Play interactive tour

Edit tour

Analysis Report lpdKSOB78u.exe

Overview

General Information

Sample Name:	lpdKSOB78u.exe
Analysis ID:	356515
MD5:	f10054d325df455c58ecb16ea660d3f2
SHA1:	54871af48b64576922b97965efeeea94976bc119
SHA256:	b060cb81afd9113cfbbb1e346c99e503c545da47ed80096c021b7ca41c064c76
Tags:	exeFormbook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

lpdKSOB78u.exe (PID: 6076 cmdline: 'C:\Users\user\Desktop\lpdKSOB78u.exe' MD5: F10054D325DF455C58ECB16EA660D3F2)

lpdKSOB78u.exe (PID: 5652 cmdline: 'C:\Users\user\Desktop\lpdKSOB78u.exe' MD5: F10054D325DF455C58ECB16EA660D3F2)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

raserver.exe (PID: 6748 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)

cmd.exe (PID: 6956 cmdline: /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.torontotel.com/4qdc/"], "decoy": ["mangpe.asia", "mmstruckingllc.com", "ascendingworship.com", "gfeets.com", "smartcbda.com", "dreaminggrand.com", "dohostar.com", "farkindalik365.com", "weareexpatwomen.com", "gamereruns.com", "rosesandframes.com", "commagx4.info", "tarpleymusic.info", "szttskj.com", "calatheahomeservices.com", "qm7886.com", "emunmous.com", "deutschclub.com", "39palmavenue.com", "thepixxelgroup.com", "buildassetswealth.com", "oscarandmarina.com", "zingoworks.space", "edgewooddhr.net", "earth-emily.com", "belanjagratis.com", "sandrapidal.com", "btvstudios.com", "aberdareroyalcottages.com", "officialgiftclub.com", "kerdbooks.com", "havemercyinc.net", "sunsitek.com", "larek.store", "radioapostolicadigital.com", "xcuswaeheje.com", "ndk168.com", "pcareinc.com", "beconfidentagain.com", "codejunkys.com", "constancescot.com", "inbarrel.com", "thepurepharmacy.com", "finoblog.com", "orderbbqculinary.com", "bgshtswp.com", "hezhengnet.com", "clerolaustrie.com", "speedysnacksbox.com", "amazonia.coffee", "mnkmultiservicios.com", "antips.com", "powerofphoto.com", "trackyourvote.com", "equiposddl.com", "mintmobikeplus.com", "grn-shop.com", "fabslab.coffee", "musicindustrymag.com", "cyprusdivingcenters.com", "sunsilify.com", "rehabcareconnect.com", "kingscarehospital.com", "pompomlearning.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.lpdKSOB78u.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.lpdKSOB78u.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.lpdKSOB78u.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0.2.lpdKSOB78u.exe.2a30000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.lpdKSOB78u.exe.2a30000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.lpdKSOB78u.exe.2a30000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
1.1.lpdKSOB78u.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.lpdKSOB78u.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.lpdKSOB78u.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
1.2.lpdKSOB78u.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.lpdKSOB78u.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.lpdKSOB78u.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
1.1.lpdKSOB78u.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.lpdKSOB78u.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.lpdKSOB78u.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.torontotel.com/4qdc/"], "decoy": ["mangpe.asia", "mmstruckingllc.com", "ascendingworship.com", "gfeets.com", "smartcbda.com", "dreaminggrand.com", "dohostar.com", "farkindalik365.com", "weareexpatwomen.com", "gamereruns.com", "rosesandframes.com", "commagx4.info", "tarpleymusic.info", "szttskj.com", "calatheahomeservices.com", "qm7886.com", "emunmous.com", "deutschclub.com", "39palmavenue.com", "thepixxelgroup.com", "buildassetswealth.com", "oscarandmarina.com", "zingoworks.space", "edgewooddhr.net", "earth-emily.com", "belanjagratis.com", "sandrapidal.com", "btvstudios.com", "aberdareroyalcottages.com", "officialgiftclub.com", "kerdbooks.com", "havemercyinc.net", "sunsitek.com", "larek.store", "radioapostolicadigital.com", "xcuswaeheje.com", "ndk168.com", "pcareinc.com", "beconfidentagain.com", "codejunkys.com", "constancescot.com", "inbarrel.com", "thepurepharmacy.com", "finoblog.com", "orderbbqculinary.com", "bgshtswp.com", "hezhengnet.com", "clerolaustrie.com", "speedysnacksbox.com", "amazonia.coffee", "mnkmultiservicios.com", "antips.com", "powerofphoto.com", "trackyourvote.com", "equiposddl.com", "mintmobikeplus.com", "grn-shop.com", "fabslab.coffee", "musicindustrymag.com", "cyprusdivingcenters.com", "sunsilify.com", "rehabcareconnect.com", "kingscarehospital.com", "pompomlearning.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll

ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Show sources

Source: lpdKSOB78u.exe	Virustotal: Detection: 44%			Perma Link
Source: lpdKSOB78u.exe	ReversingLabs: Detection: 36%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: lpdKSOB78u.exe

Joe Sandbox ML: detected

Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: lpdKSOB78u.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: lpdKSOB78u.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: lpdKSOB78u.exe, 00000000.00000003.205218390.0000000002BF0000.00000004.00000001.sdmp, lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: lpdKSOB78u.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
Source:	Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source:	Binary string: RAServer.pdbGCTL source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp

Spreading:

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405A15
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_004065C1 FindFirstFileA,FindClose,	0_2_004065C1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_004027A1 FindFirstFileA,	0_2_004027A1

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 23.224.206.45:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 104.21.76.239:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49753 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.torontotel.com/4qdc/

Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=n05rnph+IqNz0mbSS5vp9sGjLY7dyqnysY607r4vHHjCLr3ziiRBE07QjlPjM5GqarqD&2dz=onbha HTTP/1.1Host: www.pcareinc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=FDPsk0sff5Lw+z8Vw8rcgpm8MWqJfMs2bvH8+cW5/POI2TSyhlXdRmW8g+C2mzqgUbJY&2dz=onbha HTTP/1.1Host: www.antips.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=+7VgHCQQJYO0FHfoX4VwpMGRpMkf/fkwbCKrV3wMZoe5nkwvpaAzoW+aSblNd7Hd+wjC&2dz=onbha HTTP/1.1Host: www.edgewooddhr.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=fgRLe1wDsIR582SpVqHNrqc5X9FQKzC9eNMuu75MPd7YekjVZ2QEORs18XDbgwZ5UcjJ&2dz=onbha HTTP/1.1Host: www.ndk168.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=DRpehdA/33BzcPgqXFJLC0P+7mKy3AC9kGgryjypn4W4a4lypWUQvIUJQnrelubfkLFp&2dz=onbha HTTP/1.1Host: www.inbarrel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=ZB8Pl5eBC7Hephg+P6iGhrGYsApNwIB7ekAHWQJEYqlC8jRN6CLcZFL5CLWpIktyGytq&2dz=onbha HTTP/1.1Host: www.39palmavenue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=t6rgzpThEavL/zg9991GCjSWOfv9/TODS4c0mNe7yolhiaEFU/O6K33zqhrleftTdvyE&2dz=onbha HTTP/1.1Host: www.buildassetswealth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=uT9syTVFNHzfIlw/vi0ORJwgGNlm67yR3EiChoWxlToAUfSEqT6/a/KF0zmtzwOHQ1u8&2dz=onbha HTTP/1.1Host: www.beconfidentagain.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=XrM9oEi9W6a6X8UVQlR+JUyFbINbZfC+p7wdaOxjToB4fXjiFd7gjA62KvYw0vzt+GJp&2dz=onbha HTTP/1.1Host: www.rehabcareconnect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=oetlJbthpq9VCk3sxGtc819EDOSw/wKhNDSOaTnbk4bTW9QfHQR4t80kWNVKaJln9Y1c&2dz=onbha HTTP/1.1Host: www.speedysnacksbox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=o1YYd6Gi2K67gelLAX14ago2MHBzIaWFdtb1Ca8ijRLt6mEmIsAV47qF7pv8e7ASo7Rk&2dz=onbha HTTP/1.1Host: www.havemercyinc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 208.91.197.27 208.91.197.27

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=n05rnph+IqNz0mbSS5vp9sGjLY7dyqnysY607r4vHHjCLr3ziiRBE07QjlPjM5GqarqD&2dz=onbha HTTP/1.1Host: www.pcareinc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=FDPsk0sff5Lw+z8Vw8rcgpm8MWqJfMs2bvH8+cW5/POI2TSyhlXdRmW8g+C2mzqgUbJY&2dz=onbha HTTP/1.1Host: www.antips.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=+7VgHCQQJYO0FHfoX4VwpMGRpMkf/fkwbCKrV3wMZoe5nkwvpaAzoW+aSblNd7Hd+wjC&2dz=onbha HTTP/1.1Host: www.edgewooddhr.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=fgRLe1wDsIR582SpVqHNrqc5X9FQKzC9eNMuu75MPd7YekjVZ2QEORs18XDbgwZ5UcjJ&2dz=onbha HTTP/1.1Host: www.ndk168.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=DRpehdA/33BzcPgqXFJLC0P+7mKy3AC9kGgryjypn4W4a4lypWUQvIUJQnrelubfkLFp&2dz=onbha HTTP/1.1Host: www.inbarrel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=ZB8Pl5eBC7Hephg+P6iGhrGYsApNwIB7ekAHWQJEYqlC8jRN6CLcZFL5CLWpIktyGytq&2dz=onbha HTTP/1.1Host: www.39palmavenue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=t6rgzpThEavL/zg9991GCjSWOfv9/TODS4c0mNe7yolhiaEFU/O6K33zqhrleftTdvyE&2dz=onbha HTTP/1.1Host: www.buildassetswealth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=uT9syTVFNHzfIlw/vi0ORJwgGNlm67yR3EiChoWxlToAUfSEqT6/a/KF0zmtzwOHQ1u8&2dz=onbha HTTP/1.1Host: www.beconfidentagain.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=XrM9oEi9W6a6X8UVQlR+JUyFbINbZfC+p7wdaOxjToB4fXjiFd7gjA62KvYw0vzt+GJp&2dz=onbha HTTP/1.1Host: www.rehabcareconnect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=oetlJbthpq9VCk3sxGtc819EDOSw/wKhNDSOaTnbk4bTW9QfHQR4t80kWNVKaJln9Y1c&2dz=onbha HTTP/1.1Host: www.speedysnacksbox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /4qdc/?sxlpdB=o1YYd6Gi2K67gelLAX14ago2MHBzIaWFdtb1Ca8ijRLt6mEmIsAV47qF7pv8e7ASo7Rk&2dz=onbha HTTP/1.1Host: www.havemercyinc.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.pcareinc.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Type: text/htmlLast-Modified: Tue, 09 Jul 2019 06:18:14 GMTEtag: "999-5d2431a6-2d9d76b743ab0996;;;"Accept-Ranges: bytesContent-Length: 2457Date: Tue, 23 Feb 2021 08:20:07 GMTServer: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 6f 63 74 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 74 79 70 65 73 23 20 73 6b 6f 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 34 2f 30 32 2f 73 6b 6f 73 2f 63 6f 72 65 23 20 78 73 64 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 0a 20 20 20 20 20 20 20 20 5b 6e 67 5c 3a 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 64 61 74 61 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 78 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 78 2d 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 68 69 64 65 3a 6e 6f 74 28 2e 6e 67 2d 68 69 64 65 2d 61 6e 69 6d 61 74 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 67 5c 3a 66 6f 72 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 69 6d 61 74 65 2d 73 68 69 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 2

Source: explorer.exe, 00000004.00000000.237000933.000000000F540000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27586/searchbtn.png)
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/BG_2.png)
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Left.png)
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Right.png)
Source: lpdKSOB78u.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: lpdKSOB78u.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://rdfs.org/sioc/ns#
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: http://rdfs.org/sioc/types#
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.233837261.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: raserver.exe, 00000009.00000002.476650462.0000000005152000.00000004.00000001.sdmp	String found in binary or memory: https://www.google-analytics.com/analytics.js

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004054B2

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_004181B0 NtCreateFile,	1_2_004181B0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00418260 NtReadFile,	1_2_00418260
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_004182E0 NtClose,	1_2_004182E0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00418390 NtAllocateVirtualMemory,	1_2_00418390
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_004181AA NtCreateFile,	1_2_004181AA
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041825A NtReadFile,	1_2_0041825A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_004182DA NtClose,	1_2_004182DA
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_009D98F0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk,	1_2_009D9840
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_009D9860
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk,	1_2_009D99A0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_009D9910
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_009D9A00
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk,	1_2_009D9A20
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk,	1_2_009D9A50
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D95D0 NtClose,LdrInitializeThunk,	1_2_009D95D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9540 NtReadFile,LdrInitializeThunk,	1_2_009D9540
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_009D96E0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_009D9660
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk,	1_2_009D9780
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_009D97A0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9FE0 NtCreateMutant,LdrInitializeThunk,	1_2_009D9FE0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk,	1_2_009D9710
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D98A0 NtWriteVirtualMemory,	1_2_009D98A0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9820 NtEnumerateKey,	1_2_009D9820
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009DB040 NtSuspendThread,	1_2_009DB040
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D99D0 NtCreateProcessEx,	1_2_009D99D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9950 NtQueueApcThread,	1_2_009D9950
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9A80 NtOpenDirectoryObject,	1_2_009D9A80
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9A10 NtQuerySection,	1_2_009D9A10
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009DA3B0 NtGetContextThread,	1_2_009DA3B0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9B00 NtSetValueKey,	1_2_009D9B00
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D95F0 NtQueryInformationFile,	1_2_009D95F0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009DAD30 NtSetContextThread,	1_2_009DAD30
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9520 NtWaitForSingleObject,	1_2_009D9520
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9560 NtWriteFile,	1_2_009D9560
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D96D0 NtCreateKey,	1_2_009D96D0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9610 NtEnumerateValueKey,	1_2_009D9610
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9650 NtQueryValueKey,	1_2_009D9650
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9670 NtQueryInformationProcess,	1_2_009D9670
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009DA710 NtOpenProcessToken,	1_2_009DA710
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9730 NtQueryVirtualMemory,	1_2_009D9730
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9770 NtSetInformationFile,	1_2_009D9770
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009DA770 NtOpenThread,	1_2_009DA770
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009D9760 NtOpenProcess,	1_2_009D9760
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_004181B0 NtCreateFile,	1_1_004181B0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00418260 NtReadFile,	1_1_00418260
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_004182E0 NtClose,	1_1_004182E0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00418390 NtAllocateVirtualMemory,	1_1_00418390
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_004181AA NtCreateFile,	1_1_004181AA
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_0041825A NtReadFile,	1_1_0041825A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_004182DA NtClose,	1_1_004182DA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_04B09860
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09840 NtDelayExecution,LdrInitializeThunk,	9_2_04B09840
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B099A0 NtCreateSection,LdrInitializeThunk,	9_2_04B099A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B095D0 NtClose,LdrInitializeThunk,	9_2_04B095D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_04B09910
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09540 NtReadFile,LdrInitializeThunk,	9_2_04B09540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B096E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_04B096E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B096D0 NtCreateKey,LdrInitializeThunk,	9_2_04B096D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_04B09660
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09650 NtQueryValueKey,LdrInitializeThunk,	9_2_04B09650
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09A50 NtCreateFile,LdrInitializeThunk,	9_2_04B09A50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09780 NtMapViewOfSection,LdrInitializeThunk,	9_2_04B09780
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09FE0 NtCreateMutant,LdrInitializeThunk,	9_2_04B09FE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09710 NtQueryInformationToken,LdrInitializeThunk,	9_2_04B09710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B098A0 NtWriteVirtualMemory,	9_2_04B098A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B098F0 NtReadVirtualMemory,	9_2_04B098F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09820 NtEnumerateKey,	9_2_04B09820
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B0B040 NtSuspendThread,	9_2_04B0B040
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B095F0 NtQueryInformationFile,	9_2_04B095F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B099D0 NtCreateProcessEx,	9_2_04B099D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B0AD30 NtSetContextThread,	9_2_04B0AD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09520 NtWaitForSingleObject,	9_2_04B09520
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09560 NtWriteFile,	9_2_04B09560
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09950 NtQueueApcThread,	9_2_04B09950
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09A80 NtOpenDirectoryObject,	9_2_04B09A80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09A20 NtResumeThread,	9_2_04B09A20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09610 NtEnumerateValueKey,	9_2_04B09610
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09A10 NtQuerySection,	9_2_04B09A10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09A00 NtProtectVirtualMemory,	9_2_04B09A00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09670 NtQueryInformationProcess,	9_2_04B09670
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B0A3B0 NtGetContextThread,	9_2_04B0A3B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B097A0 NtUnmapViewOfSection,	9_2_04B097A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09730 NtQueryVirtualMemory,	9_2_04B09730
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B0A710 NtOpenProcessToken,	9_2_04B0A710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09B00 NtSetValueKey,	9_2_04B09B00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09770 NtSetInformationFile,	9_2_04B09770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B0A770 NtOpenThread,	9_2_04B0A770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B09760 NtOpenProcess,	9_2_04B09760
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B081B0 NtCreateFile,	9_2_00B081B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B082E0 NtClose,	9_2_00B082E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B08260 NtReadFile,	9_2_00B08260
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B08390 NtAllocateVirtualMemory,	9_2_00B08390
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B081AA NtCreateFile,	9_2_00B081AA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B082DA NtClose,	9_2_00B082DA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0825A NtReadFile,	9_2_00B0825A

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403486

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_00407272	0_2_00407272
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_00406A9B	0_2_00406A9B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_70481A98	0_2_70481A98
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00408C50	1_2_00408C50
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00408C0A	1_2_00408C0A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041BC2E	1_2_0041BC2E
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041B544	1_2_0041B544
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00402D87	1_2_00402D87
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041C722	1_2_0041C722
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009AB090	1_2_009AB090
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A51002	1_2_00A51002
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0099F900	1_2_0099F900
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B4120	1_2_009B4120
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009CEBB0	1_2_009CEBB0
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00990D20	1_2_00990D20
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00A61D55	1_2_00A61D55
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009B6E30	1_2_009B6E30
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00401030	1_1_00401030
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADB090	9_2_04ADB090
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AD841F	9_2_04AD841F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B81002	9_2_04B81002
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ADD5E0	9_2_04ADD5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AC0D20	9_2_04AC0D20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE4120	9_2_04AE4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04ACF900	9_2_04ACF900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B91D55	9_2_04B91D55
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AE6E30	9_2_04AE6E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04AFEBB0	9_2_04AFEBB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0BC2A	9_2_00B0BC2A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00AF8C0A	9_2_00AF8C0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00AF8C50	9_2_00AF8C50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00AF2D87	9_2_00AF2D87
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00AF2D90	9_2_00AF2D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00AF2FB0	9_2_00AF2FB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0C722	9_2_00B0C722

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll 41B9F5241987338FAA262090BEAB1ADF4A9821497011BBE87D3A770F2C926666

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 04ACB150 appears 32 times
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: String function: 0041A090 appears 40 times

Source: lpdKSOB78u.exe, 00000000.00000003.204440401.0000000002D0F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs lpdKSOB78u.exe
Source: lpdKSOB78u.exe, 00000000.00000002.211643992.0000000000C30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs lpdKSOB78u.exe
Source: lpdKSOB78u.exe, 00000001.00000002.265933060.0000000000969000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameraserver.exej% vs lpdKSOB78u.exe
Source: lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs lpdKSOB78u.exe

Source: lpdKSOB78u.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.471497845.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.265826962.00000000008E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.471203600.0000000000D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.213421837.0000000002A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.265809915.00000000008B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.265648023.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.469614827.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.209707137.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.lpdKSOB78u.exe.2a30000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.lpdKSOB78u.exe.2a30000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.lpdKSOB78u.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.lpdKSOB78u.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@14/8

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

0_2_00403486

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404763

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_703C4243 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

0_2_703C4243

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

0_2_0040216B

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

File created: C:\Users\user\AppData\Local\Temp\nsx545.tmp

Jump to behavior

Source: lpdKSOB78u.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: lpdKSOB78u.exe	Virustotal: Detection: 44%
Source: lpdKSOB78u.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

File read: C:\Users\user\Desktop\lpdKSOB78u.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'
Source: unknown	Process created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Process created: C:\Users\user\Desktop\lpdKSOB78u.exe 'C:\Users\user\Desktop\lpdKSOB78u.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\lpdKSOB78u.exe'	Jump to behavior

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: lpdKSOB78u.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: lpdKSOB78u.exe, 00000000.00000003.205218390.0000000002BF0000.00000004.00000001.sdmp, lpdKSOB78u.exe, 00000001.00000002.266056817.0000000000A8F000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.473551161.0000000004AA0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: lpdKSOB78u.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp
Source:	Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000004.00000000.237237720.000000000F584000.00000004.00000001.sdmp
Source:	Binary string: RAServer.pdbGCTL source: lpdKSOB78u.exe, 00000001.00000002.265910985.0000000000950000.00000040.00000001.sdmp

Data Obfuscation:

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Code function: 0_2_70481A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

0_2_70481A98

Source: h1luljvls0ea.dll.0.dr

Static PE information: section name: .code

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 0_2_70482F60 push eax; ret	0_2_70482F8E
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00416147 push esi; iretd	1_2_0041614A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00416125 push ds; retf	1_2_0041612B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_004153DC push es; retf	1_2_004153E5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041B3F2 push eax; ret	1_2_0041B3F8
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041B3FB push eax; ret	1_2_0041B462
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00415B8C push ebp; ret	1_2_00415BD2
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041B3A5 push eax; ret	1_2_0041B3F8
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_0041B45C push eax; ret	1_2_0041B462
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00414E12 push ebx; ret	1_2_00414E14
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_00414FCB pushfd ; iretd	1_2_00414FCC
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_2_009ED0D1 push ecx; ret	1_2_009ED0E4
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00416147 push esi; iretd	1_1_0041614A
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00416125 push ds; retf	1_1_0041612B
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_004153DC push es; retf	1_1_004153E5
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_0041B3F2 push eax; ret	1_1_0041B3F8
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_0041B3FB push eax; ret	1_1_0041B462
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_00415B8C push ebp; ret	1_1_00415BD2
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	Code function: 1_1_0041B3A5 push eax; ret	1_1_0041B3F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_04B1D0D1 push ecx; ret	9_2_04B1D0E4
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B06125 push ds; retf	9_2_00B0612B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B06147 push esi; iretd	9_2_00B0614A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0B3A5 push eax; ret	9_2_00B0B3F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B05B8C push ebp; ret	9_2_00B05BD2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0B3F2 push eax; ret	9_2_00B0B3F8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0B3FB push eax; ret	9_2_00B0B462
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B053DC push es; retf	9_2_00B053E5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B0B45C push eax; ret	9_2_00B0B462
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B04E12 push ebx; ret	9_2_00B04E14
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 9_2_00B04FCB pushfd ; iretd	9_2_00B04FCC

Source: initial sample

Static PE information: section name: .data entropy: 7.74690382322

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\lpdKSOB78u.exe	File created: C:\Users\user\AppData\Local\Temp\nsr575.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\lpdKSOB78u.exe	File created: C:\Users\user\AppData\Local\Temp\h1luljvls0ea.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\lpdKSOB78u.exe

Process information set: NOOPENFILEERRORBOX

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report lpdKSOB78u.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection: