Analysis Report PO.exe

Overview

General Information

Sample Name: PO.exe
Analysis ID: 383909
MD5: ba83b33d39ca6c3bf1f311d1b6a38d1a
SHA1: ce0bcbb882b1a2105138b9955c1d892e4c6f0947
SHA256: ce27bdaa30fc5a712b41888b529f52c87f90b9d196b975d47ec9b5236b48cebc
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO.exe (PID: 5720 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: BA83B33D39CA6C3BF1F311D1B6A38D1A)
    • PO.exe (PID: 2904 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: BA83B33D39CA6C3BF1F311D1B6A38D1A)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 1716 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 4500 cmdline: /c del 'C:\Users\user\Desktop\PO.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.riceandginger.com/fcn/"], "decoy": ["bellee-select.com", "unlock-motorola.com", "courtneyrunyon.com", "hnzywjz.com", "retrievingbest.net", "ayescarrental.com", "beyoutifulblessings.com", "heritagediscovery.net", "fasoum.com", "wbz.xyz", "lownak.com", "alinkarmay.com", "coffeyquiltco.com", "validdreamers.com", "yuksukcu.club", "buildnextfrc.com", "avantfarme.com", "xyfs360.com", "holisticpacific.com", "banejia.com", "champsn.com", "ebitit.com", "esseneceedibles.com", "findmyautoparts.com", "belenusadvisory.net", "esrise.net", "lovewillfindaway.net", "chienluocmarketing.net", "greenbelieve.com", "shopyourgift.com", "theweddingofshadiandmike.com", "greenstavern.com", "klinku.com", "norastravel.com", "team5thgroup.com", "ohrchadash.com", "hauteandcood.com", "ap-333.com", "jonathantyar.com", "robertabraham.com", "citestaccnt1597691130.com", "665asilo.com", "deerokoj.com", "ezcovid19.com", "heritageivhoa.com", "ultraprecisiondata.com", "alkiefsaudi.com", "camelliaflowers.space", "clickqrcoaster.com", "ponorogokita.com", "stainlesslion.com", "china-ymc.com", "littner.xyz", "houseof2.com", "metabolytix.com", "1000-help6.club", "another-sc.com", "suafrisolac.com", "whitetreechainmail.com", "amazon-service-app-account.com", "cruiseameroca.com", "yaxett.net", "adsmat.com", "afternoontravel.site"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.PO.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
1.2.PO.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
1.2.PO.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.riceandginger.com/fcn/"], "decoy": ["bellee-select.com", "unlock-motorola.com", "courtneyrunyon.com", "hnzywjz.com", "retrievingbest.net", "ayescarrental.com", "beyoutifulblessings.com", "heritagediscovery.net", "fasoum.com", "wbz.xyz", "lownak.com", "alinkarmay.com", "coffeyquiltco.com", "validdreamers.com", "yuksukcu.club", "buildnextfrc.com", "avantfarme.com", "xyfs360.com", "holisticpacific.com", "banejia.com", "champsn.com", "ebitit.com", "esseneceedibles.com", "findmyautoparts.com", "belenusadvisory.net", "esrise.net", "lovewillfindaway.net", "chienluocmarketing.net", "greenbelieve.com", "shopyourgift.com", "theweddingofshadiandmike.com", "greenstavern.com", "klinku.com", "norastravel.com", "team5thgroup.com", "ohrchadash.com", "hauteandcood.com", "ap-333.com", "jonathantyar.com", "robertabraham.com", "citestaccnt1597691130.com", "665asilo.com", "deerokoj.com", "ezcovid19.com", "heritageivhoa.com", "ultraprecisiondata.com", "alkiefsaudi.com", "camelliaflowers.space", "clickqrcoaster.com", "ponorogokita.com", "stainlesslion.com", "china-ymc.com", "littner.xyz", "houseof2.com", "metabolytix.com", "1000-help6.club", "another-sc.com", "suafrisolac.com", "whitetreechainmail.com", "amazon-service-app-account.com", "cruiseameroca.com", "yaxett.net", "adsmat.com", "afternoontravel.site"]}
Multi AV Scanner detection for submitted file
Source: PO.exe; Virustotal: Detection: 15%
Source: PO.exe; ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match; File source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: 1.2.PO.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.chkdsk.exe.2a5660.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.chkdsk.exe.54ef834.5.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.PO.exe.2670000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.PO.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: PO.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\xampp\htdocs\Cryptor\a3aea962689945e0b965ec319b5ccdaa\Loader\Loader\Release\16znhx5gg.pdb source: PO.exe, 00000000.00000002.240861204.0000000073CA2000.00000002.00020000.sdmp, gif000d.dll.0.dr
Source: Binary string: chkdsk.pdbGCTL source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
Source: Binary string: chkdsk.pdb source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.232569339.000000001EFD0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PO.exe, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\PO.exe; Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
Source: C:\Users\user\Desktop\PO.exe; Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
Source: C:\Users\user\Desktop\PO.exe; Code function: 0_2_004026BC FindFirstFileA,0_2_004026BC
Source: C:\Users\user\Desktop\PO.exe; Code function: 4x nop then pop esi 1_2_004172F0
Source: C:\Users\user\Desktop\PO.exe; Code function: 4x nop then pop esi 1_1_004172F0
Source: C:\Windows\SysWOW64\chkdsk.exe; Code function: 4x nop then pop esi 8_2_04B472F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.riceandginger.com/fcn/
Source: global traffic; HTTP traffic detected: GET /fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr HTTP/1.1; Host: www.riceandginger.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: global traffic; HTTP traffic detected: GET /fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr HTTP/1.1; Host: www.riceandginger.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: unknown; DNS traffic detected: queries for: www.ayescarrental.com
Source: C:\Users\user\Desktop\PO.exe; Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419D60 NtCreateFile,1_2_00419D60
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419E10 NtReadFile,1_2_00419E10
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419E90 NtClose,1_2_00419E90
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419F40 NtAllocateVirtualMemory,1_2_00419F40
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419DB3 NtReadFile,1_2_00419DB3
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419E8A NtClose,1_2_00419E8A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419F3B NtAllocateVirtualMemory,1_2_00419F3B
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A298F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00A298F0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00A29860
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29840 NtDelayExecution,LdrInitializeThunk,1_2_00A29840
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A299A0 NtCreateSection,LdrInitializeThunk,1_2_00A299A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00A29910
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29A20 NtResumeThread,LdrInitializeThunk,1_2_00A29A20
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00A29A00
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29A50 NtCreateFile,LdrInitializeThunk,1_2_00A29A50
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A295D0 NtClose,LdrInitializeThunk,1_2_00A295D0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29540 NtReadFile,LdrInitializeThunk,1_2_00A29540
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A296E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00A296E0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00A29660
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A297A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00A297A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29780 NtMapViewOfSection,LdrInitializeThunk,1_2_00A29780
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29710 NtQueryInformationToken,LdrInitializeThunk,1_2_00A29710
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A298A0 NtWriteVirtualMemory,1_2_00A298A0
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29820 NtEnumerateKey,1_2_00A29820
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A2B040 NtSuspendThread,1_2_00A2B040
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A299D0 NtCreateProcessEx,1_2_00A299D0
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29950 NtQueueApcThread,1_2_00A29950
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29A80 NtOpenDirectoryObject,1_2_00A29A80
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29A10 NtQuerySection,1_2_00A29A10
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A2A3B0 NtGetContextThread,1_2_00A2A3B0
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29B00 NtSetValueKey,1_2_00A29B00
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A295F0 NtQueryInformationFile,1_2_00A295F0
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29520 NtWaitForSingleObject,1_2_00A29520
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A2AD30 NtSetContextThread,1_2_00A2AD30
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29560 NtWriteFile,1_2_00A29560
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A296D0 NtCreateKey,1_2_00A296D0
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29610 NtEnumerateValueKey,1_2_00A29610
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29670 NtQueryInformationProcess,1_2_00A29670
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29650 NtQueryValueKey,1_2_00A29650
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29FE0 NtCreateMutant,1_2_00A29FE0
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29730 NtQueryVirtualMemory,1_2_00A29730
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A2A710 NtOpenProcessToken,1_2_00A2A710
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29760 NtOpenProcess,1_2_00A29760
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A29770 NtSetInformationFile,1_2_00A29770
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A2A770 NtOpenThread,1_2_00A2A770
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_1_00419D60 NtCreateFile,1_1_00419D60
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_1_00419E10 NtReadFile,1_1_00419E10
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_1_00419E90 NtClose,1_1_00419E90
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_1_00419F40 NtAllocateVirtualMemory,1_1_00419F40
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B49D60 NtCreateFile,8_2_04B49D60
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B49E90 NtClose,8_2_04B49E90
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B49E10 NtReadFile,8_2_04B49E10
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B49F40 NtAllocateVirtualMemory,8_2_04B49F40
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B49DB3 NtReadFile,8_2_04B49DB3
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B49E8A NtClose,8_2_04B49E8A
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B49F3B NtAllocateVirtualMemory,8_2_04B49F3B
          Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040314A
          Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_004046A7 0_2_004046A7
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00401027 1_2_00401027
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00401030 1_2_00401030
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_0041E100 1_2_0041E100
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_0041E246 1_2_0041E246
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00402D90 1_2_00402D90
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00409E40 1_2_00409E40
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00409E3C 1_2_00409E3C
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_0041DF12 1_2_0041DF12
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_0041DF1C 1_2_0041DF1C
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00402FB0 1_2_00402FB0
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A120A0 1_2_00A120A0
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_009FB090 1_2_009FB090
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00AA1002 1_2_00AA1002
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A04120 1_2_00A04120
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_009EF900 1_2_009EF900
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A1EBB0 1_2_00A1EBB0
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_009F841F 1_2_009F841F
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A12581 1_2_00A12581
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_009FD5E0 1_2_009FD5E0
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_009E0D20 1_2_009E0D20
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00AB1D55 1_2_00AB1D55
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A06E30 1_2_00A06E30
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_1_00401027 1_1_00401027
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_1_00401030 1_1_00401030
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_1_0041E100 1_1_0041E100
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_1_0041E246 1_1_0041E246
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B32D90 8_2_04B32D90
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B39E3C 8_2_04B39E3C
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B39E40 8_2_04B39E40
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B32FB0 8_2_04B32FB0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B4DF12 8_2_04B4DF12
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B4DF1C 8_2_04B4DF1C
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B4E100 8_2_04B4E100
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B4E246 8_2_04B4E246
          Source: C:\Users\user\Desktop\PO.exe | Code function: String function: 009EB150 appears 35 times
          Source: PO.exe, 00000000.00000003.233217726.000000001F0EF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
          Source: PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
          Source: PO.exe, 00000001.00000002.282165146.0000000002656000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs PO.exe
          Source: PO.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Matched YARA rules (every source listed below matched both rules):
          Rule Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Rule Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@4/2
          Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004041E5
          Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,0_2_004020A6
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01
          Source: C:\Users\user\Desktop\PO.exe | File created: C:\Users\user\AppData\Local\Temp\nsj9DD.tmp
          Source: PO.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\PO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: PO.exe | Virustotal: Detection: 15%
          Source: PO.exe | ReversingLabs: Detection: 14%
          Source: C:\Users\user\Desktop\PO.exe | File read: C:\Users\user\Desktop\PO.exe
          Source: unknown | Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Users\user\Desktop\PO.exe | Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: C:\xampp\htdocs\Cryptor\a3aea962689945e0b965ec319b5ccdaa\Loader\Loader\Release\16znhx5gg.pdb source: PO.exe, 00000000.00000002.240861204.0000000073CA2000.00000002.00020000.sdmp, gif000d.dll.0.dr
          Source: Binary string: chkdsk.pdbGCTL source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
          Source: Binary string: chkdsk.pdb source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.232569339.000000001EFD0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO.exe, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
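The process tree above (PO.exe launching a copy of itself, explorer.exe starting chkdsk.exe with an empty command line, and that chkdsk.exe using cmd.exe /c del to remove the original sample) is the kind of chain that is easy to encode as a detection over process-creation telemetry. The following is an added example, not part of the sandbox report or of any vendor's detection content. It runs three heuristics over constructed ProcessEvent records modelled on the report's tree; the pids, the ProcessEvent field names and the CONSOLE_UTILITIES set are assumptions of the example.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (the fields Sysmon event 1 or EDR telemetry carry)."""
    pid: int
    ppid: int
    image: str
    command_line: str


# Console utilities that explorer.exe has no normal reason to start with an empty
# command line. chkdsk.exe is the one this report shows; extend from your own telemetry.
CONSOLE_UTILITIES = {"chkdsk.exe"}

# Program token (quoted or bare) at the start of a Windows command line.
_PROGRAM_TOKEN = re.compile(r"""^\s*(?:"[^"]*"|'[^']*'|\S+)\s*""")
# cmd.exe /c del <path>, with or without quotes around the path.
_CMD_DEL = re.compile(r"""/c\s+del\s+['"]?([^'"]+?)['"]?\s*$""", re.IGNORECASE)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _arguments(command_line: str) -> str:
    """Everything after the program token, so '' means 'started with no arguments'."""
    return _PROGRAM_TOKEN.sub("", command_line, count=1).strip()


def detect(events):
    """Return (pid, rule, message) triples for the behaviours seen in the report's process tree."""
    by_pid = {e.pid: e for e in events}
    traced_images = {e.image.lower() for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = _name(e.image)
        # 1. A process starting a second copy of itself (PO.exe -> PO.exe).
        if parent is not None and parent.image.lower() == e.image.lower():
            alerts.append((e.pid, "self-spawn", f"{child} started a second copy of itself"))
        # 2. explorer.exe starting a console utility with an empty command line (explorer.exe -> chkdsk.exe).
        if (parent is not None and _name(parent.image) == "explorer.exe"
                and child in CONSOLE_UTILITIES and not _arguments(e.command_line)):
            alerts.append((e.pid, "utility-from-explorer",
                           f"{child} started by explorer.exe with no arguments"))
        # 3. cmd.exe deleting the on-disk image of another process in the same trace (chkdsk.exe -> cmd.exe /c del PO.exe).
        m = _CMD_DEL.search(e.command_line)
        if child == "cmd.exe" and m and m.group(1).lower() in traced_images:
            alerts.append((e.pid, "deletes-traced-image",
                           f"cmd.exe deletes {m.group(1)}, the image of another traced process"))
    return alerts


# Constructed events following the report's tree; pids are made up for the example.
EVENTS = [
    ProcessEvent(1, 0, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(2, 1, r"C:\Users\user\Desktop\PO.exe", r"'C:\Users\user\Desktop\PO.exe'"),
    ProcessEvent(3, 2, r"C:\Users\user\Desktop\PO.exe", r"'C:\Users\user\Desktop\PO.exe'"),
    ProcessEvent(4, 1, r"C:\Windows\SysWOW64\chkdsk.exe", r"C:\Windows\SysWOW64\chkdsk.exe"),
    ProcessEvent(5, 4, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\PO.exe'"),
    ProcessEvent(6, 5, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for pid, rule, message in detect(EVENTS):
        print(f"pid {pid}: [{rule}] {message}")
```

The third rule is the one worth keeping in production: the deleting cmd.exe is not a descendant of PO.exe at all, because the payload runs inside explorer.exe and chkdsk.exe after injection, so a rule that only walks ancestors would miss the cleanup. Matching the del target against every image seen in the trace catches it regardless of which tree it ends up in.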

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\PO.exe | Unpacked PE file: 1.2.PO.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
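The unpacking signature above is produced by comparing the section rights of the image on disk with those of the image recovered from process memory. The following is an added example, not code from the sandbox or from the report: a stdlib-only parser of the PE section table that renders each section's Characteristics in the report's E/R/W letter notation and diffs two images. The build_pe fixture, the DISK_IMAGE and MEMORY_IMAGE inputs and the particular rights they carry are constructed for the example.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics flags (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# One letter per memory right, in the order the report prints them (.text:ER, .data:W, ...).
_RIGHT_LETTERS = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))


def rights_string(characteristics: int) -> str:
    return "".join(letter for flag, letter in _RIGHT_LETTERS if characteristics & flag)


def section_rights(image: bytes) -> dict:
    """Map section name -> rights string for a PE image (on-disk file or memory dump).

    Only the DOS header, COFF header and section table are read; the optional header
    is skipped via SizeOfOptionalHeader, so PE32 and PE32+ are handled alike.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, n_sections, _ts, _symtab, _nsyms, size_opt, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + size_opt
    rights = {}
    for i in range(n_sections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        name = hdr[0].rstrip(b"\0").decode("ascii", "replace")
        rights[name] = rights_string(hdr[9])          # hdr[9] is Characteristics
    return rights


def compare_section_rights(disk_image: bytes, memory_image: bytes) -> dict:
    """Return {section: (rights_on_disk, rights_in_memory)} for every section whose
    rights differ or that exists on one side only (None marks 'absent')."""
    before, after = section_rights(disk_image), section_rights(memory_image)
    return {name: (before.get(name), after.get(name))
            for name in sorted(set(before) | set(after))
            if before.get(name) != after.get(name)}


def build_pe(sections) -> bytes:
    """Constructed fixture: a minimal PE header with the given (name, characteristics)
    sections and no optional header. Not loadable, but enough for the parser above."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table


# Constructed inputs: a loader as stored on disk versus the image recovered from memory,
# whose .text has become writable and whose other sections are gone.
DISK_IMAGE = build_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
MEMORY_IMAGE = build_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for name, (old, new) in compare_section_rights(DISK_IMAGE, MEMORY_IMAGE).items():
        print(f"{name}: {old or '-'} -> {new or '-'}")
```

Any section whose rights gain E or W between the two images, or whose header vanishes, is worth a look in the dump; a dumped image whose headers still match the file on disk has usually just been mapped, not unpacked.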
          Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_00401FDC
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_0041E34F push eax; ret 1_2_0041E356
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00417CCE push 7FCF5E29h; iretd 1_2_00417CD3
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00417CD7 push ebx; retf 1_2_00417CDF
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_004164B4 push esi; ret 1_2_004164BD
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00417D58 push esp; iretd 1_2_00417D5A
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_0041CEB5 push eax; ret 1_2_0041CF08
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_0041CF6C push eax; ret 1_2_0041CF72
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_0041CF02 push eax; ret 1_2_0041CF08
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_0041CF0B push eax; ret 1_2_0041CF72
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A3D0D1 push ecx; ret 1_2_00A3D0E4
          Source: C:\Users\user\Desktop\PO.exe | Code function: 1_1_0041E34F push eax; ret 1_1_0041E356
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B464B4 push esi; ret 8_2_04B464BD
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B47CD7 push ebx; retf 8_2_04B47CDF
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B47CCE push 7FCF5E29h; iretd 8_2_04B47CD3
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B47D58 push esp; iretd 8_2_04B47D5A
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B4CEB5 push eax; ret 8_2_04B4CF08
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B4CF02 push eax; ret 8_2_04B4CF08
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B4CF0B push eax; ret 8_2_04B4CF72
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B4CF6C push eax; ret 8_2_04B4CF72
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04B4E34F push eax; ret 8_2_04B4E356
          Source: C:\Users\user\Desktop\PO.exe | File created: C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll

          Hooking and other Techniques for Hiding and Protection: