Play interactive tour

Edit tour

Analysis Report transferir copia_98087.exe

Overview

General Information

Sample Name:	transferir copia_98087.exe
Analysis ID:	356823
MD5:	ca35b660415defe96fe6af4eb3a45d86
SHA1:	61345b9633b50081b63b65bbf95410d265ea6ce5
SHA256:	a3327c95da3017b7f9f87eeeef8ccba7373e363facad5024432b7aba20a9b832
Tags:	ESPexeFormbookgeo
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

transferir copia_98087.exe (PID: 3096 cmdline: 'C:\Users\user\Desktop\transferir copia_98087.exe' MD5: CA35B660415DEFE96FE6AF4EB3A45D86)

transferir copia_98087.exe (PID: 5376 cmdline: C:\Users\user\Desktop\transferir copia_98087.exe MD5: CA35B660415DEFE96FE6AF4EB3A45D86)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

msdt.exe (PID: 2576 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)

cmd.exe (PID: 4364 cmdline: /c del 'C:\Users\user\Desktop\transferir copia_98087.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.basiclablife.com/8zdn/"], "decoy": ["yourherogarden.net", "onlineharambee.net", "cerrajeriaurgencias24horas.com", "distritoforex.com", "verifyclientserverssr.com", "dandwg.com", "co2-zero.global", "joshssl.com", "meckwt.com", "theammf.com", "rawclectic.com", "gzgnetwork.com", "richmondavenuecoc.com", "nicolelyte.com", "thetinyclosetboutique.com", "llt-group.net", "seven-sky-design.com", "joganifinancialgrp.com", "elementsvapes.com", "bingent.info", "quaichshop.net", "unethicalsgsblaw.com", "matts.digital", "lexafit.com", "covidwanderings.com", "pk972.com", "fanashaadivine.com", "winharadesigns.com", "adosignite.com", "goldengatesimmigration.com", "unazampanelcuore.com", "gasexecutive.com", "sdps365.net", "worthingtonminnesota.com", "ducatsupply.com", "beijinghui1.icu", "hn-bet.com", "homeforsalesteamboat.com", "tiaozaoxinlingshou.net", "mrbils.net", "depuitycollector.com", "winningovereating.com", "usedonlyrvs.com", "verbinoz.com", "threepocketmedia.com", "lizbing.com", "fivestardogfoods.com", "edevercal.net", "irisettelment.com", "beautyphernalia.com", "terrawindglobalprotection.net", "floridaindian.com", "kidzistore.com", "kulisbet117.com", "logingatech.info", "ftdk.net", "lawwise.legal", "bruthawar.com", "lemonpublishing.com", "6781529.com", "zfxsotc.com", "shroomsdrop.com", "ahm-app.com", "finesilversmith.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2509f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x250d92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x277c18:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x277fb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x25caa5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x283cc5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x25c591:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2837b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x25cba7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x283dc7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x25cd1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x283f3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2517aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2789ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x25b80c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x282a2c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x252522:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x279742:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x261b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x288db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x262c3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x25eac9:$sqlite3step: 68 34 1C 7B E1 0x25ebdc:$sqlite3step: 68 34 1C 7B E1 0x285ce9:$sqlite3step: 68 34 1C 7B E1 0x285dfc:$sqlite3step: 68 34 1C 7B E1 0x25eaf8:$sqlite3text: 68 38 2A 90 C5 0x25ec1d:$sqlite3text: 68 38 2A 90 C5 0x285d18:$sqlite3text: 68 38 2A 90 C5 0x285e3d:$sqlite3text: 68 38 2A 90 C5 0x25eb0b:$sqlite3blob: 68 53 D8 7F 8C 0x25ec33:$sqlite3blob: 68 53 D8 7F 8C 0x285d2b:$sqlite3blob: 68 53 D8 7F 8C 0x285e53:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: transferir copia_98087.exe PID: 3096	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.transferir copia_98087.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.transferir copia_98087.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.transferir copia_98087.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
0.2.transferir copia_98087.exe.317996c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
1.2.transferir copia_98087.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.transferir copia_98087.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.transferir copia_98087.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0.2.transferir copia_98087.exe.4299960.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.transferir copia_98087.exe.4299960.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xd0098:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd0432:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf72b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf7652:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xdc145:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x103365:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xdbc31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x102e51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xdc247:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x103467:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xdc3bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1035df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xd0e4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf806a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xdaeac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1020cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xd1bc2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf8de2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xe1237:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x108457:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xe22da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.transferir copia_98087.exe.4299960.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xde169:$sqlite3step: 68 34 1C 7B E1 0xde27c:$sqlite3step: 68 34 1C 7B E1 0x105389:$sqlite3step: 68 34 1C 7B E1 0x10549c:$sqlite3step: 68 34 1C 7B E1 0xde198:$sqlite3text: 68 38 2A 90 C5 0xde2bd:$sqlite3text: 68 38 2A 90 C5 0x1053b8:$sqlite3text: 68 38 2A 90 C5 0x1054dd:$sqlite3text: 68 38 2A 90 C5 0xde1ab:$sqlite3blob: 68 53 D8 7F 8C 0xde2d3:$sqlite3blob: 68 53 D8 7F 8C 0x1053cb:$sqlite3blob: 68 53 D8 7F 8C 0x1054f3:$sqlite3blob: 68 53 D8 7F 8C
0.2.transferir copia_98087.exe.424a540.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.transferir copia_98087.exe.424a540.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x11f4b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11f852:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1466d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12b565:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152785:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12b051:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x152271:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12b667:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x152887:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12b7df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1529ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x12026a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14748a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12a2cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1514ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x120fe2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x148202:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x130657:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x157877:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1316fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.transferir copia_98087.exe.424a540.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x12d589:$sqlite3step: 68 34 1C 7B E1 0x12d69c:$sqlite3step: 68 34 1C 7B E1 0x1547a9:$sqlite3step: 68 34 1C 7B E1 0x1548bc:$sqlite3step: 68 34 1C 7B E1 0x12d5b8:$sqlite3text: 68 38 2A 90 C5 0x12d6dd:$sqlite3text: 68 38 2A 90 C5 0x1547d8:$sqlite3text: 68 38 2A 90 C5 0x1548fd:$sqlite3text: 68 38 2A 90 C5 0x12d5cb:$sqlite3blob: 68 53 D8 7F 8C 0x12d6f3:$sqlite3blob: 68 53 D8 7F 8C 0x1547eb:$sqlite3blob: 68 53 D8 7F 8C 0x154913:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 8 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.transferir copia_98087.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.basiclablife.com/8zdn/"], "decoy": ["yourherogarden.net", "onlineharambee.net", "cerrajeriaurgencias24horas.com", "distritoforex.com", "verifyclientserverssr.com", "dandwg.com", "co2-zero.global", "joshssl.com", "meckwt.com", "theammf.com", "rawclectic.com", "gzgnetwork.com", "richmondavenuecoc.com", "nicolelyte.com", "thetinyclosetboutique.com", "llt-group.net", "seven-sky-design.com", "joganifinancialgrp.com", "elementsvapes.com", "bingent.info", "quaichshop.net", "unethicalsgsblaw.com", "matts.digital", "lexafit.com", "covidwanderings.com", "pk972.com", "fanashaadivine.com", "winharadesigns.com", "adosignite.com", "goldengatesimmigration.com", "unazampanelcuore.com", "gasexecutive.com", "sdps365.net", "worthingtonminnesota.com", "ducatsupply.com", "beijinghui1.icu", "hn-bet.com", "homeforsalesteamboat.com", "tiaozaoxinlingshou.net", "mrbils.net", "depuitycollector.com", "winningovereating.com", "usedonlyrvs.com", "verbinoz.com", "threepocketmedia.com", "lizbing.com", "fivestardogfoods.com", "edevercal.net", "irisettelment.com", "beautyphernalia.com", "terrawindglobalprotection.net", "floridaindian.com", "kidzistore.com", "kulisbet117.com", "logingatech.info", "ftdk.net", "lawwise.legal", "bruthawar.com", "lemonpublishing.com", "6781529.com", "zfxsotc.com", "shroomsdrop.com", "ahm-app.com", "finesilversmith.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: transferir copia_98087.exe	Virustotal: Detection: 22%			Perma Link
Source: transferir copia_98087.exe	ReversingLabs: Detection: 12%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE

Source: 1.2.transferir copia_98087.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: transferir copia_98087.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: transferir copia_98087.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: msdt.pdbGCTL source: transferir copia_98087.exe, 00000001.00000002.272134673.0000000003720000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: transferir copia_98087.exe, 00000001.00000002.271679191.00000000019E0000.00000040.00000001.sdmp, msdt.exe, 00000005.00000002.483918470.0000000004950000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: transferir copia_98087.exe, msdt.exe
Source:	Binary string: msdt.pdb source: transferir copia_98087.exe, 00000001.00000002.272134673.0000000003720000.00000040.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 4x nop then pop edi		1_2_004162C2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop edi		5_2_025262C2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 108.62.73.206:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 108.62.73.206:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 108.62.73.206:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49709 -> 18.189.205.91:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49709 -> 18.189.205.91:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49709 -> 18.189.205.91:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.basiclablife.com/8zdn/

Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=SUc3155gDWt5wcoflZcZzViJ8x0waKhO+xEIOi+15/K5BoZoLZ14fR9wugBfYGntPchb&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.unazampanelcuore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=/2j9R2c14anpqf93w73dauHGA2TQKIR5Q7oZ32qrr3zEGdcNMDJzBydR7UkO3mu0OgLM&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.floridaindian.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=tcuwTISCal6Za70kmDoHryScybsdFOei7/WOW4uZGfRR2kwAWg6MdyjVPec/+BbHDhr0&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.quaichshop.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=VcGUHpmld1zswDwg40mcNwm1CX0p/o+pgHyf/FjbYLUTXfqCXvPFwiBdk0mlGpZRYzTf&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.basiclablife.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=XOXl3Nuj7M9zcIBR6B45qltQ4dmo97Szsxf/DI8gOGgyBhu8HbEkl8wbqGipvTOnLwwM&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.elementsvapes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=hIXmrhUyU1aP5+vldRGL92fa8Yv5W8V1zdDiddkx2jBPb190TW7wCmtqgCRS1U4M3bOQ&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.hn-bet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=hAX0XCk4QOcgLnZ0keH4mYw4W1HPTbDogNdlOttC2YdmEpNB6eRk1m0w/4WJXRKcYwe6&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.gasexecutive.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=eGnYEUgg+wSQcZ375yCgdfFf6E1Kt+cpyPOB6e9JmwPPtBsaC8CQtumAL6bFnIfy9ObU&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.shroomsdrop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 46.23.69.44 46.23.69.44
Source: Joe Sandbox View	IP Address: 34.102.136.180 34.102.136.180

Source: Joe Sandbox View

ASN Name: UK2NET-ASGB UK2NET-ASGB

Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=SUc3155gDWt5wcoflZcZzViJ8x0waKhO+xEIOi+15/K5BoZoLZ14fR9wugBfYGntPchb&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.unazampanelcuore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=/2j9R2c14anpqf93w73dauHGA2TQKIR5Q7oZ32qrr3zEGdcNMDJzBydR7UkO3mu0OgLM&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.floridaindian.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=tcuwTISCal6Za70kmDoHryScybsdFOei7/WOW4uZGfRR2kwAWg6MdyjVPec/+BbHDhr0&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.quaichshop.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=VcGUHpmld1zswDwg40mcNwm1CX0p/o+pgHyf/FjbYLUTXfqCXvPFwiBdk0mlGpZRYzTf&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.basiclablife.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=XOXl3Nuj7M9zcIBR6B45qltQ4dmo97Szsxf/DI8gOGgyBhu8HbEkl8wbqGipvTOnLwwM&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.elementsvapes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=hIXmrhUyU1aP5+vldRGL92fa8Yv5W8V1zdDiddkx2jBPb190TW7wCmtqgCRS1U4M3bOQ&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.hn-bet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=hAX0XCk4QOcgLnZ0keH4mYw4W1HPTbDogNdlOttC2YdmEpNB6eRk1m0w/4WJXRKcYwe6&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.gasexecutive.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=eGnYEUgg+wSQcZ375yCgdfFf6E1Kt+cpyPOB6e9JmwPPtBsaC8CQtumAL6bFnIfy9ObU&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.shroomsdrop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.unazampanelcuore.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Feb 2021 16:22:34 GMTContent-Type: text/htmlContent-Length: 498Connection: closeLast-Modified: Mon, 01 Dec 2014 15:09:45 GMTChimera-API-Server: api1.uk.chimera.uk2group.comX-Powered-By: Perl Dancer 1.3512Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 65 72 72 6f 72 2e 63 73 73 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 3c 2f 68 31 3e 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 3c 70 3e 53 6f 72 72 79 2c 20 74 68 69 73 20 69 73 20 74 68 65 20 76 6f 69 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 22 3e 0a 50 6f 77 65 72 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 65 72 6c 64 61 6e 63 65 72 2e 6f 72 67 2f 22 3e 44 61 6e 63 65 72 3c 2f 61 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Error 404</title><link rel="stylesheet" href="/css/error.css" /><meta http-equiv="Content-type" content="text/html; charset=UTF-8" /></head><body><h1>Error 404</h1><div id="content"><h2>Page Not Found</h2><p>Sorry, this is the void.</p></div><div id="footer">Powered by <a href="http://perldancer.org/">Dancer</a></div></body></html>

Source: explorer.exe, 00000002.00000000.257307365.000000000F6E0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: transferir copia_98087.exe	String found in binary or memory: http://qunect.com/download/QuNect.exe
Source: transferir copia_98087.exe	String found in binary or memory: http://qunect.com/download/QuNect.exeMOperation
Source: transferir copia_98087.exe	String found in binary or memory: http://validator.w3.org/check?uri=referer
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: transferir copia_98087.exe, 00000000.00000002.226153911.0000000001707000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comoj
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: transferir copia_98087.exe, 00000000.00000003.213165665.0000000005F7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comaN
Source: transferir copia_98087.exe, 00000000.00000003.213165665.0000000005F7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn6
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, transferir copia_98087.exe, 00000000.00000003.214660820.0000000005F6E000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: transferir copia_98087.exe, 00000000.00000003.214660820.0000000005F6E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn?
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: msdt.exe, 00000005.00000002.482494718.0000000002B17000.00000004.00000020.sdmp	String found in binary or memory: http://www.tiaozaoxinlingshou.net/8zdn/?kH=/eNJxuqSWy6YBrvXrJK0
Source: explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: transferir copia_98087.exe, 00000000.00000003.213582395.0000000005F7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comFa
Source: transferir copia_98087.exe, 00000000.00000003.213440315.0000000005F7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comj
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: transferir copia_98087.exe, 00000000.00000002.225323893.0000000001438000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_004181C0 NtCreateFile,	1_2_004181C0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00418270 NtReadFile,	1_2_00418270
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_004182F0 NtClose,	1_2_004182F0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_004183A0 NtAllocateVirtualMemory,	1_2_004183A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00418212 NtReadFile,	1_2_00418212
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_004182EF NtClose,	1_2_004182EF
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041839B NtAllocateVirtualMemory,	1_2_0041839B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A499A0 NtCreateSection,LdrInitializeThunk,	1_2_01A499A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A495D0 NtClose,LdrInitializeThunk,	1_2_01A495D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01A49910
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49540 NtReadFile,LdrInitializeThunk,	1_2_01A49540
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A498F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_01A498F0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01A49860
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49840 NtDelayExecution,LdrInitializeThunk,	1_2_01A49840
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A497A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_01A497A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01A49780
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49FE0 NtCreateMutant,LdrInitializeThunk,	1_2_01A49FE0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01A49710
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A496E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_01A496E0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49A20 NtResumeThread,LdrInitializeThunk,	1_2_01A49A20
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01A49A00
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01A49660
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49A50 NtCreateFile,LdrInitializeThunk,	1_2_01A49A50
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A495F0 NtQueryInformationFile,	1_2_01A495F0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A499D0 NtCreateProcessEx,	1_2_01A499D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49520 NtWaitForSingleObject,	1_2_01A49520
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A4AD30 NtSetContextThread,	1_2_01A4AD30
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49560 NtWriteFile,	1_2_01A49560
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49950 NtQueueApcThread,	1_2_01A49950
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A498A0 NtWriteVirtualMemory,	1_2_01A498A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49820 NtEnumerateKey,	1_2_01A49820
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A4B040 NtSuspendThread,	1_2_01A4B040
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A4A3B0 NtGetContextThread,	1_2_01A4A3B0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49730 NtQueryVirtualMemory,	1_2_01A49730
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49B00 NtSetValueKey,	1_2_01A49B00
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A4A710 NtOpenProcessToken,	1_2_01A4A710
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49760 NtOpenProcess,	1_2_01A49760
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49770 NtSetInformationFile,	1_2_01A49770
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A4A770 NtOpenThread,	1_2_01A4A770
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49A80 NtOpenDirectoryObject,	1_2_01A49A80
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A496D0 NtCreateKey,	1_2_01A496D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49610 NtEnumerateValueKey,	1_2_01A49610
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49A10 NtQuerySection,	1_2_01A49A10
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49670 NtQueryInformationProcess,	1_2_01A49670
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49650 NtQueryValueKey,	1_2_01A49650
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B95D0 NtClose,LdrInitializeThunk,	5_2_049B95D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9540 NtReadFile,LdrInitializeThunk,	5_2_049B9540
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B96D0 NtCreateKey,LdrInitializeThunk,	5_2_049B96D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B96E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_049B96E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9650 NtQueryValueKey,LdrInitializeThunk,	5_2_049B9650
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_049B9660
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9780 NtMapViewOfSection,LdrInitializeThunk,	5_2_049B9780
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9FE0 NtCreateMutant,LdrInitializeThunk,	5_2_049B9FE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9710 NtQueryInformationToken,LdrInitializeThunk,	5_2_049B9710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9840 NtDelayExecution,LdrInitializeThunk,	5_2_049B9840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_049B9860
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B99A0 NtCreateSection,LdrInitializeThunk,	5_2_049B99A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_049B9910
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9A50 NtCreateFile,LdrInitializeThunk,	5_2_049B9A50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B95F0 NtQueryInformationFile,	5_2_049B95F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049BAD30 NtSetContextThread,	5_2_049BAD30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9520 NtWaitForSingleObject,	5_2_049B9520
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9560 NtWriteFile,	5_2_049B9560
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9610 NtEnumerateValueKey,	5_2_049B9610
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9670 NtQueryInformationProcess,	5_2_049B9670
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B97A0 NtUnmapViewOfSection,	5_2_049B97A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049BA710 NtOpenProcessToken,	5_2_049BA710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9730 NtQueryVirtualMemory,	5_2_049B9730
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049BA770 NtOpenThread,	5_2_049BA770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9770 NtSetInformationFile,	5_2_049B9770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9760 NtOpenProcess,	5_2_049B9760
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B98A0 NtWriteVirtualMemory,	5_2_049B98A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B98F0 NtReadVirtualMemory,	5_2_049B98F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9820 NtEnumerateKey,	5_2_049B9820
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049BB040 NtSuspendThread,	5_2_049BB040
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B99D0 NtCreateProcessEx,	5_2_049B99D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9950 NtQueueApcThread,	5_2_049B9950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9A80 NtOpenDirectoryObject,	5_2_049B9A80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9A10 NtQuerySection,	5_2_049B9A10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9A00 NtProtectVirtualMemory,	5_2_049B9A00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9A20 NtResumeThread,	5_2_049B9A20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049BA3B0 NtGetContextThread,	5_2_049BA3B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9B00 NtSetValueKey,	5_2_049B9B00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02528270 NtReadFile,	5_2_02528270
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_025282F0 NtClose,	5_2_025282F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_025283A0 NtAllocateVirtualMemory,	5_2_025283A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_025281C0 NtCreateFile,	5_2_025281C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02528212 NtReadFile,	5_2_02528212
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_025282EF NtClose,	5_2_025282EF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252839B NtAllocateVirtualMemory,	5_2_0252839B

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_0308F371	0_2_0308F371
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_0308F380	0_2_0308F380
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_0308D0F4	0_2_0308D0F4
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_05A4F4F8	0_2_05A4F4F8
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_05A4B6A0	0_2_05A4B6A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_05A4C180	0_2_05A4C180
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041B984	1_2_0041B984
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041C220	1_2_0041C220
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041BC52	1_2_0041BC52
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00408C5B	1_2_00408C5B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00408C60	1_2_00408C60
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041CC9E	1_2_0041CC9E
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041C537	1_2_0041C537
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041BE70	1_2_0041BE70
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041CF66	1_2_0041CF66
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041BF90	1_2_0041BF90
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A32581	1_2_01A32581
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1D5E0	1_2_01A1D5E0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD25DD	1_2_01AD25DD
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A00D20	1_2_01A00D20
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A24120	1_2_01A24120
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0F900	1_2_01A0F900
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD2D07	1_2_01AD2D07
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD1D55	1_2_01AD1D55
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A320A0	1_2_01A320A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD20A8	1_2_01AD20A8
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1B090	1_2_01A1B090
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD28EC	1_2_01AD28EC
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1002	1_2_01AC1002
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1841F	1_2_01A1841F
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3EBB0	1_2_01A3EBB0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD1FF1	1_2_01AD1FF1
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ACDBD2	1_2_01ACDBD2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD2B28	1_2_01AD2B28
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD22AE	1_2_01AD22AE
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD2EF7	1_2_01AD2EF7
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A26E30	1_2_01A26E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496	5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498841F	5_2_0498841F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3D466	5_2_04A3D466
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A2581	5_2_049A2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498D5E0	5_2_0498D5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A425DD	5_2_04A425DD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A42D07	5_2_04A42D07
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04970D20	5_2_04970D20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A41D55	5_2_04A41D55
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A42EF7	5_2_04A42EF7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04996E30	5_2_04996E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3D616	5_2_04A3D616
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A41FF1	5_2_04A41FF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A4DFCE	5_2_04A4DFCE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498B090	5_2_0498B090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A420A8	5_2_04A420A8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A20A0	5_2_049A20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A428EC	5_2_04A428EC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A4E824	5_2_04A4E824
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31002	5_2_04A31002
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499A830	5_2_0499A830
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF	5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0497F900	5_2_0497F900
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04994120	5_2_04994120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A422AE	5_2_04A422AE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34AEF	5_2_04A34AEF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A2FA2B	5_2_04A2FA2B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AEBB0	5_2_049AEBB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A223E3	5_2_04A223E3
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AABD8	5_2_049AABD8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3DBD2	5_2_04A3DBD2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A303DA	5_2_04A303DA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A42B28	5_2_04A42B28
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499A309	5_2_0499A309
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499AB40	5_2_0499AB40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252B984	5_2_0252B984
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252CF66	5_2_0252CF66
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252BF90	5_2_0252BF90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02512FB0	5_2_02512FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02518C5B	5_2_02518C5B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02518C60	5_2_02518C60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252CC9E	5_2_0252CC9E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252C537	5_2_0252C537
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02512D90	5_2_02512D90

Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 0497B150 appears 124 times
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: String function: 01A0B150 appears 35 times

Source: transferir copia_98087.exe, 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000000.00000002.225323893.0000000001438000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000000.00000002.233022672.0000000008EC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000000.00000002.232951484.0000000008E90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000000.00000002.223882180.0000000000D24000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBuiltInPermissionSets.exe< vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000001.00000000.223139596.0000000000FA4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBuiltInPermissionSets.exe< vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000001.00000002.271869350.0000000001AFF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000001.00000002.272134673.0000000003720000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsdt.exej% vs transferir copia_98087.exe
Source: transferir copia_98087.exe	Binary or memory string: OriginalFilenameBuiltInPermissionSets.exe< vs transferir copia_98087.exe

Source: transferir copia_98087.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: transferir copia_98087.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@12/9

Source: C:\Users\user\Desktop\transferir copia_98087.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\transferir copia_98087.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_01

Source: transferir copia_98087.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: transferir copia_98087.exe	Virustotal: Detection: 22%
Source: transferir copia_98087.exe	ReversingLabs: Detection: 12%

Source: unknown	Process created: C:\Users\user\Desktop\transferir copia_98087.exe 'C:\Users\user\Desktop\transferir copia_98087.exe'
Source: unknown	Process created: C:\Users\user\Desktop\transferir copia_98087.exe C:\Users\user\Desktop\transferir copia_98087.exe
Source: unknown	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\transferir copia_98087.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process created: C:\Users\user\Desktop\transferir copia_98087.exe C:\Users\user\Desktop\transferir copia_98087.exe	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\transferir copia_98087.exe'	Jump to behavior

Source: C:\Users\user\Desktop\transferir copia_98087.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: transferir copia_98087.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report transferir copia_98087.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary: