Play interactive tour

Edit tour

Analysis Report hvEop8Y70Y.exe

Overview

General Information

Sample Name:	hvEop8Y70Y.exe
Analysis ID:	383848
MD5:	bd7e988ed1d92f9faf32f6a817d89329
SHA1:	4ab28bec26ad120653ca060a4c735befded7551e
SHA256:	94b77677478f890b5f9e0561aebc0f66b1b2fc4494d016e9b5a70ed0ba20980b
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

hvEop8Y70Y.exe (PID: 6364 cmdline: 'C:\Users\user\Desktop\hvEop8Y70Y.exe' MD5: BD7E988ED1D92F9FAF32F6A817D89329)

hvEop8Y70Y.exe (PID: 6668 cmdline: C:\Users\user\Desktop\hvEop8Y70Y.exe MD5: BD7E988ED1D92F9FAF32F6A817D89329)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

raserver.exe (PID: 3536 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)

cmd.exe (PID: 6776 cmdline: /c del 'C:\Users\user\Desktop\hvEop8Y70Y.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.okitmall.com/iu4d/"], "decoy": ["abbottdigitalhealthpass.com", "peridot.website", "emmajanetracy.com", "arewedoingenough.com", "mvprunning.com", "xn--939au40bijas7ab2a93s.com", "thehouseofchiron.com", "sqzffn.com", "moretuantired.com", "rosewoodcibubur.com", "warungjitu.com", "armylord.net", "rideequihome.com", "girasol.zone", "getboostphlo.com", "bilradioplaza.com", "japannxt.com", "figulco.com", "insershop.com", "loktantratvnews.com", "healthdatamonitoring.com", "gmopanama.com", "miguelchulia.com", "appexivo.com", "weluvweb.com", "qqcaotv.com", "aleyalifestyle.com", "aratssycosmetics.com", "chestfreezersale.xyz", "gyanumbrella.com", "betbonusuk.com", "dostforimpact.net", "lestlondon.com", "theartsutra.com", "finegiant.com", "zacharypelletier.com", "ux300e.com", "wiglous.club", "adamspartnership.com", "contex33.xyz", "appearwood.club", "3m-mat.com", "runcouver.com", "cqsjny.com", "totubemp3.net", "imagecloudhost.com", "appleadayjuice.com", "energyoutline.com", "yashaerotech.com", "mcleancosmeticgynecology.com", "georgicarealty.com", "sellbulkweed.com", "kardosystems.com", "hubsnewz.com", "ekstrafordunyasi.com", "cymentor.com", "morrealeestates.com", "mumbaihotgirls.club", "beaulaser.com", "aa29996.com", "ankaramasozlerburada.xyz", "otmcleaningservice.com", "rosaandray.com", "omxpro.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x81c38:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x81fc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa8e58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa91e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8dcd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb4ef5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8d7c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb49e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8ddd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb4ff7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8df4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb516f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x829da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa9bfa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8ca3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3c5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x83752:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xaa972:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x92dc7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xb9fe7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x93e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8fcf9:$sqlite3step: 68 34 1C 7B E1 0x8fe0c:$sqlite3step: 68 34 1C 7B E1 0xb6f19:$sqlite3step: 68 34 1C 7B E1 0xb702c:$sqlite3step: 68 34 1C 7B E1 0x8fd28:$sqlite3text: 68 38 2A 90 C5 0x8fe4d:$sqlite3text: 68 38 2A 90 C5 0xb6f48:$sqlite3text: 68 38 2A 90 C5 0xb706d:$sqlite3text: 68 38 2A 90 C5 0x8fd3b:$sqlite3blob: 68 53 D8 7F 8C 0x8fe63:$sqlite3blob: 68 53 D8 7F 8C 0xb6f5b:$sqlite3blob: 68 53 D8 7F 8C 0xb7083:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: hvEop8Y70Y.exe PID: 6364	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.hvEop8Y70Y.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.hvEop8Y70Y.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.hvEop8Y70Y.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158a9:$sqlite3step: 68 34 1C 7B E1 0x159bc:$sqlite3step: 68 34 1C 7B E1 0x158d8:$sqlite3text: 68 38 2A 90 C5 0x159fd:$sqlite3text: 68 38 2A 90 C5 0x158eb:$sqlite3blob: 68 53 D8 7F 8C 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
0.2.hvEop8Y70Y.exe.2f43d44.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
4.2.hvEop8Y70Y.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.hvEop8Y70Y.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.hvEop8Y70Y.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 2 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: hvEop8Y70Y.exe

Avira: detected

Found malware configuration

Show sources

Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.okitmall.com/iu4d/"], "decoy": ["abbottdigitalhealthpass.com", "peridot.website", "emmajanetracy.com", "arewedoingenough.com", "mvprunning.com", "xn--939au40bijas7ab2a93s.com", "thehouseofchiron.com", "sqzffn.com", "moretuantired.com", "rosewoodcibubur.com", "warungjitu.com", "armylord.net", "rideequihome.com", "girasol.zone", "getboostphlo.com", "bilradioplaza.com", "japannxt.com", "figulco.com", "insershop.com", "loktantratvnews.com", "healthdatamonitoring.com", "gmopanama.com", "miguelchulia.com", "appexivo.com", "weluvweb.com", "qqcaotv.com", "aleyalifestyle.com", "aratssycosmetics.com", "chestfreezersale.xyz", "gyanumbrella.com", "betbonusuk.com", "dostforimpact.net", "lestlondon.com", "theartsutra.com", "finegiant.com", "zacharypelletier.com", "ux300e.com", "wiglous.club", "adamspartnership.com", "contex33.xyz", "appearwood.club", "3m-mat.com", "runcouver.com", "cqsjny.com", "totubemp3.net", "imagecloudhost.com", "appleadayjuice.com", "energyoutline.com", "yashaerotech.com", "mcleancosmeticgynecology.com", "georgicarealty.com", "sellbulkweed.com", "kardosystems.com", "hubsnewz.com", "ekstrafordunyasi.com", "cymentor.com", "morrealeestates.com", "mumbaihotgirls.club", "beaulaser.com", "aa29996.com", "ankaramasozlerburada.xyz", "otmcleaningservice.com", "rosaandray.com", "omxpro.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: hvEop8Y70Y.exe	Virustotal: Detection: 25%			Perma Link
Source: hvEop8Y70Y.exe	ReversingLabs: Detection: 29%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Show sources

Source: hvEop8Y70Y.exe

Joe Sandbox ML: detected

Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: hvEop8Y70Y.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: hvEop8Y70Y.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: hvEop8Y70Y.exe, 00000004.00000002.312279182.00000000014B0000.00000040.00000001.sdmp, raserver.exe, 0000000E.00000002.509423103.000000000459F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: hvEop8Y70Y.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp
Source:	Binary string: RAServer.pdbGCTL source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02D6158F
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02D615A0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_075DFA88
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4x nop then pop edi	4_2_00416277
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop edi	14_2_00396277

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 52.58.78.16:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 52.58.78.16:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 52.58.78.16:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 198.148.114.222:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 198.148.114.222:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 198.148.114.222:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 172.67.187.138:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 172.67.187.138:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 172.67.187.138:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.okitmall.com/iu4d/

Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=C3lw6nN8/wjOPd8oaAysox0kMoLppKhEiaq8wux9+N+u3aHHhZKc4gso1l+tbzGLEbBg&nflLiT=xPJxAxbPf HTTP/1.1Host: www.runcouver.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=uttTwOCOH1jEV+6/PDkH2rgXUcJbpZgk8NMf80qhjrLzhrhL9Yums4YmXY+CUKk4Lsjl&nflLiT=xPJxAxbPf HTTP/1.1Host: www.aa29996.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=JvjSk9WUlBdgONG69H9sib5J4SPt/vPlwOmf1A06UqzVvRJVghpTE97et7kDme6aF6nY&nflLiT=xPJxAxbPf HTTP/1.1Host: www.ux300e.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=7Tv9DsBa2x/9+7rHtb45a2p9TOUpHuLwXvGhoZyRj+FM5Jpy0KtmokI2zSCU3HKaraDa&nflLiT=xPJxAxbPf HTTP/1.1Host: www.mvprunning.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=dTiXV4CFE3yVJbJPtbi4kS8L9e4gDLsfvJEyPJQwpK+wIZV6SF5bJNAnffOAlybNEFfC&nflLiT=xPJxAxbPf HTTP/1.1Host: www.getboostphlo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrA3L99pwBOY&nflLiT=xPJxAxbPf HTTP/1.1Host: www.okitmall.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=y4JxQtggtXVUGlOHrdhsWpYE5Q5QdQRqM5s9avj6g1ZOxqioacxcZohZ3CHAJSRBFHfe&nflLiT=xPJxAxbPf HTTP/1.1Host: www.cqsjny.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT09VD1VuWTt&nflLiT=xPJxAxbPf HTTP/1.1Host: www.betbonusuk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=a4TwvNFJUHZfYjxmJDGfKucvC3Kvi9GvZt2BYG7bsK78eAq1dsPAQngdGmiuB14d735P&nflLiT=xPJxAxbPf HTTP/1.1Host: www.yashaerotech.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 52.58.78.16 52.58.78.16
Source: Joe Sandbox View	IP Address: 15.165.26.252 15.165.26.252

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: LEASEWEB-USA-LAX-11US LEASEWEB-USA-LAX-11US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=C3lw6nN8/wjOPd8oaAysox0kMoLppKhEiaq8wux9+N+u3aHHhZKc4gso1l+tbzGLEbBg&nflLiT=xPJxAxbPf HTTP/1.1Host: www.runcouver.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=uttTwOCOH1jEV+6/PDkH2rgXUcJbpZgk8NMf80qhjrLzhrhL9Yums4YmXY+CUKk4Lsjl&nflLiT=xPJxAxbPf HTTP/1.1Host: www.aa29996.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=JvjSk9WUlBdgONG69H9sib5J4SPt/vPlwOmf1A06UqzVvRJVghpTE97et7kDme6aF6nY&nflLiT=xPJxAxbPf HTTP/1.1Host: www.ux300e.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=7Tv9DsBa2x/9+7rHtb45a2p9TOUpHuLwXvGhoZyRj+FM5Jpy0KtmokI2zSCU3HKaraDa&nflLiT=xPJxAxbPf HTTP/1.1Host: www.mvprunning.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=dTiXV4CFE3yVJbJPtbi4kS8L9e4gDLsfvJEyPJQwpK+wIZV6SF5bJNAnffOAlybNEFfC&nflLiT=xPJxAxbPf HTTP/1.1Host: www.getboostphlo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrA3L99pwBOY&nflLiT=xPJxAxbPf HTTP/1.1Host: www.okitmall.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=y4JxQtggtXVUGlOHrdhsWpYE5Q5QdQRqM5s9avj6g1ZOxqioacxcZohZ3CHAJSRBFHfe&nflLiT=xPJxAxbPf HTTP/1.1Host: www.cqsjny.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT09VD1VuWTt&nflLiT=xPJxAxbPf HTTP/1.1Host: www.betbonusuk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /iu4d/?AR6=a4TwvNFJUHZfYjxmJDGfKucvC3Kvi9GvZt2BYG7bsK78eAq1dsPAQngdGmiuB14d735P&nflLiT=xPJxAxbPf HTTP/1.1Host: www.yashaerotech.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.runcouver.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Apr 2021 09:05:22 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeSet-Cookie: __cfduid=dfb3971d4184d632d73a1908cbee311771617872722; expires=Sat, 08-May-21 09:05:22 GMT; path=/; domain=.getboostphlo.com; HttpOnly; SameSite=LaxCF-Cache-Status: DYNAMICcf-request-id: 095253b1640000a8c13d238000000001Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2F802H7kHqNcGEaM19LIsT0HTjHrjpPBTypNS7vtOf80a0axYnOpC46oJeo%2FijRhoiKFT5as3D5%2FwxLegLD2FcS%2FMFN%2BWUhKGAQQySsVBK6%2BbwWISsw%3D%3D"}],"group":"cf-nel"}NEL: {"max_age":604800,"report_to":"cf-nel"}Server: cloudflareCF-RAY: 63ca55623926a8c1-CDGalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 75 34 64 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /iu4d/ was not found on this server.</p></body></html>

Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hvEop8Y70Y.exe	String found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
Source: hvEop8Y70Y.exe	String found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, hvEop8Y70Y.exe, 00000000.00000003.246364868.0000000005DCD000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: hvEop8Y70Y.exe, 00000000.00000002.266638944.0000000005DC0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comX
Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comcj
Source: hvEop8Y70Y.exe, 00000000.00000003.238491766.0000000005DDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comic
Source: hvEop8Y70Y.exe, 00000000.00000003.238413554.0000000005DDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: hvEop8Y70Y.exe, 00000000.00000003.240959056.0000000005DC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/Li
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: hvEop8Y70Y.exe, 00000000.00000003.240959056.0000000005DC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/omh#?oy
Source: hvEop8Y70Y.exe, 00000000.00000003.240642231.0000000005DFD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/6#
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/G#Por
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/L#Ko
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/aali
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ana
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/h#wo0
Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/rpor
Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp, hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comte
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: hvEop8Y70Y.exe, 00000000.00000003.240127889.0000000005DC9000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krndo
Source: explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: hvEop8Y70Y.exe, 00000000.00000003.239195731.0000000005DDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com2
Source: hvEop8Y70Y.exe, 00000000.00000003.238931392.0000000005DDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comI
Source: hvEop8Y70Y.exe, 00000000.00000003.239146242.0000000005DDB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comc
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D6D78 NtQueryInformationProcess,	0_2_075D6D78
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D6D70 NtQueryInformationProcess,	0_2_075D6D70
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_004181B0 NtCreateFile,	4_2_004181B0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_00418260 NtReadFile,	4_2_00418260
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_004182E0 NtClose,	4_2_004182E0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_00418390 NtAllocateVirtualMemory,	4_2_00418390
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519910 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_01519910
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015199A0 NtCreateSection,LdrInitializeThunk,	4_2_015199A0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519840 NtDelayExecution,LdrInitializeThunk,	4_2_01519840
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519860 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01519860
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015198F0 NtReadVirtualMemory,LdrInitializeThunk,	4_2_015198F0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519A50 NtCreateFile,LdrInitializeThunk,	4_2_01519A50
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519A00 NtProtectVirtualMemory,LdrInitializeThunk,	4_2_01519A00
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519A20 NtResumeThread,LdrInitializeThunk,	4_2_01519A20
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519540 NtReadFile,LdrInitializeThunk,	4_2_01519540
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015195D0 NtClose,LdrInitializeThunk,	4_2_015195D0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519710 NtQueryInformationToken,LdrInitializeThunk,	4_2_01519710
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519FE0 NtCreateMutant,LdrInitializeThunk,	4_2_01519FE0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519780 NtMapViewOfSection,LdrInitializeThunk,	4_2_01519780
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015197A0 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_015197A0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519660 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_01519660
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015196E0 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_015196E0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519950 NtQueueApcThread,	4_2_01519950
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015199D0 NtCreateProcessEx,	4_2_015199D0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0151B040 NtSuspendThread,	4_2_0151B040
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519820 NtEnumerateKey,	4_2_01519820
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015198A0 NtWriteVirtualMemory,	4_2_015198A0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519B00 NtSetValueKey,	4_2_01519B00
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0151A3B0 NtGetContextThread,	4_2_0151A3B0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519A10 NtQuerySection,	4_2_01519A10
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519A80 NtOpenDirectoryObject,	4_2_01519A80
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519560 NtWriteFile,	4_2_01519560
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0151AD30 NtSetContextThread,	4_2_0151AD30
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519520 NtWaitForSingleObject,	4_2_01519520
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015195F0 NtQueryInformationFile,	4_2_015195F0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0151A770 NtOpenThread,	4_2_0151A770
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519770 NtSetInformationFile,	4_2_01519770
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519760 NtOpenProcess,	4_2_01519760
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0151A710 NtOpenProcessToken,	4_2_0151A710
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519730 NtQueryVirtualMemory,	4_2_01519730
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519650 NtQueryValueKey,	4_2_01519650
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519670 NtQueryInformationProcess,	4_2_01519670
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01519610 NtEnumerateValueKey,	4_2_01519610
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015196D0 NtCreateKey,	4_2_015196D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9840 NtDelayExecution,LdrInitializeThunk,	14_2_044E9840
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9860 NtQuerySystemInformation,LdrInitializeThunk,	14_2_044E9860
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9540 NtReadFile,LdrInitializeThunk,	14_2_044E9540
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	14_2_044E9910
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E95D0 NtClose,LdrInitializeThunk,	14_2_044E95D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E99A0 NtCreateSection,LdrInitializeThunk,	14_2_044E99A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9650 NtQueryValueKey,LdrInitializeThunk,	14_2_044E9650
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9A50 NtCreateFile,LdrInitializeThunk,	14_2_044E9A50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9660 NtAllocateVirtualMemory,LdrInitializeThunk,	14_2_044E9660
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E96D0 NtCreateKey,LdrInitializeThunk,	14_2_044E96D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E96E0 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_044E96E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9710 NtQueryInformationToken,LdrInitializeThunk,	14_2_044E9710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9FE0 NtCreateMutant,LdrInitializeThunk,	14_2_044E9FE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9780 NtMapViewOfSection,LdrInitializeThunk,	14_2_044E9780
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044EB040 NtSuspendThread,	14_2_044EB040
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9820 NtEnumerateKey,	14_2_044E9820
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E98F0 NtReadVirtualMemory,	14_2_044E98F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E98A0 NtWriteVirtualMemory,	14_2_044E98A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9950 NtQueueApcThread,	14_2_044E9950
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9560 NtWriteFile,	14_2_044E9560
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9520 NtWaitForSingleObject,	14_2_044E9520
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044EAD30 NtSetContextThread,	14_2_044EAD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E99D0 NtCreateProcessEx,	14_2_044E99D0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E95F0 NtQueryInformationFile,	14_2_044E95F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9670 NtQueryInformationProcess,	14_2_044E9670
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9A00 NtProtectVirtualMemory,	14_2_044E9A00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9610 NtEnumerateValueKey,	14_2_044E9610
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9A10 NtQuerySection,	14_2_044E9A10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9A20 NtResumeThread,	14_2_044E9A20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9A80 NtOpenDirectoryObject,	14_2_044E9A80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9760 NtOpenProcess,	14_2_044E9760
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9770 NtSetInformationFile,	14_2_044E9770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044EA770 NtOpenThread,	14_2_044EA770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9B00 NtSetValueKey,	14_2_044E9B00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044EA710 NtOpenProcessToken,	14_2_044EA710
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E9730 NtQueryVirtualMemory,	14_2_044E9730
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044E97A0 NtUnmapViewOfSection,	14_2_044E97A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044EA3B0 NtGetContextThread,	14_2_044EA3B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_003981B0 NtCreateFile,	14_2_003981B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_00398260 NtReadFile,	14_2_00398260
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_003982E0 NtClose,	14_2_003982E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_00398390 NtAllocateVirtualMemory,	14_2_00398390

Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_008BA9EA	0_2_008BA9EA
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_008BDCE7	0_2_008BDCE7
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_008BE078	0_2_008BE078
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_02CFC2B0	0_2_02CFC2B0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_02CF9990	0_2_02CF9990
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_02D61830	0_2_02D61830
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_02D60448	0_2_02D60448
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D5360	0_2_075D5360
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075DBF98	0_2_075DBF98
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D2060	0_2_075D2060
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D78F8	0_2_075D78F8
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D534F	0_2_075D534F
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D1378	0_2_075D1378
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D2B60	0_2_075D2B60
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D8B10	0_2_075D8B10
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D2B29	0_2_075D2B29
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D8B20	0_2_075D8B20
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D1BD8	0_2_075D1BD8
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D8FF2	0_2_075D8FF2
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D1BE8	0_2_075D1BE8
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D1388	0_2_075D1388
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D1E48	0_2_075D1E48
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D1E38	0_2_075D1E38
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D7E30	0_2_075D7E30
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D19B0	0_2_075D19B0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D19A0	0_2_075D19A0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D2050	0_2_075D2050
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D0810	0_2_075D0810
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D0801	0_2_075D0801
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D9000	0_2_075D9000
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D78F4	0_2_075D78F4
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_075D78AA	0_2_075D78AA
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_008BAAC7	0_2_008BAAC7
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 0_2_008BAA54	0_2_008BAA54
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0041B960	4_2_0041B960
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0041C212	4_2_0041C212
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0041CB21	4_2_0041CB21
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_00408C50	4_2_00408C50
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0041B493	4_2_0041B493
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_00402D88	4_2_00402D88
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0041CE0C	4_2_0041CE0C
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0041CF16	4_2_0041CF16
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_009AE078	4_2_009AE078
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_009AA9EA	4_2_009AA9EA
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_009ADCE7	4_2_009ADCE7
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_014DF900	4_2_014DF900
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_014F4120	4_2_014F4120
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01591002	4_2_01591002
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015A28EC	4_2_015A28EC
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_014EB090	4_2_014EB090
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015020A0	4_2_015020A0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015A20A8	4_2_015A20A8
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015A2B28	4_2_015A2B28
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0159DBD2	4_2_0159DBD2
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0150EBB0	4_2_0150EBB0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015A22AE	4_2_015A22AE
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015A1D55	4_2_015A1D55
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015A2D07	4_2_015A2D07
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_014D0D20	4_2_014D0D20
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015A25DD	4_2_015A25DD
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_014ED5E0	4_2_014ED5E0
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_01502581	4_2_01502581
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0159D466	4_2_0159D466
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_014E841F	4_2_014E841F
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015A1FF1	4_2_015A1FF1
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_0159D616	4_2_0159D616
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_014F6E30	4_2_014F6E30
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_015A2EF7	4_2_015A2EF7
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_009AAA54	4_2_009AAA54
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: 4_2_009AAAC7	4_2_009AAAC7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_0456D466	14_2_0456D466
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_04561002	14_2_04561002
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044B841F	14_2_044B841F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_045728EC	14_2_045728EC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044BB090	14_2_044BB090
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044D20A0	14_2_044D20A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_045720A8	14_2_045720A8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_04571D55	14_2_04571D55
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044AF900	14_2_044AF900
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_04572D07	14_2_04572D07
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044A0D20	14_2_044A0D20
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044C4120	14_2_044C4120
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_045725DD	14_2_045725DD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044BD5E0	14_2_044BD5E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044D2581	14_2_044D2581
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044C6E30	14_2_044C6E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_04572EF7	14_2_04572EF7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_045722AE	14_2_045722AE
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_04572B28	14_2_04572B28
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_0456DBD2	14_2_0456DBD2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_04571FF1	14_2_04571FF1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_044DEBB0	14_2_044DEBB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_0039CB21	14_2_0039CB21
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_00388C50	14_2_00388C50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_00382D90	14_2_00382D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_00382D88	14_2_00382D88
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_0039CE0C	14_2_0039CE0C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_0039CF16	14_2_0039CF16
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 14_2_00382FB0	14_2_00382FB0

Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Code function: String function: 014DB150 appears 35 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 044AB150 appears 35 times

Source: hvEop8Y70Y.exe, 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs hvEop8Y70Y.exe
Source: hvEop8Y70Y.exe, 00000000.00000000.234604097.0000000000952000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameHebrewValue.exe4 vs hvEop8Y70Y.exe
Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs hvEop8Y70Y.exe
Source: hvEop8Y70Y.exe, 00000000.00000002.272029106.0000000008BE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs hvEop8Y70Y.exe
Source: hvEop8Y70Y.exe, 00000004.00000002.310678097.0000000000A42000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameHebrewValue.exe4 vs hvEop8Y70Y.exe
Source: hvEop8Y70Y.exe, 00000004.00000002.311914487.0000000001253000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameraserver.exej% vs hvEop8Y70Y.exe
Source: hvEop8Y70Y.exe, 00000004.00000002.312736573.000000000175F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs hvEop8Y70Y.exe
Source: hvEop8Y70Y.exe	Binary or memory string: OriginalFilenameHebrewValue.exe4 vs hvEop8Y70Y.exe

Source: hvEop8Y70Y.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: hvEop8Y70Y.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@12/7

Source: C:\Users\user\Desktop\hvEop8Y70Y.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hvEop8Y70Y.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Mutant created: \Sessions\1\BaseNamedObjects\TItEGneTqYuzerdV
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01

Source: hvEop8Y70Y.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\hvEop8Y70Y.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\hvEop8Y70Y.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: hvEop8Y70Y.exe	Virustotal: Detection: 25%
Source: hvEop8Y70Y.exe	ReversingLabs: Detection: 29%

Source: unknown	Process created: C:\Users\user\Desktop\hvEop8Y70Y.exe 'C:\Users\user\Desktop\hvEop8Y70Y.exe'
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Process created: C:\Users\user\Desktop\hvEop8Y70Y.exe C:\Users\user\Desktop\hvEop8Y70Y.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\hvEop8Y70Y.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hvEop8Y70Y.exe	Process created: C:\Users\user\Desktop\hvEop8Y70Y.exe C:\Users\user\Desktop\hvEop8Y70Y.exe	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\hvEop8Y70Y.exe'	Jump to behavior

Source: C:\Users\user\Desktop\hvEop8Y70Y.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: hvEop8Y70Y.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: hvEop8Y70Y.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: hvEop8Y70Y.exe, 00000004.00000002.312279182.00000000014B0000.00000040.00000001.sdmp, raserver.exe, 0000000E.00000002.509423103.000000000459F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: hvEop8Y70Y.exe, raserver.exe
Source:	Binary string: RAServer.pdb source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp
Source:	Binary string: RAServer.pdbGCTL source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report hvEop8Y70Y.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation: