Play interactive tour

Edit tour

Analysis Report eQLPRPErea.exe

Overview

General Information

Sample Name:	eQLPRPErea.exe
Analysis ID:	383832
MD5:	2c64897aa30694cc768f5ea375157932
SHA1:	c897f37780a5237d5c330bcf2668745201b38ff5
SHA256:	18d465a5867ee069480bb9be8eb259be41cc008e487b7b6a3cad14e3559963a9
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Contains functionality to prevent local Windows debugging

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

eQLPRPErea.exe (PID: 6876 cmdline: 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: 2C64897AA30694CC768F5EA375157932)

eQLPRPErea.exe (PID: 6956 cmdline: 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: 2C64897AA30694CC768F5EA375157932)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wlanext.exe (PID: 4832 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)

cmd.exe (PID: 6616 cmdline: /c del 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.stone-master.info/aqu2/"], "decoy": ["thesixteenthround.net", "nagoyadoori.xyz", "bipv.company", "imaginus-posters.com", "heliumhubs.com", "baohood.com", "thesahwfam.com", "susanlevinedesign.com", "pdxcontracttracer.com", "shopathamiltons.com", "qcmax.com", "didongthongminh.store", "igotbacon.com", "5915599.com", "seacrestonsietakey.com", "bumiflowers.com", "arcax.info", "lfhis.com", "mlqconsultores.com", "duilian2013.com", "pmrack.com", "zayo.today", "latiina.space", "fitandfierceathletics.com", "printerpartsuk.com", "xn--2021-kmd.com", "shujahumayun.com", "younitygroup.com", "serinelab.com", "infinapisoft.com", "administrativoinform.photos", "all4mortuary.com", "annaschenck.xyz", "christlicheliebe.net", "starr2021.com", "familierafting-aktiviteter.com", "thunderoffroadresort.com", "mex33.info", "serversexposed.com", "chronicbodypaintherapy.com", "billionaireblinggg.com", "permanentmarkertattoo.com", "albestfab.com", "biehnrecords.com", "yesonmeasurec.vote", "bootstrapexpress.com", "howtopreventwaterpollution.com", "fatlosszone4u.com", "hostvngiare.com", "dottproject.com", "appgusher.com", "playfulpainters.com", "gab.expert", "18598853855.com", "bizcebozca.com", "bedpee.com", "militaryhistorytv.com", "teluguc.net", "420vaca.com", "ritarkomondal.com", "autobrehna.com", "happlyending.com", "arcticblastairheat.com", "urbanladder.info"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.eQLPRPErea.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.eQLPRPErea.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.eQLPRPErea.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
1.2.eQLPRPErea.exe.1eb20000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.eQLPRPErea.exe.1eb20000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.eQLPRPErea.exe.1eb20000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
3.1.eQLPRPErea.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.eQLPRPErea.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.eQLPRPErea.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
3.1.eQLPRPErea.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.eQLPRPErea.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.eQLPRPErea.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
3.2.eQLPRPErea.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.eQLPRPErea.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.eQLPRPErea.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.autobrehna.com/aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p	Avira URL Cloud: Label: malware
Source: http://www.420vaca.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4	Avira URL Cloud: Label: malware
Source: http://www.playfulpainters.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH	Avira URL Cloud: Label: malware
Source: http://www.pmrack.com/aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p	Avira URL Cloud: Label: malware
Source: http://www.appgusher.com/aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p	Avira URL Cloud: Label: malware
Source: http://www.bedpee.com/aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p	Avira URL Cloud: Label: malware
Source: http://www.thesixteenthround.net/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.stone-master.info/aqu2/"], "decoy": ["thesixteenthround.net", "nagoyadoori.xyz", "bipv.company", "imaginus-posters.com", "heliumhubs.com", "baohood.com", "thesahwfam.com", "susanlevinedesign.com", "pdxcontracttracer.com", "shopathamiltons.com", "qcmax.com", "didongthongminh.store", "igotbacon.com", "5915599.com", "seacrestonsietakey.com", "bumiflowers.com", "arcax.info", "lfhis.com", "mlqconsultores.com", "duilian2013.com", "pmrack.com", "zayo.today", "latiina.space", "fitandfierceathletics.com", "printerpartsuk.com", "xn--2021-kmd.com", "shujahumayun.com", "younitygroup.com", "serinelab.com", "infinapisoft.com", "administrativoinform.photos", "all4mortuary.com", "annaschenck.xyz", "christlicheliebe.net", "starr2021.com", "familierafting-aktiviteter.com", "thunderoffroadresort.com", "mex33.info", "serversexposed.com", "chronicbodypaintherapy.com", "billionaireblinggg.com", "permanentmarkertattoo.com", "albestfab.com", "biehnrecords.com", "yesonmeasurec.vote", "bootstrapexpress.com", "howtopreventwaterpollution.com", "fatlosszone4u.com", "hostvngiare.com", "dottproject.com", "appgusher.com", "playfulpainters.com", "gab.expert", "18598853855.com", "bizcebozca.com", "bedpee.com", "militaryhistorytv.com", "teluguc.net", "420vaca.com", "ritarkomondal.com", "autobrehna.com", "happlyending.com", "arcticblastairheat.com", "urbanladder.info"]}

Multi AV Scanner detection for submitted file

Show sources

Source: eQLPRPErea.exe	Virustotal: Detection: 28%			Perma Link
Source: eQLPRPErea.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE

Source: 3.2.eQLPRPErea.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.wlanext.exe.8bf110.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.eQLPRPErea.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.wlanext.exe.3597960.5.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: eQLPRPErea.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: eQLPRPErea.exe, 00000001.00000003.692305861.000000001ECE0000.00000004.00000001.sdmp, eQLPRPErea.exe, 00000003.00000002.736314312.0000000000B5F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: eQLPRPErea.exe, wlanext.exe
Source:	Binary string: wlanext.pdb source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	1_2_0040531D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	1_2_00405CB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_004026BC FindFirstFileA,	1_2_004026BC

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 4x nop then pop edi	3_2_004162B0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 4x nop then pop edi	3_2_00415644
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 4x nop then pop edi	3_1_004162B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi	9_2_008662B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi	9_2_00865644

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.stone-master.info/aqu2/

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.nagoyadoori.xyz

Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=Nog7saUMDwoWD2E1asrlCYsF2JarF3pmjxpXcoGpoLe9R6S6cRBIZYNmkdpvudxvP9hF HTTP/1.1Host: www.biehnrecords.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.bedpee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.pmrack.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=BTUR3n/6oIRf9T7Z05GVe/Yy9bfPjZd+/OGeJHu++OIAwxof8xfoUtHRcnIR2ViXQlpe HTTP/1.1Host: www.serversexposed.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=I0+E1VrnC0QGGj/3MDw3ZvYPYqqz6w+SLlQhXTSeWc0xAJh7y/Tkq/xacGspuDOT4pat&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.heliumhubs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4 HTTP/1.1Host: www.420vaca.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=KqXpoBRkSkhIKFWf0/hcWEBIf2LJNQsM+D3z3wmjuC1NFHENbZKDXJc64HLZauRofodl&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.shujahumayun.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4 HTTP/1.1Host: www.dottproject.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.qcmax.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.qcmax.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH HTTP/1.1Host: www.playfulpainters.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.autobrehna.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.appgusher.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7 HTTP/1.1Host: www.thesixteenthround.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 91.195.240.94 91.195.240.94

Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=Nog7saUMDwoWD2E1asrlCYsF2JarF3pmjxpXcoGpoLe9R6S6cRBIZYNmkdpvudxvP9hF HTTP/1.1Host: www.biehnrecords.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.bedpee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.pmrack.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=BTUR3n/6oIRf9T7Z05GVe/Yy9bfPjZd+/OGeJHu++OIAwxof8xfoUtHRcnIR2ViXQlpe HTTP/1.1Host: www.serversexposed.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=I0+E1VrnC0QGGj/3MDw3ZvYPYqqz6w+SLlQhXTSeWc0xAJh7y/Tkq/xacGspuDOT4pat&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.heliumhubs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4 HTTP/1.1Host: www.420vaca.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=KqXpoBRkSkhIKFWf0/hcWEBIf2LJNQsM+D3z3wmjuC1NFHENbZKDXJc64HLZauRofodl&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.shujahumayun.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4 HTTP/1.1Host: www.dottproject.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.qcmax.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.qcmax.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH HTTP/1.1Host: www.playfulpainters.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.autobrehna.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.appgusher.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7 HTTP/1.1Host: www.thesixteenthround.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.biehnrecords.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Apr 2021 08:49:05 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 276Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 70 6d 72 61 63 6b 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.pmrack.com Port 80</address></body></html>

Source: wlanext.exe, 00000009.00000002.955588839.0000000003712000.00000004.00000001.sdmp	String found in binary or memory: http://browsehappy.com/
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: wlanext.exe, 00000009.00000002.955588839.0000000003712000.00000004.00000001.sdmp	String found in binary or memory: http://produkte.web.de/homepage-und-mail/homepage-parken/
Source: explorer.exe, 00000005.00000002.955671038.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 1_2_00404EBC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00404EBC

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_004181D0 NtCreateFile,	3_2_004181D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00418280 NtReadFile,	3_2_00418280
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00418300 NtClose,	3_2_00418300
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_004183B0 NtAllocateVirtualMemory,	3_2_004183B0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_004181CA NtCreateFile,	3_2_004181CA
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041827A NtReadFile,	3_2_0041827A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_004182FA NtClose,	3_2_004182FA
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA98F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_00AA98F0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_00AA9860
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9840 NtDelayExecution,LdrInitializeThunk,	3_2_00AA9840
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA99A0 NtCreateSection,LdrInitializeThunk,	3_2_00AA99A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_00AA9910
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9A20 NtResumeThread,LdrInitializeThunk,	3_2_00AA9A20
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_00AA9A00
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9A50 NtCreateFile,LdrInitializeThunk,	3_2_00AA9A50
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA95D0 NtClose,LdrInitializeThunk,	3_2_00AA95D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9540 NtReadFile,LdrInitializeThunk,	3_2_00AA9540
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA96E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_00AA96E0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_00AA9660
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA97A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_00AA97A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk,	3_2_00AA9780
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9FE0 NtCreateMutant,LdrInitializeThunk,	3_2_00AA9FE0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9710 NtQueryInformationToken,LdrInitializeThunk,	3_2_00AA9710
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA98A0 NtWriteVirtualMemory,	3_2_00AA98A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9820 NtEnumerateKey,	3_2_00AA9820
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AAB040 NtSuspendThread,	3_2_00AAB040
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA99D0 NtCreateProcessEx,	3_2_00AA99D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9950 NtQueueApcThread,	3_2_00AA9950
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9A80 NtOpenDirectoryObject,	3_2_00AA9A80
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9A10 NtQuerySection,	3_2_00AA9A10
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AAA3B0 NtGetContextThread,	3_2_00AAA3B0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9B00 NtSetValueKey,	3_2_00AA9B00
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA95F0 NtQueryInformationFile,	3_2_00AA95F0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9520 NtWaitForSingleObject,	3_2_00AA9520
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AAAD30 NtSetContextThread,	3_2_00AAAD30
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9560 NtWriteFile,	3_2_00AA9560
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA96D0 NtCreateKey,	3_2_00AA96D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9610 NtEnumerateValueKey,	3_2_00AA9610
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9670 NtQueryInformationProcess,	3_2_00AA9670
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9650 NtQueryValueKey,	3_2_00AA9650
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9730 NtQueryVirtualMemory,	3_2_00AA9730
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AAA710 NtOpenProcessToken,	3_2_00AAA710
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9760 NtOpenProcess,	3_2_00AA9760
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9770 NtSetInformationFile,	3_2_00AA9770
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AAA770 NtOpenThread,	3_2_00AAA770
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_004181D0 NtCreateFile,	3_1_004181D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_00418280 NtReadFile,	3_1_00418280
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_00418300 NtClose,	3_1_00418300
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_004183B0 NtAllocateVirtualMemory,	3_1_004183B0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_004181CA NtCreateFile,	3_1_004181CA
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041827A NtReadFile,	3_1_0041827A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_004182FA NtClose,	3_1_004182FA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9A50 NtCreateFile,LdrInitializeThunk,	9_2_030C9A50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_030C9910
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C99A0 NtCreateSection,LdrInitializeThunk,	9_2_030C99A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9840 NtDelayExecution,LdrInitializeThunk,	9_2_030C9840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_030C9860
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9710 NtQueryInformationToken,LdrInitializeThunk,	9_2_030C9710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9780 NtMapViewOfSection,LdrInitializeThunk,	9_2_030C9780
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9FE0 NtCreateMutant,LdrInitializeThunk,	9_2_030C9FE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9650 NtQueryValueKey,LdrInitializeThunk,	9_2_030C9650
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_030C9660
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C96D0 NtCreateKey,LdrInitializeThunk,	9_2_030C96D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C96E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_030C96E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9540 NtReadFile,LdrInitializeThunk,	9_2_030C9540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C95D0 NtClose,LdrInitializeThunk,	9_2_030C95D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9B00 NtSetValueKey,	9_2_030C9B00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030CA3B0 NtGetContextThread,	9_2_030CA3B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9A00 NtProtectVirtualMemory,	9_2_030C9A00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9A10 NtQuerySection,	9_2_030C9A10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9A20 NtResumeThread,	9_2_030C9A20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9A80 NtOpenDirectoryObject,	9_2_030C9A80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9950 NtQueueApcThread,	9_2_030C9950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C99D0 NtCreateProcessEx,	9_2_030C99D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9820 NtEnumerateKey,	9_2_030C9820
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030CB040 NtSuspendThread,	9_2_030CB040
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C98A0 NtWriteVirtualMemory,	9_2_030C98A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C98F0 NtReadVirtualMemory,	9_2_030C98F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030CA710 NtOpenProcessToken,	9_2_030CA710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9730 NtQueryVirtualMemory,	9_2_030C9730
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9760 NtOpenProcess,	9_2_030C9760
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030CA770 NtOpenThread,	9_2_030CA770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9770 NtSetInformationFile,	9_2_030C9770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C97A0 NtUnmapViewOfSection,	9_2_030C97A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9610 NtEnumerateValueKey,	9_2_030C9610
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9670 NtQueryInformationProcess,	9_2_030C9670
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9520 NtWaitForSingleObject,	9_2_030C9520
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030CAD30 NtSetContextThread,	9_2_030CAD30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9560 NtWriteFile,	9_2_030C9560
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C95F0 NtQueryInformationFile,	9_2_030C95F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_008681D0 NtCreateFile,	9_2_008681D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00868280 NtReadFile,	9_2_00868280
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_008683B0 NtAllocateVirtualMemory,	9_2_008683B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00868300 NtClose,	9_2_00868300
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_008681CA NtCreateFile,	9_2_008681CA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_008682FA NtClose,	9_2_008682FA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086827A NtReadFile,	9_2_0086827A

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 1_2_00403166 EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

1_2_00403166

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_004046C3	1_2_004046C3
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_004060D9	1_2_004060D9
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_004068B0	1_2_004068B0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041B869	3_2_0041B869
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041C07B	3_2_0041C07B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041C804	3_2_0041C804
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00401174	3_2_00401174
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041B985	3_2_0041B985
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041CB98	3_2_0041CB98
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00408C6B	3_2_00408C6B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00408C70	3_2_00408C70
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00408C2B	3_2_00408C2B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041B4B3	3_2_0041B4B3
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041C58E	3_2_0041C58E
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041BE99	3_2_0041BE99
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041CF43	3_2_0041CF43
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041CF0C	3_2_0041CF0C
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041BFD4	3_2_0041BFD4
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041CFA2	3_2_0041CFA2
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A920A0	3_2_00A920A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B320A8	3_2_00B320A8
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7B090	3_2_00A7B090
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21002	3_2_00B21002
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A84120	3_2_00A84120
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6F900	3_2_00A6F900
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9EBB0	3_2_00A9EBB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7841F	3_2_00A7841F
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A92581	3_2_00A92581
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7D5E0	3_2_00A7D5E0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A60D20	3_2_00A60D20
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B31D55	3_2_00B31D55
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A86E30	3_2_00A86E30
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041B869	3_1_0041B869
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041C07B	3_1_0041C07B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041C804	3_1_0041C804
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_00401030	3_1_00401030
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_00401174	3_1_00401174
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041B985	3_1_0041B985
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041CB98	3_1_0041CB98
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03152B28	9_2_03152B28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BEBB0	9_2_030BEBB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314DBD2	9_2_0314DBD2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031403DA	9_2_031403DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031522AE	9_2_031522AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308F900	9_2_0308F900
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A4120	9_2_030A4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03141002	9_2_03141002
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0315E824	9_2_0315E824
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309B090	9_2_0309B090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B20A0	9_2_030B20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031520A8	9_2_031520A8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031528EC	9_2_031528EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0315DFCE	9_2_0315DFCE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03151FF1	9_2_03151FF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314D616	9_2_0314D616
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A6E30	9_2_030A6E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03152EF7	9_2_03152EF7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03152D07	9_2_03152D07
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03080D20	9_2_03080D20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03151D55	9_2_03151D55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B2581	9_2_030B2581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031525DD	9_2_031525DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309D5E0	9_2_0309D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309841F	9_2_0309841F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314D466	9_2_0314D466
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086C804	9_2_0086C804
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086CB98	9_2_0086CB98
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00858C2B	9_2_00858C2B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00858C6B	9_2_00858C6B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00858C70	9_2_00858C70
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086C58E	9_2_0086C58E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00852D90	9_2_00852D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086CFA0	9_2_0086CFA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00852FB0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report eQLPRPErea.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary: