Analysis Report Quotation-4834898943949883.pdf.exe

Overview

General Information

Sample Name:	Quotation-4834898943949883.pdf.exe
Analysis ID:	383906
MD5:	57055ad7429ef21caca78a9428e8a332
SHA1:	4df1aae070d95c2fd6c40ba3070a2af53462f3e6
SHA256:	f15085a9037c117355a6b500780d5df0530a6c6724e4506622565b4c13582876
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: www.mcgeefamilychildcare.com/nc6m/

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.mcgeefamilychildcare.com/nc6m/"], "decoy": ["saltypar.com", "most.community", "johnmucollection.com", "houzzthings.net", "onemarketips.com", "legalmarketingtx.net", "criminalmindeddesign.com", "dtrinvesting.com", "millertaxpreparation.com", "wckfwwehmo.net", "begoodmeat.com", "tradefinance.fyi", "taxbizfunnels.com", "learnstartupdesign.com", "hxmdelights.com", "christiandantrust.faith", "dimensionshypnosis.com", "261391.com", "cancellednot.com", "paodanmeng.com", "thewayoutbooks.com", "halsdraincleaning.com", "jumlasx.xyz", "sutransformacion.com", "abisagne.com", "yingjiebj.com", "prodgra.com", "phone-review24.club", "weandvirus.com", "thelibertyhomeinspector.com", "fuckblarkie.com", "tappesupportservices.com", "marianiemorazzani.com", "skyybluchildkare.info", "diysecurityreview.com", "insuranceagentwilliams.com", "k-yahagigumi.com", "b3ourg.xyz", "mawhl.net", "billionartoffaith.com", "tech4thelolo.com", "vlvglobal.com", "positive-agenda-advisory.com", "sdzcsyy.com", "jxdiil.com", "craicing.com", "opinionesymodelos.com", "tulsaprintingcompany.com", "papaifotografo.com", "kalpavasi.com", "century21comingsoon.com", "bahiaprincipegrand.com", "tinwinsolar.ltd", "emprenviendo.com", "nineykal.com", "tam-rh.cat", "onlyfanscash.com", "florida-sunny.com", "workmone.online", "sastaafoods.com", "financiallyhealthy.life", "unudix.com", "wwwsumwater.com", "iparametricjobs.com"]}

Multi AV Scanner detection for submitted file

Source: Quotation-4834898943949883.pdf.exe	Virustotal: Detection: 26%			Perma Link
Source: Quotation-4834898943949883.pdf.exe	ReversingLabs: Detection: 22%

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: Quotation-4834898943949883.pdf.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: Quotation-4834898943949883.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Quotation-4834898943949883.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.241176585.0000000001430000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Quotation-4834898943949883.pdf.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04D71B98
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_04D71BA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_0771FBA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then pop ebx	4_2_00407AFB

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.mcgeefamilychildcare.com/nc6m/

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240759928.0000000002D72000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000001.00000002.240654193.0000000002CE1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240759928.0000000002D72000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: Quotation-4834898943949883.pdf.exe	String found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
Source: Quotation-4834898943949883.pdf.exe	String found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245213081.0000000006F12000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Quotation-4834898943949883.pdf.exe
Source: initial sample	Static PE information: Filename: Quotation-4834898943949883.pdf.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716878 NtQueryInformationProcess,	1_2_07716878
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716873 NtQueryInformationProcess,	1_2_07716873
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A060 NtClose,	4_2_0041A060
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A110 NtAllocateVirtualMemory,	4_2_0041A110
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419F30 NtCreateFile,	4_2_00419F30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419FE0 NtReadFile,	4_2_00419FE0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419F2A NtCreateFile,	4_2_00419F2A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419F82 NtCreateFile,	4_2_00419F82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499860 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01499860
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499660 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_01499660
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014996E0 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_014996E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499950 NtQueueApcThread,	4_2_01499950
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499910 NtAdjustPrivilegesToken,	4_2_01499910
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014999D0 NtCreateProcessEx,	4_2_014999D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014999A0 NtCreateSection,	4_2_014999A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0149B040 NtSuspendThread,	4_2_0149B040
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499840 NtDelayExecution,	4_2_01499840
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499820 NtEnumerateKey,	4_2_01499820
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014998F0 NtReadVirtualMemory,	4_2_014998F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014998A0 NtWriteVirtualMemory,	4_2_014998A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499B00 NtSetValueKey,	4_2_01499B00
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0149A3B0 NtGetContextThread,	4_2_0149A3B0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A50 NtCreateFile,	4_2_01499A50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A00 NtProtectVirtualMemory,	4_2_01499A00
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A10 NtQuerySection,	4_2_01499A10
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A20 NtResumeThread,	4_2_01499A20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499A80 NtOpenDirectoryObject,	4_2_01499A80
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499540 NtReadFile,	4_2_01499540
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499560 NtWriteFile,	4_2_01499560
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01499520 NtWaitForSingleObject,	4_2_01499520
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0149AD30 NtSetContextThread,	4_2_0149AD30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014995D0 NtClose,	4_2_014995D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014995F0 NtQueryInformationFile,	4_2_014995F0

Detected potential crypto function

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094DCE7	1_2_0094DCE7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094A9EA	1_2_0094A9EA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_011BC2B0	1_2_011BC2B0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_011B9990	1_2_011B9990
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_04D70448	1_2_04D70448
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_04D71770	1_2_04D71770
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07715520	1_2_07715520
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07710740	1_2_07710740
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711FA8	1_2_07711FA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711F99	1_2_07711F99
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711D60	1_2_07711D60
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711D51	1_2_07711D51
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0771A550	1_2_0771A550
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07712D40	1_2_07712D40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0771A53F	1_2_0771A53F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07715510	1_2_07715510
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_077114E0	1_2_077114E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_077114D1	1_2_077114D1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711B58	1_2_07711B58
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07711B48	1_2_07711B48
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07718BB0	1_2_07718BB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07718BA3	1_2_07718BA3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716A10	1_2_07716A10
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07712170	1_2_07712170
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07719170	1_2_07719170
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07712163	1_2_07712163
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07710938	1_2_07710938
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07710929	1_2_07710929
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07719180	1_2_07719180
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094AAC7	1_2_0094AAC7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00401209	4_2_00401209
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041DAFA	4_2_0041DAFA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D378	4_2_0041D378
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00409DFC	4_2_00409DFC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402D88	4_2_00402D88
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00409E40	4_2_00409E40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D631	4_2_0041D631
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097A9EA	4_2_0097A9EA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097DCE7	4_2_0097DCE7
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0145F900	4_2_0145F900
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01474120	4_2_01474120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01472990	4_2_01472990
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014799BF	4_2_014799BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01456800	4_2_01456800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01511002	4_2_01511002
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0152E824	4_2_0152E824
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A830	4_2_0147A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015228EC	4_2_015228EC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146B090	4_2_0146B090
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014820A0	4_2_014820A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015220A8	4_2_015220A8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FCB4F	4_2_014FCB4F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147AB40	4_2_0147AB40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01473360	4_2_01473360
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151231B	4_2_0151231B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147A309	4_2_0147A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01522B28	4_2_01522B28
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151DBD2	4_2_0151DBD2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015103DA	4_2_015103DA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148ABD8	4_2_0148ABD8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014A8BE8	4_2_014A8BE8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015023E3	4_2_015023E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148138B	4_2_0148138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014FEB8A	4_2_014FEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147EB9A	4_2_0147EB9A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0148EBB0	4_2_0148EBB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B236	4_2_0147B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0150FA2B	4_2_0150FA2B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151E2C5	4_2_0151E2C5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01514AEF	4_2_01514AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015232A9	4_2_015232A9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015222AE	4_2_015222AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01521D55	4_2_01521D55
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01472D50	4_2_01472D50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01522D07	4_2_01522D07
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01450D20	4_2_01450D20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_015225DD	4_2_015225DD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146D5E0	4_2_0146D5E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01482581	4_2_01482581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01512D82	4_2_01512D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014865A0	4_2_014865A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0147B477	4_2_0147B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0151D466	4_2_0151D466
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0146841F	4_2_0146841F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01472430	4_2_01472430
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097AAC7	4_2_0097AAC7

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 0145B150 appears 121 times
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 014E5720 appears 62 times

PE file contains strange resources

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Quotation-4834898943949883.pdf.exe	Binary or memory string: OriginalFilename vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245565115.0000000007680000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000000.217395296.0000000000942000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameReadBufferAsyncd97.exe4 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240654193.0000000002CE1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.245113568.0000000006E30000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe	Binary or memory string: OriginalFilename vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000004.00000000.238479725.0000000000972000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameReadBufferAsyncd97.exe4 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.241413507.000000000154F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe	Binary or memory string: OriginalFilenameReadBufferAsyncd97.exe4 vs Quotation-4834898943949883.pdf.exe

Uses 32bit PE files

Source: Quotation-4834898943949883.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.241153701.0000000003DA3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.240662044.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation-4834898943949883.pdf.exe.log

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: unknown	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe 'C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe'
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094D65F push es; retn 0001h	1_2_0094D6BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_0094DC4E push 00000000h; iretd	1_2_0094DC98
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 1_2_07716E6F pushfd ; retf	1_2_07716E78
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D0D2 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D0DB push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D085 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D13C push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040B3F8 push ebx; iretd	4_2_0040B3FB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041766B push eax; ret	4_2_0041766E
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040DF92 push ebp; retf	4_2_0040DF93
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041AFBA pushad ; retf	4_2_0041AFBE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097DC4E push 00000000h; iretd	4_2_0097DC98
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0097D65F push es; retn 0001h	4_2_0097D6BD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_014AD0D1 push ecx; ret	4_2_014AD0E4

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation-4834898943949883.pdf.exe PID: 5956, type: MEMORY

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe TID: 5952	Thread sleep time: -100018s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe TID: 6028	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Thread delayed: delay time: 100018			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Quotation-4834898943949883.pdf.exe, 00000001.00000002.240710316.0000000002D35000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

ID:	383906
Product:	CloudBasic
Start time:	12:11:06
Start date:	08.04.2021
Sample:	Quotation-4834898943949883.pdf.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	57055ad7429ef21caca78a9428e8a332
SHA1:	4df1aae070d95c2fd6c40ba3070a2af53462f3e6
SHA256:	f15085a9037c117355a6b500780d5df0530a6c6724e4506622565b4c13582876
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Analysis Report Quotation-4834898943949883.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted URLs