
Analysis Report PO.exe

Overview

General Information

Sample Name: PO.exe
Analysis ID: 383905
MD5: 665cb19601850467af3ee7d9fd0e0350
SHA1: 8ac40ef9fa5100a39b14258d8d8e562cefd7202c
SHA256: f3147300f9248e07ffd3a1b7131bed4febad8b0a88eeda27e606f36d04ff1340
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO.exe (PID: 5584 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 665CB19601850467AF3EE7D9FD0E0350)
    • PO.exe (PID: 5536 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 665CB19601850467AF3EE7D9FD0E0350)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 3980 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 1320 cmdline: /c del 'C:\Users\user\Desktop\PO.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
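The tree above is the whole execution chain in five process creations: PO.exe launches a second copy of itself (the "Creates a process in suspended mode" and "Sample uses process hollowing technique" signatures below belong to this step), the hollowed copy moves into the shell explorer.exe, which starts a 32-bit explorer.exe from SysWOW64, and that copy runs cmd.exe /c del against the original sample. The report notes that no Sigma rule matched, so the following is an added detection over process-creation telemetry, written for this page and not part of the Joe Sandbox report. The events are constructed from the PIDs and paths in the tree; the parent of the first PO.exe and the full paths of cmd.exe and conhost.exe are assumed, since the tree shows only their MD5s. The injection into the already-running explorer.exe (PID 3472) is a thread-injection event rather than a process creation and is therefore out of scope for these rules.

```python
"""Detection over process-creation events for the chain in the Startup tree.

Added example, not part of the sandbox report. The events are constructed
from the PIDs and paths in the tree above; the parent of the first PO.exe
and the full paths of cmd.exe and conhost.exe are assumed, not reported.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the created process
    cmdline: str


# Constructed from the report's tree. explorer.exe 3472 is the user's shell:
# the report hangs it under PO.exe because the payload injects into it, which
# is a thread-injection event rather than a process creation, so it appears
# here only as the parent of the SysWOW64 explorer.exe it spawns.
EVENTS: List[ProcEvent] = [
    ProcEvent(5584, 0, "C:\\Users\\user\\Desktop\\PO.exe", "'C:\\Users\\user\\Desktop\\PO.exe'"),
    ProcEvent(5536, 5584, "C:\\Users\\user\\Desktop\\PO.exe", "'C:\\Users\\user\\Desktop\\PO.exe'"),
    ProcEvent(3980, 3472, "C:\\Windows\\SysWOW64\\explorer.exe", "C:\\Windows\\SysWOW64\\explorer.exe"),
    # cmd.exe / conhost.exe paths are assumed (the report lists only their MD5s).
    ProcEvent(1320, 3980, "C:\\Windows\\SysWOW64\\cmd.exe", "/c del 'C:\\Users\\user\\Desktop\\PO.exe'"),
    ProcEvent(4492, 1320, "C:\\Windows\\System32\\conhost.exe", "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
]

# `/c del <path>`, with or without quotes around the path.
DEL_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for the hollowing / self-deletion chain."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    # Anything launched from a user-writable location is treated as "the sample".
    sample_images = {e.image.lower() for e in events if e.image.lower().startswith("c:\\users\\")}
    findings: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # 1. A user-path executable re-launching its own image: the first step of
        #    process hollowing (child created suspended, image unmapped and replaced).
        if parent and parent.image.lower() == e.image.lower() and e.image.lower() in sample_images:
            findings.append(("self-spawn-user-path", e.pid))
        # 2. explorer.exe started from SysWOW64. The shell is the 64-bit
        #    C:\Windows\explorer.exe; a 32-bit copy appearing as a child is abnormal.
        if basename(e.image) == "explorer.exe" and "\\syswow64\\" in e.image.lower():
            findings.append(("wow64-explorer", e.pid))
        # 3. explorer.exe -> cmd.exe /c del <image of a sample seen earlier in the tree>:
        #    the self-deletion step at the bottom of the report's tree.
        if basename(e.image) == "cmd.exe" and parent and basename(parent.image) == "explorer.exe":
            m = DEL_RE.search(e.cmdline)
            if m and m.group(1).strip().lower() in sample_images:
                findings.append(("explorer-deletes-sample", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:24s} pid={pid}")
```

Each rule fires on its own, but the chain is what matters: a self-spawn from a user path followed by a SysWOW64 explorer.exe and an explorer-parented `cmd.exe /c del` of that same path is the full sequence this report shows, and correlating the three by tree is far less noisy than alerting on any one of them.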

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.c-voyageinc.com/r4ei/"], "decoy": ["8clintonstreet.com", "sherylhotpepperblends.com", "eucham.asia", "earnestqueen.com", "vstexchange.com", "theoutofbounds.com", "allincursive.com", "getgenevieved.com", "commonlawpeoplesassembly.net", "brideclubstorerastreamento.com", "cngelectricaldesign.com", "mizmaleather.com", "nicolabenge.com", "babyboxbuy.com", "xaydungquan9.com", "hclifechurch.com", "cwyxonlp.icu", "inocentkidd.com", "worldhw.com", "soul.exchange", "garshbedmi.info", "hayratindonesia.com", "optimummedical-uk.com", "jagocopywriter.com", "loandong.com", "tnacharters.com", "rdj-cpa.com", "nklwmb.com", "baykusbaskimerkezi.xyz", "websiteworlda-z.com", "gulumsekoop.xyz", "artforthebayarea.com", "hkafrfudl.icu", "thekhufureign.com", "stanfordcodingtutor.com", "puoynios.website", "saearners.info", "epipdfhany.com", "cowboycooloutfitters.net", "therealrefinery.com", "royal-english-academy.com", "dante.report", "montonvuraeditted.space", "webuytampabayhouses.com", "phorice.com", "juxrams.info", "francisboyrd.com", "edifice-base.com", "shjzly.com", "frisdrank.deals", "cannajointn.com", "dianshi.ink", "droneserviceshouston.com", "swaymontoya.com", "omvvv.com", "yourherogarden.net", "areenaarora.com", "complex-kokukenzyo.com", "minyakgelici.com", "municipiodeanton.net", "opimexico.com", "xgame.online", "squrl.network", "bayleafdenver.info"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory-dump entries not shown in this extract)

      Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.PO.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
1.2.PO.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further unpacked-PE entries not shown in this extract)
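Two details in the string hits above are worth reading rather than just counting. The JPCERT/CC strings are all five bytes starting with 0x68, which is x86 `push imm32`: each one pushes a 32-bit constant, and the rule names them after the sqlite3 functions (sqlite3_step, sqlite3_column_text, sqlite3_column_blob) whose API hashes they appear to be. The yara-signator `$sequence_0` decodes, on my reading, to `add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax`, an RDTSC delta measurement, which is the code behind the "Tries to detect virtualization through RDTSC time measurements" signature. The same strings also land 0xE00 lower in the `.unpack` view than in `.raw.unpack`, the expected effect of the two dumps using different section layouts. The following is an added example, not the rule authors' code or the sample's bytes, that re-implements those two byte-level checks over a constructed memory region; the hash algorithm itself is not reproduced, only the constants the rule lists.

```python
"""Re-implementation of the byte-level checks behind the Yara hits above.

Added example. SAMPLE_REGION is constructed for the demo; it is not a dump of
the sample. The hash constants and the RDTSC sequence are the ones the report
lists; the hash algorithm that produced them is not reproduced here.
"""
import struct
from typing import Dict, Iterator, List, Tuple

# API hash constants pushed as `push imm32` (opcode 0x68) in the JPCERT rule.
# Keys are the rule's string identifiers.
FORMBOOK_PUSH_HASHES: Dict[str, int] = {
    "sqlite3step": 0xE17B1C34,   # 68 34 1C 7B E1
    "sqlite3text": 0xC5902A38,   # 68 38 2A 90 C5
    "sqlite3blob": 0x8C7FD853,   # 68 53 D8 7F 8C
}

# yara-signator $sequence_0: add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax,
# i.e. an RDTSC delta measurement used as a timing / virtualisation check.
RDTSC_DELTA_SEQUENCE = bytes.fromhex("03C80F312BC18945FC")


def iter_push_imm32(buf: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (offset, imm32) for every 5-byte `push imm32` encoding in buf.

    This is a linear byte scan, not a disassembler: a 0x68 inside data or in
    the middle of a longer instruction is reported too, so callers corroborate
    hits (several distinct hashes, plausible code region) before trusting them.
    """
    for off in range(len(buf) - 4):
        if buf[off] == 0x68:
            yield off, struct.unpack_from("<I", buf, off + 1)[0]


def match_push_hashes(buf: bytes) -> Dict[str, List[int]]:
    """Return {string_name: [offsets]} for every known hash constant found."""
    wanted = {value: name for name, value in FORMBOOK_PUSH_HASHES.items()}
    hits: Dict[str, List[int]] = {}
    for off, imm in iter_push_imm32(buf):
        name = wanted.get(imm)
        if name:
            hits.setdefault(name, []).append(off)
    return hits


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """All offsets of an exact byte pattern (overlapping matches included)."""
    out, start = [], 0
    while (idx := buf.find(pattern, start)) != -1:
        out.append(idx)
        start = idx + 1
    return out


def formbook_evidence(buf: bytes, min_hashes: int = 2) -> dict:
    """Summarise what the two rules look for in one memory region."""
    hashes = match_push_hashes(buf)
    rdtsc = find_all(buf, RDTSC_DELTA_SEQUENCE)
    return {
        "push_hashes": hashes,
        "rdtsc_delta_offsets": rdtsc,
        "hash_rule_hit": len(hashes) >= min_hashes,
        "timing_check_present": bool(rdtsc),
    }


# Constructed region: filler, the three pushes, a padding call, the RDTSC delta.
SAMPLE_REGION = (
    b"\x90" * 16
    + bytes.fromhex("68341C7BE1")        # push 0xE17B1C34 -> sqlite3step  (offset 16)
    + b"\xff\xd0"                         # call eax, padding between the pushes
    + bytes.fromhex("68382A90C5")        # push 0xC5902A38 -> sqlite3text  (offset 23)
    + bytes.fromhex("6853D87F8C")        # push 0x8C7FD853 -> sqlite3blob  (offset 28)
    + b"\xcc" * 8
    + RDTSC_DELTA_SEQUENCE               # offset 41
    + b"\x00" * 16
)

if __name__ == "__main__":
    for key, value in formbook_evidence(SAMPLE_REGION).items():
        print(f"{key}: {value}")
```

The point of `min_hashes` is the same caveat the report's own layering makes: a single `push` of a constant is weak evidence on its own, and the report only calls the sample FormBook because several independent rules (Joe Security, yara-signator, JPCERT/CC) hit the same regions in both memory dumps and rebuilt PEs.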

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

Found malware configuration
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll, ReversingLabs: Detection: 10% (an ns*.tmp directory under %TEMP% is where an NSIS installer extracts its plugin DLLs; the PDB path of this DLL, listed under the binary strings below, names a crypter loader)
Multi AV Scanner detection for submitted file
Source: PO.exe, ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match, file source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: 10.2.explorer.exe.51af834.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.PO.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.PO.exe.2670000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.PO.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: PO.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: explorer.pdbUGP, source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP, source: PO.exe, 00000000.00000003.234541643.000000001EFF0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.293490936.0000000000B2F000.00000040.00000001.sdmp, explorer.exe, 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: PO.exe, explorer.exe
Source: Binary string: C:\xampp\htdocs\Cryptor\1a839a6cf4cc488e888465f9ce8aa846\Loader\Loader\Release\d18g7xa93.pdb, source: PO.exe, 00000000.00000002.242784001.0000000073352000.00000002.00020000.sdmp, 5t94xwjj.dll.0.dr
Source: Binary string: explorer.pdb, source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb, source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\PO.exe, Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
Source: C:\Users\user\Desktop\PO.exe, Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
Source: C:\Users\user\Desktop\PO.exe, Code function: 0_2_004026BC FindFirstFileA,0_2_004026BC
Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then pop ebx, 1_2_00407AFA
Source: C:\Users\user\Desktop\PO.exe, Code function: 4x nop then pop edi, 1_2_00416CA5
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 4x nop then pop ebx, 10_2_00897AFB
Source: C:\Windows\SysWOW64\explorer.exe, Code function: 4x nop then pop edi, 10_2_008A6CA5

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.c-voyageinc.com/r4ei/
Source: global traffic, HTTP traffic detected: GET /r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f HTTP/1.1 | Host: www.websiteworlda-z.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none; seven NUL bytes)
Source: global traffic, HTTP traffic detected: GET /r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f HTTP/1.1 | Host: www.phorice.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none; seven NUL bytes)
Both captured beacons carry the C2 path /r4ei/ from the configuration but are sent to hosts from the decoy list (websiteworlda-z.com, phorice.com), with only Host and Connection headers and no User-Agent; this is the traffic behind the "HTTP GET or POST without a user agent" signature, and the 404 from www.websiteworlda-z.com below is what a decoy that does not host the panel returns.
Source: Joe Sandbox View, IP Address: 44.227.76.166
Source: C:\Windows\explorer.exe, Code function: 3_2_06D537A2 getaddrinfo,setsockopt,recv,3_2_06D537A2
Source: unknown, DNS traffic detected: queries for: www.cwyxonlp.icu
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 08 Apr 2021 10:10:12 GMT | Server: Apache | Content-Length: 269 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: (hex encoding of the body below) | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.websiteworlda-z.com Port 80</address></body></html>
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000A.00000002.504257510.000000000569F000.00000004.00000001.sdmp, String found in binary or memory: http://phorice.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
The font-vendor URLs above all come from one dump of the 64-bit shell (C:\Windows\explorer.exe, process index 3) and are font metadata, not sample indicators; the one string worth keeping from this list is http://phorice.com in the SysWOW64 explorer.exe (process index 10), which is a decoy domain from the configuration.
Source: C:\Users\user\Desktop\PO.exe, Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EA0
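The extracted configuration and the two captured GETs together give a usable network detection: the path component of the C2 entry is reused against every host in the list, the query has a fixed two-parameter shape (a long base64-like value followed by a short token), and the request carries no User-Agent. The following is an added example written for this page, not code from the report or from Joe Sandbox. CONFIG is a trimmed copy of the extracted configuration (the full decoy list is under Malware Configuration above), the first request mirrors a GET recorded above, and the benign request and the `min_reasons` threshold are assumptions for the demo.

```python
"""Beacon detection from the extracted FormBook configuration.

Added example, not part of the sandbox report. CONFIG is a trimmed copy of
the extracted configuration (the full decoy list is in the report); the
requests are constructed, the first mirroring a GET recorded in the report.
"""
import json
import re
from typing import Dict, List
from urllib.parse import urlsplit

CONFIG = json.loads("""{
  "C2 list": ["www.c-voyageinc.com/r4ei/"],
  "decoy": ["websiteworlda-z.com", "phorice.com", "cwyxonlp.icu", "8clintonstreet.com"]
}""")

B64ISH = re.compile(r"[A-Za-z0-9+/=]+")


def config_indicators(cfg: dict) -> Dict[str, set]:
    """Split the config into hostnames and C2 URI paths.

    The sandbox saw GET /r4ei/ sent to decoy hosts, not only to the C2, so the
    path is the stable indicator and every listed host is worth matching
    (with and without a www. prefix, as the captured Host headers carry one).
    """
    hosts, paths = set(), set()
    for c2 in cfg["C2 list"]:
        host, _, path = c2.partition("/")
        hosts.add(host.lower())
        paths.add("/" + path)
    for d in cfg["decoy"]:
        hosts.add(d.lower())
        hosts.add("www." + d.lower())
    return {"hosts": hosts, "paths": paths}


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.x request parser: request line plus headers, body ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify(raw: str, ind: Dict[str, set]) -> List[str]:
    """Return the reasons a request matches the beacon pattern (empty if none)."""
    req = parse_request(raw)
    url = urlsplit(req["target"])
    host = req["headers"].get("host", "").lower().split(":")[0]
    # Split the query by hand: parse_qsl would turn '+' into a space and
    # break the base64-like value check below.
    params = [kv.partition("=") for kv in url.query.split("&") if kv]
    reasons: List[str] = []
    if any(url.path.startswith(p) for p in ind["paths"]):
        reasons.append("c2-path")
    if host in ind["hosts"]:
        reasons.append("config-host")
    if "user-agent" not in req["headers"]:
        reasons.append("no-user-agent")
    # Shape of both captured beacons: exactly two parameters, the first a
    # long base64-like blob, the second a short fixed token.
    if (len(params) == 2 and len(params[0][2]) >= 32
            and B64ISH.fullmatch(params[0][2]) and len(params[1][2]) < 16):
        reasons.append("beacon-query-shape")
    return reasons


def is_beacon(raw: str, ind: Dict[str, set], min_reasons: int = 3) -> bool:
    """Require several independent reasons; a lone missing User-Agent is common."""
    return len(classify(raw, ind)) >= min_reasons


# Constructed requests: the first mirrors a GET recorded in the report.
BEACON = (
    "GET /r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f HTTP/1.1\r\n"
    "Host: www.websiteworlda-z.com\r\n"
    "Connection: close\r\n"
    "\r\n"
)
BENIGN = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: close\r\n"
    "\r\n"
)

if __name__ == "__main__":
    ind = config_indicators(CONFIG)
    for name, raw in (("beacon", BEACON), ("benign", BENIGN)):
        print(name, is_beacon(raw, ind), classify(raw, ind))
```

The host list is the weakest of the four signals, since the decoys are real third-party sites that legitimate users may visit; the path plus the query shape plus the missing User-Agent is what separates the beacon from ordinary browsing, which is why `is_beacon` asks for three reasons rather than one.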

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match, file source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041A060 NtClose
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041A110 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00419F30 NtCreateFile
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00419FE0 NtReadFile
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00419F2B NtCreateFile
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00419FDA NtReadFile
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00419F82 NtReadFile
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A798F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A799A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A795D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A796E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A797A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A798A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79820 NtEnumerateKey
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A7B040 NtSuspendThread
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A799D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79950 NtQueueApcThread
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79A10 NtQuerySection
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A7A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79B00 NtSetValueKey
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A795F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A7AD30 NtSetContextThread
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79560 NtWriteFile
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A796D0 NtCreateKey
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79650 NtQueryValueKey
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79FE0 NtCreateMutant
Source: C:\Windows\explorer.exe Code function: 3_2_06D52A52 NtCreateFile
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE95D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE96D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CEB040 NtSuspendThread
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9560 NtWriteFile
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CEAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9A10 NtQuerySection
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9A20 NtResumeThread
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CEA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9760 NtOpenProcess
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CEA770 NtOpenThread
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CEA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AA060 NtClose
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AA110 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A9FE0 NtReadFile
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A9F30 NtCreateFile
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A9F82 NtReadFile
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A9FDA NtReadFile
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A9F2B NtCreateFile
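The native-call listing above is what the report's injection signatures (process hollowing, mapping a section into another process, queuing an APC, modifying a thread context) are derived from. As an added example, not part of the Joe Sandbox report or of the sample, the script below parses "Code function" lines copied in the report's own format, unions the Nt* names per process, and names the call chains that are fully present. The chain definitions in CHAINS are this example's own heuristic mapping onto the report's signature names, not a sandbox rule; the embedded input is a constructed subset of this section's lines.

```python
"""Triage helper for sandbox "Code function" lines (added example, not Joe Sandbox code).

Unions the native-API names reported per process and names the injection-related
call chains that are fully present. CHAINS is this example's own heuristic.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Tuple

# One raw report line:
#   Source: <image path>Code function: <pid>_<stage>_<addr> <api>[,<api>...],<pid>_<stage>_<addr>
# The extractor drops the space before "Code function:" and repeats the function id as
# trailing link text; the pattern tolerates both, and the cleaned-up spacing as well.
LINE_RE = re.compile(
    r"Source:\s*(?P<path>.+?)\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<apis>[A-Za-z0-9_#, ]+?)"
    r"(?:,?\s*\d+_\d+_[0-9A-Fa-f]+)?\s*$"
)

# Native-API combinations that, seen together in one process, implement the behaviours
# the report flags. Assumed heuristic for this example, not a sandbox rule.
CHAINS: Dict[str, FrozenSet[str]] = {
    "process hollowing": frozenset({
        "NtUnmapViewOfSection", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
        "NtSetContextThread", "NtResumeThread",
    }),
    "section mapping into another process": frozenset({"NtCreateSection", "NtMapViewOfSection"}),
    "APC injection": frozenset({"NtQueueApcThread", "NtWriteVirtualMemory"}),
    "thread context modification": frozenset({"NtGetContextThread", "NtSetContextThread"}),
}

ProcKey = Tuple[int, str]  # (process index as used in the report's function ids, image path)

# Constructed input: a subset of this section's lines, copied in the report's raw format.
SAMPLE_LINES = r"""Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041A060 NtClose,1_2_0041A060
Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00A798F0
Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A799A0 NtCreateSection,LdrInitializeThunk,1_2_00A799A0
Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A79A20 NtResumeThread,LdrInitializeThunk,1_2_00A79A20
Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00A79660
Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00A797A0
Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A79780 NtMapViewOfSection,LdrInitializeThunk,1_2_00A79780
Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A798A0 NtWriteVirtualMemory,1_2_00A798A0
Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A79950 NtQueueApcThread,1_2_00A79950
Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7A3B0 NtGetContextThread,1_2_00A7A3B0
Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7AD30 NtSetContextThread,1_2_00A7AD30
Source: C:\Windows\explorer.exeCode function: 3_2_06D52A52 NtCreateFile,3_2_06D52A52
Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE99A0 NtCreateSection,LdrInitializeThunk,10_2_04CE99A0
Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9780 NtMapViewOfSection,LdrInitializeThunk,10_2_04CE9780
Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9950 NtQueueApcThread,10_2_04CE9950
Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE98A0 NtWriteVirtualMemory,10_2_04CE98A0
Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_004046A70_2_004046A7
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one line; None when it carries no API names (e.g. a bare function id)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
    return {"path": m.group("path"), "pid": int(m.group("pid")),
            "addr": int(m.group("addr"), 16), "apis": apis}


def collect_apis(lines) -> Dict[ProcKey, set]:
    """Union of API names per (pid, image path) over all parseable lines."""
    seen: Dict[ProcKey, set] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[(rec["pid"], rec["path"])].update(rec["apis"])
    return dict(seen)


def flag_injection(lines) -> Dict[ProcKey, List[str]]:
    """For each process, the CHAINS whose calls are all present, sorted by chain name."""
    return {key: sorted(name for name, needed in CHAINS.items() if needed <= apis)
            for key, apis in collect_apis(lines).items()}


if __name__ == "__main__":
    for (pid, path), chains in flag_injection(SAMPLE_LINES.splitlines()).items():
        print(f"process {pid} ({path}): {', '.join(chains) or 'no injection chain'}")
```

Presence of a full chain in a process's static call list is an indicator, not proof of execution; it is the same kind of evidence the report's "Contains functionality to ..." signatures encode, and the unhooked Nt* stubs reached through LdrInitializeThunk in the explorer.exe process (index 10) are what make the injected FormBook stage visible here at all.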
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_0040314A EntryPoint, #17, OleInitialize, SHGetFileInfoA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, DeleteFileA, GetCommandLineA, GetModuleHandleA, CharNextA, OleUninitialize, ExitProcess, lstrcatA, CreateDirectoryA, lstrcatA, lstrcatA, DeleteFileA, GetModuleFileNameA, lstrcmpiA, CopyFileA, lstrcatA, lstrcatA, lstrcatA, lstrcatA, CloseHandle, GetCurrentProcess, ExitWindowsEx, ExitProcess
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_004046A7
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00401030
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041E1EC
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041E1F8
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041EADA
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00409E40
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00409E3D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041D680
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B020A8
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4B090
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B028EC
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B0E824
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1002
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3F900
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B022AE
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6EBB0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF03DA
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFDBD2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B02B28
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4841F
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFD466
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A62581
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4D5E0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B025DD
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A30D20
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B02D07
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B01D55
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B02EF7
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A56E30
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFD616
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B01FF1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B0DFCE
Source: C:\Windows\explorer.exe Code function: 3_2_06D52A52
Source: C:\Windows\explorer.exe Code function: 3_2_06D4ACF2
Source: C:\Windows\explorer.exe Code function: 3_2_06D4ACE9
Source: C:\Windows\explorer.exe Code function: 3_2_06D51882
Source: C:\Windows\explorer.exe Code function: 3_2_06D49072
Source: C:\Windows\explorer.exe Code function: 3_2_06D49069
Source: C:\Windows\explorer.exe Code function: 3_2_06D55A0C
Source: C:\Windows\explorer.exe Code function: 3_2_06D50152
Source: C:\Windows\explorer.exe Code function: 3_2_06D4DB1F
Source: C:\Windows\explorer.exe Code function: 3_2_06D4DB22
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CBB090
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D720A8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D61002
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CB841F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CBD5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD2581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D71D55
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CAF900
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D72D07
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CA0D20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CC4120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D72EF7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D722AE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CC6E30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D71FF1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CDEBB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D72B28
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AE1EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AE1F8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AEADA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00892D90
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00899E3D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00899E40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00892FB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 04CAB150 appears 35 times
Source: C:\Users\user\Desktop\PO.exe Code function: String function: 00A3B150 appears 45 times
Source: PO.exe, 00000000.00000003.234946045.000000001EF76000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000001.00000003.242100037.000000000098F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000001.00000002.294578840.0000000002BFE000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs PO.exe
Source: PO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = interna