Play interactive tour

Edit tour

Analysis Report PO.exe

Overview

General Information

Sample Name:	PO.exe
Analysis ID:	383909
MD5:	ba83b33d39ca6c3bf1f311d1b6a38d1a
SHA1:	ce0bcbb882b1a2105138b9955c1d892e4c6f0947
SHA256:	ce27bdaa30fc5a712b41888b529f52c87f90b9d196b975d47ec9b5236b48cebc
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Contains functionality to prevent local Windows debugging

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

PO.exe (PID: 5720 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: BA83B33D39CA6C3BF1F311D1B6A38D1A)

PO.exe (PID: 2904 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: BA83B33D39CA6C3BF1F311D1B6A38D1A)

explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

chkdsk.exe (PID: 1716 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)

cmd.exe (PID: 4500 cmdline: /c del 'C:\Users\user\Desktop\PO.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.riceandginger.com/fcn/"], "decoy": ["bellee-select.com", "unlock-motorola.com", "courtneyrunyon.com", "hnzywjz.com", "retrievingbest.net", "ayescarrental.com", "beyoutifulblessings.com", "heritagediscovery.net", "fasoum.com", "wbz.xyz", "lownak.com", "alinkarmay.com", "coffeyquiltco.com", "validdreamers.com", "yuksukcu.club", "buildnextfrc.com", "avantfarme.com", "xyfs360.com", "holisticpacific.com", "banejia.com", "champsn.com", "ebitit.com", "esseneceedibles.com", "findmyautoparts.com", "belenusadvisory.net", "esrise.net", "lovewillfindaway.net", "chienluocmarketing.net", "greenbelieve.com", "shopyourgift.com", "theweddingofshadiandmike.com", "greenstavern.com", "klinku.com", "norastravel.com", "team5thgroup.com", "ohrchadash.com", "hauteandcood.com", "ap-333.com", "jonathantyar.com", "robertabraham.com", "citestaccnt1597691130.com", "665asilo.com", "deerokoj.com", "ezcovid19.com", "heritageivhoa.com", "ultraprecisiondata.com", "alkiefsaudi.com", "camelliaflowers.space", "clickqrcoaster.com", "ponorogokita.com", "stainlesslion.com", "china-ymc.com", "littner.xyz", "houseof2.com", "metabolytix.com", "1000-help6.club", "another-sc.com", "suafrisolac.com", "whitetreechainmail.com", "amazon-service-app-account.com", "cruiseameroca.com", "yaxett.net", "adsmat.com", "afternoontravel.site"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.PO.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.PO.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
1.2.PO.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.PO.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.1.PO.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.PO.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.PO.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0.2.PO.exe.2670000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PO.exe.2670000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PO.exe.2670000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
0.2.PO.exe.2670000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PO.exe.2670000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PO.exe.2670000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18409:$sqlite3step: 68 34 1C 7B E1 0x1851c:$sqlite3step: 68 34 1C 7B E1 0x18438:$sqlite3text: 68 38 2A 90 C5 0x1855d:$sqlite3text: 68 38 2A 90 C5 0x1844b:$sqlite3blob: 68 53 D8 7F 8C 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.1.PO.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.PO.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.PO.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17609:$sqlite3step: 68 34 1C 7B E1 0x1771c:$sqlite3step: 68 34 1C 7B E1 0x17638:$sqlite3text: 68 38 2A 90 C5 0x1775d:$sqlite3text: 68 38 2A 90 C5 0x1764b:$sqlite3blob: 68 53 D8 7F 8C 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.riceandginger.com/fcn/"], "decoy": ["bellee-select.com", "unlock-motorola.com", "courtneyrunyon.com", "hnzywjz.com", "retrievingbest.net", "ayescarrental.com", "beyoutifulblessings.com", "heritagediscovery.net", "fasoum.com", "wbz.xyz", "lownak.com", "alinkarmay.com", "coffeyquiltco.com", "validdreamers.com", "yuksukcu.club", "buildnextfrc.com", "avantfarme.com", "xyfs360.com", "holisticpacific.com", "banejia.com", "champsn.com", "ebitit.com", "esseneceedibles.com", "findmyautoparts.com", "belenusadvisory.net", "esrise.net", "lovewillfindaway.net", "chienluocmarketing.net", "greenbelieve.com", "shopyourgift.com", "theweddingofshadiandmike.com", "greenstavern.com", "klinku.com", "norastravel.com", "team5thgroup.com", "ohrchadash.com", "hauteandcood.com", "ap-333.com", "jonathantyar.com", "robertabraham.com", "citestaccnt1597691130.com", "665asilo.com", "deerokoj.com", "ezcovid19.com", "heritageivhoa.com", "ultraprecisiondata.com", "alkiefsaudi.com", "camelliaflowers.space", "clickqrcoaster.com", "ponorogokita.com", "stainlesslion.com", "china-ymc.com", "littner.xyz", "houseof2.com", "metabolytix.com", "1000-help6.club", "another-sc.com", "suafrisolac.com", "whitetreechainmail.com", "amazon-service-app-account.com", "cruiseameroca.com", "yaxett.net", "adsmat.com", "afternoontravel.site"]}

Multi AV Scanner detection for submitted file

Show sources

Source: PO.exe	Virustotal: Detection: 15%			Perma Link
Source: PO.exe	ReversingLabs: Detection: 14%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

Source: 1.2.PO.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.chkdsk.exe.2a5660.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.chkdsk.exe.54ef834.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.PO.exe.2670000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.PO.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: PO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: C:\xampp\htdocs\Cryptor\a3aea962689945e0b965ec319b5ccdaa\Loader\Loader\Release\16znhx5gg.pdb source: PO.exe, 00000000.00000002.240861204.0000000073CA2000.00000002.00020000.sdmp, gif000d.dll.0.dr
Source:	Binary string: chkdsk.pdbGCTL source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.232569339.000000001EFD0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO.exe, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	0_2_00405301
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	0_2_00405C94
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_004026BC FindFirstFileA,	0_2_004026BC

Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then pop esi	1_2_004172F0
Source: C:\Users\user\Desktop\PO.exe	Code function: 4x nop then pop esi	1_1_004172F0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 4x nop then pop esi	8_2_04B472F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.riceandginger.com/fcn/

Source: global traffic

HTTP traffic detected: GET /fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr HTTP/1.1Host: www.riceandginger.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.ayescarrental.com

Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419D60 NtCreateFile,	1_2_00419D60
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419E10 NtReadFile,	1_2_00419E10
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419E90 NtClose,	1_2_00419E90
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419F40 NtAllocateVirtualMemory,	1_2_00419F40
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419DB3 NtReadFile,	1_2_00419DB3
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419E8A NtClose,	1_2_00419E8A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00419F3B NtAllocateVirtualMemory,	1_2_00419F3B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A298F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_00A298F0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_00A29860
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29840 NtDelayExecution,LdrInitializeThunk,	1_2_00A29840
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A299A0 NtCreateSection,LdrInitializeThunk,	1_2_00A299A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_00A29910
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29A20 NtResumeThread,LdrInitializeThunk,	1_2_00A29A20
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_00A29A00
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29A50 NtCreateFile,LdrInitializeThunk,	1_2_00A29A50
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A295D0 NtClose,LdrInitializeThunk,	1_2_00A295D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29540 NtReadFile,LdrInitializeThunk,	1_2_00A29540
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A296E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_00A296E0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_00A29660
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A297A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_00A297A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29780 NtMapViewOfSection,LdrInitializeThunk,	1_2_00A29780
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29710 NtQueryInformationToken,LdrInitializeThunk,	1_2_00A29710
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A298A0 NtWriteVirtualMemory,	1_2_00A298A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29820 NtEnumerateKey,	1_2_00A29820
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A2B040 NtSuspendThread,	1_2_00A2B040
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A299D0 NtCreateProcessEx,	1_2_00A299D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29950 NtQueueApcThread,	1_2_00A29950
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29A80 NtOpenDirectoryObject,	1_2_00A29A80
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29A10 NtQuerySection,	1_2_00A29A10
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A2A3B0 NtGetContextThread,	1_2_00A2A3B0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29B00 NtSetValueKey,	1_2_00A29B00
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A295F0 NtQueryInformationFile,	1_2_00A295F0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29520 NtWaitForSingleObject,	1_2_00A29520
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A2AD30 NtSetContextThread,	1_2_00A2AD30
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29560 NtWriteFile,	1_2_00A29560
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A296D0 NtCreateKey,	1_2_00A296D0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29610 NtEnumerateValueKey,	1_2_00A29610
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29670 NtQueryInformationProcess,	1_2_00A29670
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29650 NtQueryValueKey,	1_2_00A29650
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29FE0 NtCreateMutant,	1_2_00A29FE0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29730 NtQueryVirtualMemory,	1_2_00A29730
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A2A710 NtOpenProcessToken,	1_2_00A2A710
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29760 NtOpenProcess,	1_2_00A29760
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A29770 NtSetInformationFile,	1_2_00A29770
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A2A770 NtOpenThread,	1_2_00A2A770
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_1_00419D60 NtCreateFile,	1_1_00419D60
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_1_00419E10 NtReadFile,	1_1_00419E10
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_1_00419E90 NtClose,	1_1_00419E90
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_1_00419F40 NtAllocateVirtualMemory,	1_1_00419F40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B49D60 NtCreateFile,	8_2_04B49D60
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B49E90 NtClose,	8_2_04B49E90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B49E10 NtReadFile,	8_2_04B49E10
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B49F40 NtAllocateVirtualMemory,	8_2_04B49F40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B49DB3 NtReadFile,	8_2_04B49DB3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B49E8A NtClose,	8_2_04B49E8A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B49F3B NtAllocateVirtualMemory,	8_2_04B49F3B

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040314A

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_004046A7	0_2_004046A7
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00401027	1_2_00401027
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00401030	1_2_00401030
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041E100	1_2_0041E100
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041E246	1_2_0041E246
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00402D90	1_2_00402D90
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00409E40	1_2_00409E40
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00409E3C	1_2_00409E3C
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041DF12	1_2_0041DF12
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041DF1C	1_2_0041DF1C
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00402FB0	1_2_00402FB0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A120A0	1_2_00A120A0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_009FB090	1_2_009FB090
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AA1002	1_2_00AA1002
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A04120	1_2_00A04120
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_009EF900	1_2_009EF900
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A1EBB0	1_2_00A1EBB0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_009F841F	1_2_009F841F
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A12581	1_2_00A12581
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_009FD5E0	1_2_009FD5E0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_009E0D20	1_2_009E0D20
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00AB1D55	1_2_00AB1D55
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A06E30	1_2_00A06E30
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_1_00401027	1_1_00401027
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_1_00401030	1_1_00401030
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_1_0041E100	1_1_0041E100
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_1_0041E246	1_1_0041E246
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B32D90	8_2_04B32D90
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B39E3C	8_2_04B39E3C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B39E40	8_2_04B39E40
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B32FB0	8_2_04B32FB0
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B4DF12	8_2_04B4DF12
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B4DF1C	8_2_04B4DF1C
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B4E100	8_2_04B4E100
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B4E246	8_2_04B4E246

Source: C:\Users\user\Desktop\PO.exe

Code function: String function: 009EB150 appears 35 times

Source: PO.exe, 00000000.00000003.233217726.000000001F0EF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000001.00000002.282165146.0000000002656000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs PO.exe

Source: PO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/3@4/2

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004041E5

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,

0_2_004020A6

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\nsj9DD.tmp

Jump to behavior

Source: PO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: PO.exe	Virustotal: Detection: 15%
Source: PO.exe	ReversingLabs: Detection: 14%

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\user\Desktop\PO.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:	Binary string: C:\xampp\htdocs\Cryptor\a3aea962689945e0b965ec319b5ccdaa\Loader\Loader\Release\16znhx5gg.pdb source: PO.exe, 00000000.00000002.240861204.0000000073CA2000.00000002.00020000.sdmp, gif000d.dll.0.dr
Source:	Binary string: chkdsk.pdbGCTL source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
Source:	Binary string: chkdsk.pdb source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.232569339.000000001EFD0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO.exe, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\PO.exe

Unpacked PE file: 1.2.PO.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,

0_2_00401FDC

Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041E34F push eax; ret	1_2_0041E356
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00417CCE push 7FCF5E29h; iretd	1_2_00417CD3
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00417CD7 push ebx; retf	1_2_00417CDF
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_004164B4 push esi; ret	1_2_004164BD
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00417D58 push esp; iretd	1_2_00417D5A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041CEB5 push eax; ret	1_2_0041CF08
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041CF6C push eax; ret	1_2_0041CF72
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041CF02 push eax; ret	1_2_0041CF08
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0041CF0B push eax; ret	1_2_0041CF72
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00A3D0D1 push ecx; ret	1_2_00A3D0E4
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_1_0041E34F push eax; ret	1_1_0041E356
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B464B4 push esi; ret	8_2_04B464BD
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B47CD7 push ebx; retf	8_2_04B47CDF
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B47CCE push 7FCF5E29h; iretd	8_2_04B47CD3
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B47D58 push esp; iretd	8_2_04B47D5A
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B4CEB5 push eax; ret	8_2_04B4CF08
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B4CF02 push eax; ret	8_2_04B4CF08
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B4CF0B push eax; ret	8_2_04B4CF72
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B4CF6C push eax; ret	8_2_04B4CF72
Source: C:\Windows\SysWOW64\chkdsk.exe	Code function: 8_2_04B4E34F push eax; ret	8_2_04B4E356

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection: