; ret 9_2_04B1D0E4
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B06125 push ds; retf 9_2_00B0612B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B06147 push esi; iretd 9_2_00B0614A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B0B3A5 push eax; ret 9_2_00B0B3F8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B05B8C push ebp; ret 9_2_00B05BD2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B0B3F2 push eax; ret 9_2_00B0B3F8
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B0B3FB push eax; ret 9_2_00B0B462
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B053DC push es; retf 9_2_00B053E5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B0B45C push eax; ret 9_2_00B0B462
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B04E12 push ebx; ret 9_2_00B04E14
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00B04FCB pushfd ; iretd 9_2_00B04FCC
          Source: initial sampleStatic PE information: section name: .data entropy: 7.74690382322
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeFile created: C:\Users\user\AppData\Local\Temp\nsr575.tmp\System.dllJump to dropped file
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeFile created: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dllJump to dropped file
          Source: C:\Users\user\Desktop\lpdKSOB78u.exeProcess information set: NOOPENFILEERRORBOX