Play interactive tour

Edit tour

Analysis Report AQJEKNHnWK.exe

Overview

General Information

Sample Name:	AQJEKNHnWK.exe
Analysis ID:	383851
MD5:	5d8702803555ff684424ebd13eda9f47
SHA1:	f8b1197457782ba958fc7178fb838119c8138374
SHA256:	f7e96b7c6612b709e413bbc8c72796cadbb7ce91ed17ec77d5ba4d4422e729cb
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Contains functionality to prevent local Windows debugging

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

AQJEKNHnWK.exe (PID: 1724 cmdline: 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: 5D8702803555FF684424EBD13EDA9F47)

AQJEKNHnWK.exe (PID: 4772 cmdline: 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: 5D8702803555FF684424EBD13EDA9F47)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

explorer.exe (PID: 1156 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

cmd.exe (PID: 5560 cmdline: /c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.th0rgramm.com/hx3a/"], "decoy": ["xn--ol-xia.com", "gracieleesgiftsandmore.com", "invenufas.com", "nexgencoder.com", "virginiabrightseleccion.com", "selectenergyservicestx.com", "warchocki.com", "xn--comercialvioo-tkb.website", "losangelesbraiders.com", "skaraonline.com", "freeworldsin.com", "jabberjawmobile.com", "orgoneartist.com", "xyfzfl.com", "arooko.com", "investmentpartners.limited", "ugonget.com", "ringforklift.com", "recovatek.com", "bukannyaterbuai24.com", "formula-kuhni.com", "cyfss.com", "stkify.com", "aksharnewtown.com", "libroricardoanaya.com", "phillhutt.com", "mywinnersworld.com", "school17obn.com", "cocoshop.info", "netzcorecloud.com", "bookbeachchairs.com", "summitsolutionsnow.com", "yakudatsu-hikaku.com", "elitedrive.net", "jjwheelerphotography.com", "motcamket.com", "hatikuturkila.com", "tonton-koubou.com", "roughcuttavernorder.com", "leagueofconsciouscreatives.com", "worldsabroad.com", "ezmodafinil.com", "apettelp.club", "xn--jvrr98g37n88d.com", "gobiodisc.com", "alliedcds.com", "jillspickles.com", "alfenas.info", "herbalyesman.xyz", "sugary-sweet.com", "rigscart.com", "curiget.xyz", "stacksyspro.net", "sxqyws.net", "solocubiertos.com", "actuualizarinfruma.com", "thecurmudgeonsspeakout.com", "paydaegitimkurumlari.com", "sellingdealsinheels.com", "dezhou8.xyz", "thelitigatorsbookclub.com", "rainbowsdepot.com", "serenityislegalveston.com", "contactredzonetalent.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.AQJEKNHnWK.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.AQJEKNHnWK.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.AQJEKNHnWK.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
1.1.AQJEKNHnWK.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.AQJEKNHnWK.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.AQJEKNHnWK.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
1.2.AQJEKNHnWK.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.AQJEKNHnWK.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.AQJEKNHnWK.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
1.1.AQJEKNHnWK.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.AQJEKNHnWK.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.AQJEKNHnWK.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
0.2.AQJEKNHnWK.exe.1eef0000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.AQJEKNHnWK.exe.1eef0000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.AQJEKNHnWK.exe.1eef0000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.th0rgramm.com/hx3a/"], "decoy": ["xn--ol-xia.com", "gracieleesgiftsandmore.com", "invenufas.com", "nexgencoder.com", "virginiabrightseleccion.com", "selectenergyservicestx.com", "warchocki.com", "xn--comercialvioo-tkb.website", "losangelesbraiders.com", "skaraonline.com", "freeworldsin.com", "jabberjawmobile.com", "orgoneartist.com", "xyfzfl.com", "arooko.com", "investmentpartners.limited", "ugonget.com", "ringforklift.com", "recovatek.com", "bukannyaterbuai24.com", "formula-kuhni.com", "cyfss.com", "stkify.com", "aksharnewtown.com", "libroricardoanaya.com", "phillhutt.com", "mywinnersworld.com", "school17obn.com", "cocoshop.info", "netzcorecloud.com", "bookbeachchairs.com", "summitsolutionsnow.com", "yakudatsu-hikaku.com", "elitedrive.net", "jjwheelerphotography.com", "motcamket.com", "hatikuturkila.com", "tonton-koubou.com", "roughcuttavernorder.com", "leagueofconsciouscreatives.com", "worldsabroad.com", "ezmodafinil.com", "apettelp.club", "xn--jvrr98g37n88d.com", "gobiodisc.com", "alliedcds.com", "jillspickles.com", "alfenas.info", "herbalyesman.xyz", "sugary-sweet.com", "rigscart.com", "curiget.xyz", "stacksyspro.net", "sxqyws.net", "solocubiertos.com", "actuualizarinfruma.com", "thecurmudgeonsspeakout.com", "paydaegitimkurumlari.com", "sellingdealsinheels.com", "dezhou8.xyz", "thelitigatorsbookclub.com", "rainbowsdepot.com", "serenityislegalveston.com", "contactredzonetalent.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll

ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Show sources

Source: AQJEKNHnWK.exe	Virustotal: Detection: 18%			Perma Link
Source: AQJEKNHnWK.exe	ReversingLabs: Detection: 35%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE

Source: 7.2.explorer.exe.2d564d0.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.explorer.exe.4e47960.6.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: AQJEKNHnWK.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: explorer.pdbUGP source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: AQJEKNHnWK.exe, 00000000.00000003.210067388.000000001F0E0000.00000004.00000001.sdmp, AQJEKNHnWK.exe, 00000001.00000002.256332303.0000000000B5F000.00000040.00000001.sdmp, explorer.exe, 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: AQJEKNHnWK.exe, explorer.exe
Source:	Binary string: explorer.pdb source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	0_2_00405301
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	0_2_00405C94
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 0_2_004026BC FindFirstFileA,	0_2_004026BC

Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 4x nop then pop edi	1_2_0040C3C1
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 4x nop then pop edi	1_1_0040C3C1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop edi	7_2_004EC3C1

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.th0rgramm.com/hx3a/

Source: global traffic	HTTP traffic detected: GET /hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD HTTP/1.1Host: www.mywinnersworld.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD HTTP/1.1Host: www.gracieleesgiftsandmore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD HTTP/1.1Host: www.tonton-koubou.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD HTTP/1.1Host: www.phillhutt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 23.227.38.74 23.227.38.74

Source: Joe Sandbox View	ASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View	ASN Name: WEBHOST1-ASRU WEBHOST1-ASRU

Source: global traffic	HTTP traffic detected: GET /hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD HTTP/1.1Host: www.mywinnersworld.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD HTTP/1.1Host: www.gracieleesgiftsandmore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD HTTP/1.1Host: www.tonton-koubou.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD HTTP/1.1Host: www.phillhutt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.rainbowsdepot.com

Source: explorer.exe, 00000004.00000000.241718690.00000000089FD000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmp	String found in binary or memory: http://julianlawoffices.law/hx3a/?tZUT=Iu/IXyUbTVDu5P2JH19Ubbm/NNayCdBr7HPQNpzBLmA
Source: explorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmp	String found in binary or memory: http://tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000007.00000002.472073266.0000000002DBC000.00000004.00000020.sdmp	String found in binary or memory: http://www.formula-kuhni.com/eIm#
Source: explorer.exe, 00000007.00000002.472169147.0000000002DCF000.00000004.00000020.sdmp	String found in binary or memory: http://www.formula-kuhni.com/hx3a/?tZUT=caEAE6TOQuxSMBR5BS8nf
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\AQJEKNHnWK.exe

Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_004181C0 NtCreateFile,	1_2_004181C0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00418270 NtReadFile,	1_2_00418270
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_004182F0 NtClose,	1_2_004182F0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_004183A0 NtAllocateVirtualMemory,	1_2_004183A0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_004182EA NtClose,	1_2_004182EA
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_0041839A NtAllocateVirtualMemory,	1_2_0041839A
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA98F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_00AA98F0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_00AA9860
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9840 NtDelayExecution,LdrInitializeThunk,	1_2_00AA9840
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA99A0 NtCreateSection,LdrInitializeThunk,	1_2_00AA99A0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_00AA9910
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9A20 NtResumeThread,LdrInitializeThunk,	1_2_00AA9A20
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_00AA9A00
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9A50 NtCreateFile,LdrInitializeThunk,	1_2_00AA9A50
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA95D0 NtClose,LdrInitializeThunk,	1_2_00AA95D0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9540 NtReadFile,LdrInitializeThunk,	1_2_00AA9540
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA96E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_00AA96E0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_00AA9660
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA97A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_00AA97A0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk,	1_2_00AA9780
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9FE0 NtCreateMutant,LdrInitializeThunk,	1_2_00AA9FE0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9710 NtQueryInformationToken,LdrInitializeThunk,	1_2_00AA9710
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA98A0 NtWriteVirtualMemory,	1_2_00AA98A0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9820 NtEnumerateKey,	1_2_00AA9820
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AAB040 NtSuspendThread,	1_2_00AAB040
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA99D0 NtCreateProcessEx,	1_2_00AA99D0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9950 NtQueueApcThread,	1_2_00AA9950
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9A80 NtOpenDirectoryObject,	1_2_00AA9A80
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9A10 NtQuerySection,	1_2_00AA9A10
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AAA3B0 NtGetContextThread,	1_2_00AAA3B0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9B00 NtSetValueKey,	1_2_00AA9B00
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA95F0 NtQueryInformationFile,	1_2_00AA95F0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9520 NtWaitForSingleObject,	1_2_00AA9520
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AAAD30 NtSetContextThread,	1_2_00AAAD30
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9560 NtWriteFile,	1_2_00AA9560
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA96D0 NtCreateKey,	1_2_00AA96D0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9610 NtEnumerateValueKey,	1_2_00AA9610
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9670 NtQueryInformationProcess,	1_2_00AA9670
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9650 NtQueryValueKey,	1_2_00AA9650
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9730 NtQueryVirtualMemory,	1_2_00AA9730
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AAA710 NtOpenProcessToken,	1_2_00AAA710
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9760 NtOpenProcess,	1_2_00AA9760
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AA9770 NtSetInformationFile,	1_2_00AA9770
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00AAA770 NtOpenThread,	1_2_00AAA770
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_004181C0 NtCreateFile,	1_1_004181C0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_00418270 NtReadFile,	1_1_00418270
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_004182F0 NtClose,	1_1_004182F0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_004183A0 NtAllocateVirtualMemory,	1_1_004183A0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_004182EA NtClose,	1_1_004182EA
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_0041839A NtAllocateVirtualMemory,	1_1_0041839A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049795D0 NtClose,LdrInitializeThunk,	7_2_049795D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979540 NtReadFile,LdrInitializeThunk,	7_2_04979540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049796D0 NtCreateKey,LdrInitializeThunk,	7_2_049796D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049796E0 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_049796E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979650 NtQueryValueKey,LdrInitializeThunk,	7_2_04979650
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979660 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_04979660
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979780 NtMapViewOfSection,LdrInitializeThunk,	7_2_04979780
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979FE0 NtCreateMutant,LdrInitializeThunk,	7_2_04979FE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979710 NtQueryInformationToken,LdrInitializeThunk,	7_2_04979710
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979840 NtDelayExecution,LdrInitializeThunk,	7_2_04979840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979860 NtQuerySystemInformation,LdrInitializeThunk,	7_2_04979860
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049799A0 NtCreateSection,LdrInitializeThunk,	7_2_049799A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979910 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_04979910
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979A50 NtCreateFile,LdrInitializeThunk,	7_2_04979A50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049795F0 NtQueryInformationFile,	7_2_049795F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0497AD30 NtSetContextThread,	7_2_0497AD30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979520 NtWaitForSingleObject,	7_2_04979520
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979560 NtWriteFile,	7_2_04979560
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979610 NtEnumerateValueKey,	7_2_04979610
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979670 NtQueryInformationProcess,	7_2_04979670
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049797A0 NtUnmapViewOfSection,	7_2_049797A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0497A710 NtOpenProcessToken,	7_2_0497A710
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979730 NtQueryVirtualMemory,	7_2_04979730
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0497A770 NtOpenThread,	7_2_0497A770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979770 NtSetInformationFile,	7_2_04979770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979760 NtOpenProcess,	7_2_04979760
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049798A0 NtWriteVirtualMemory,	7_2_049798A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049798F0 NtReadVirtualMemory,	7_2_049798F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979820 NtEnumerateKey,	7_2_04979820
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0497B040 NtSuspendThread,	7_2_0497B040
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049799D0 NtCreateProcessEx,	7_2_049799D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979950 NtQueueApcThread,	7_2_04979950
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979A80 NtOpenDirectoryObject,	7_2_04979A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979A10 NtQuerySection,	7_2_04979A10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979A00 NtProtectVirtualMemory,	7_2_04979A00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979A20 NtResumeThread,	7_2_04979A20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0497A3B0 NtGetContextThread,	7_2_0497A3B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04979B00 NtSetValueKey,	7_2_04979B00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004F81C0 NtCreateFile,	7_2_004F81C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004F8270 NtReadFile,	7_2_004F8270
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004F82F0 NtClose,	7_2_004F82F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004F83A0 NtAllocateVirtualMemory,	7_2_004F83A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004F82EA NtClose,	7_2_004F82EA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004F839A NtAllocateVirtualMemory,	7_2_004F839A

Source: C:\Users\user\Desktop\AQJEKNHnWK.exe

Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040314A

Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 0_2_004046A7	0_2_004046A7
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_0040102C	1_2_0040102C
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_0041B881	1_2_0041B881
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_0041C10F	1_2_0041C10F
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_0041A2A6	1_2_0041A2A6
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_0041BC41	1_2_0041BC41
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00408C5C	1_2_00408C5C
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00408C60	1_2_00408C60
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_0041CEF6	1_2_0041CEF6
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00A920A0	1_2_00A920A0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B320A8	1_2_00B320A8
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00A7B090	1_2_00A7B090
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B328EC	1_2_00B328EC
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B3E824	1_2_00B3E824
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B21002	1_2_00B21002
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00A84120	1_2_00A84120
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00A6F900	1_2_00A6F900
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B322AE	1_2_00B322AE
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00A9EBB0	1_2_00A9EBB0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B2DBD2	1_2_00B2DBD2
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B203DA	1_2_00B203DA
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B32B28	1_2_00B32B28
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00A7841F	1_2_00A7841F
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B2D466	1_2_00B2D466
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00A92581	1_2_00A92581
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00A7D5E0	1_2_00A7D5E0
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B325DD	1_2_00B325DD
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00A60D20	1_2_00A60D20
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B32D07	1_2_00B32D07
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B31D55	1_2_00B31D55
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B32EF7	1_2_00B32EF7
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00A86E30	1_2_00A86E30
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B2D616	1_2_00B2D616
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B31FF1	1_2_00B31FF1
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_2_00B3DFCE	1_2_00B3DFCE
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_0040102C	1_1_0040102C
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_00401030	1_1_00401030
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_0041B881	1_1_0041B881
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_0041C10F	1_1_0041C10F
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_0041A2A6	1_1_0041A2A6
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_0041BC41	1_1_0041BC41
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_00408C5C	1_1_00408C5C
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: 1_1_00408C60	1_1_00408C60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0494841F	7_2_0494841F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049FD466	7_2_049FD466
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04962581	7_2_04962581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0494D5E0	7_2_0494D5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04A025DD	7_2_04A025DD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04A02D07	7_2_04A02D07
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04930D20	7_2_04930D20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04A01D55	7_2_04A01D55
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04A02EF7	7_2_04A02EF7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049FD616	7_2_049FD616
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04956E30	7_2_04956E30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04A01FF1	7_2_04A01FF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0494B090	7_2_0494B090
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04A020A8	7_2_04A020A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049620A0	7_2_049620A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04A028EC	7_2_04A028EC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049F1002	7_2_049F1002
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0493F900	7_2_0493F900
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04954120	7_2_04954120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04A022AE	7_2_04A022AE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_0496EBB0	7_2_0496EBB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_049FDBD2	7_2_049FDBD2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_04A02B28	7_2_04A02B28
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004FA2A6	7_2_004FA2A6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004E8C5C	7_2_004E8C5C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004E8C60	7_2_004E8C60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004E2D90	7_2_004E2D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004FCEF6	7_2_004FCEF6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 7_2_004E2FB0	7_2_004E2FB0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll 6C4628D2A5D9FE67953D21A7AB0FF49BAC94B69FB32B5A1FA94AE8CB71A4D693

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 0493B150 appears 35 times
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: String function: 00419F70 appears 34 times
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: String function: 0041A0A0 appears 50 times
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe	Code function: String function: 00A6B150 appears 35 times

Source: AQJEKNHnWK.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: AQJEKNHnWK.exe, 00000000.00000003.207038845.000000001F036000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AQJEKNHnWK.exe
Source: AQJEKNHnWK.exe, 00000001.00000002.256332303.0000000000B5F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AQJEKNHnWK.exe
Source: AQJEKNHnWK.exe, 00000001.00000002.257477540.0000000002A0E000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs AQJEKNHnWK.exe

Source: AQJEKNHnWK.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY

Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brough

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report AQJEKNHnWK.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary: