Analysis Report Y4U48592345670954.exe

Overview

General Information

Sample Name: Y4U48592345670954.exe
Analysis ID: 383918
MD5: e8e69391d3a931e6638adaebf6a339f6
SHA1: 29c02e786c6f8b343bc0f05a1195ff5215d21e63
SHA256: 20087dfd9482120735e4e37edc7307b91264632b0c9c7b50a058c100ba186ece
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Y4U48592345670954.exe (PID: 7016 cmdline: 'C:\Users\user\Desktop\Y4U48592345670954.exe' MD5: E8E69391D3A931E6638ADAEBF6A339F6)
    • Y4U48592345670954.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\Y4U48592345670954.exe' MD5: E8E69391D3A931E6638ADAEBF6A339F6)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 2628 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 5052 cmdline: /c del 'C:\Users\user\Desktop\Y4U48592345670954.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.middlehambooks.com/klf/"], "decoy": ["podcastyourvote.com", "northernlsx.com", "guide4idiots.com", "artebythesea.com", "sapanyc.com", "livinoutthedreamsco.com", "thepowersinyou.com", "protocolmodern.com", "holdergear.com", "betteringthehumanexperience.xyz", "agnostec.com", "royermaldonado.com", "wealthtruckingco.com", "artcode-software.com", "microsoftpods.com", "identityofplace.com", "algoritas.com", "grandpaurbanfarm.net", "zahidibr.com", "flawlessdrinking.com", "amymako.com", "tinymodeldiana.com", "restoremyorigin.com", "gyrostoyou.com", "boiler-portal.com", "aprilmarieclaire.com", "midollan.com", "finestfaux.com", "lownak.com", "okque.com", "woodandresin.club", "benficalovers.com", "fangyu5827.com", "tententacleshydro.com", "oouuweee.com", "sgsnit.com", "fairisnotfair.com", "shpwmy.com", "238olive.com", "4515a.com", "frontrangetechnologies.com", "v-travelclub.com", "supportserverhotline23.info", "snowandmotion.com", "colinboycemp.net", "yowoit.com", "neopivot.com", "singlebarrel.net", "esdras-almeida.com", "contecoliving.com", "doctorsdietgulfport.com", "issue72-paypal.com", "pubgfrut.com", "constipationhub.com", "themodernspiritualgoddess.com", "qzhongkong.com", "bizcert360.com", "nashvillegems.com", "barryteeling.com", "wzocflfor.com", "mirrorsmarbella.com", "nyariorganics.com", "packtmall.com", "100973671.review"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 entries in total; the remainder are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.1.Y4U48592345670954.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
2.1.Y4U48592345670954.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.1.Y4U48592345670954.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
2.2.Y4U48592345670954.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
2.2.Y4U48592345670954.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries in total; the remainder are not shown here)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w; Avira URL Cloud: Label: malware
Source: http://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D; Avira URL Cloud: Label: malware
Source: http://www.tententacleshydro.com/klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up; Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.middlehambooks.com/klf/"], "decoy": ["podcastyourvote.com", "northernlsx.com", "guide4idiots.com", "artebythesea.com", "sapanyc.com", "livinoutthedreamsco.com", "thepowersinyou.com", "protocolmodern.com", "holdergear.com", "betteringthehumanexperience.xyz", "agnostec.com", "royermaldonado.com", "wealthtruckingco.com", "artcode-software.com", "microsoftpods.com", "identityofplace.com", "algoritas.com", "grandpaurbanfarm.net", "zahidibr.com", "flawlessdrinking.com", "amymako.com", "tinymodeldiana.com", "restoremyorigin.com", "gyrostoyou.com", "boiler-portal.com", "aprilmarieclaire.com", "midollan.com", "finestfaux.com", "lownak.com", "okque.com", "woodandresin.club", "benficalovers.com", "fangyu5827.com", "tententacleshydro.com", "oouuweee.com", "sgsnit.com", "fairisnotfair.com", "shpwmy.com", "238olive.com", "4515a.com", "frontrangetechnologies.com", "v-travelclub.com", "supportserverhotline23.info", "snowandmotion.com", "colinboycemp.net", "yowoit.com", "neopivot.com", "singlebarrel.net", "esdras-almeida.com", "contecoliving.com", "doctorsdietgulfport.com", "issue72-paypal.com", "pubgfrut.com", "constipationhub.com", "themodernspiritualgoddess.com", "qzhongkong.com", "bizcert360.com", "nashvillegems.com", "barryteeling.com", "wzocflfor.com", "mirrorsmarbella.com", "nyariorganics.com", "packtmall.com", "100973671.review"]}
Multi AV Scanner detection for submitted file
Source: Y4U48592345670954.exe; Virustotal: Detection: 17%
Source: Y4U48592345670954.exe; ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match; File source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE
Source: 2.1.Y4U48592345670954.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.NETSTAT.EXE.32fe660.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.Y4U48592345670954.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.NETSTAT.EXE.3d6f834.5.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: Y4U48592345670954.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: netstat.pdbGCTL source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.668380838.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp
Source: Binary string: C:\xampp\htdocs\Cryptor\def056c534cc4ea39c4345526c5ff6fa\Loader\Loader\Release\p2wf97kzy.pdb source: Y4U48592345670954.exe, 00000000.00000002.659788120.0000000000788000.00000004.00020000.sdmp, yow0w7y8ovyw.dll.0.dr
Source: Binary string: wntdll.pdbUGP source: Y4U48592345670954.exe, 00000000.00000003.652459500.000000001EF70000.00000004.00000001.sdmp, Y4U48592345670954.exe, 00000002.00000002.689550397.0000000000C6F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000004.00000002.914936849.0000000003840000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Y4U48592345670954.exe, NETSTAT.EXE
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.668380838.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Y4U48592345670954.exe; Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
Source: C:\Users\user\Desktop\Y4U48592345670954.exe; Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
Source: C:\Users\user\Desktop\Y4U48592345670954.exe; Code function: 0_2_004026BC FindFirstFileA,0_2_004026BC
Source: C:\Users\user\Desktop\Y4U48592345670954.exe; Code function: 4x nop then pop ebx 2_2_00407B02
Source: C:\Users\user\Desktop\Y4U48592345670954.exe; Code function: 4x nop then pop ebx 2_1_00407B02
Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 4x nop then pop ebx 4_2_00D57B02

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.middlehambooks.com/klf/
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic; HTTP traffic detected: GET /klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w+Z4jIpZbISXEVO0nnlcpcZqOXsEZ5ezvcOQFXu1NON7E3/DXgqh3GDvoQCt7q85D HTTP/1.1; Host: www.contecoliving.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /klf/?-ZVxY8H=7bFgTrM7BIAhZVbcluuTkCF4DvVfpU2z3yBqmRvieMtJ1CCKShP62AIfkuNBDgKt+AQL&KX6xM=0rjPofqhSZfXf0Up HTTP/1.1; Host: www.identityofplace.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=YaIPTfple60n7g7yPaoibbVQRqDMQPAJpva4MWGp8vGpJzNikHS3aMUGlaJr1Ei+7AZ8 HTTP/1.1; Host: www.constipationhub.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /klf/?-ZVxY8H=Vu9q6EMrxGDqg7ZmTlOQb6qpgFgK5wW/L8aO6You1Lc6UR7BvVtveZZ7OpvOdghAil0A&KX6xM=0rjPofqhSZfXf0Up HTTP/1.1; Host: www.tententacleshydro.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; ASN Name: DREAMHOST-ASUS DREAMHOST-ASUS
Source: unknown; DNS traffic detected: queries for: www.contecoliving.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000002.915663862.0000000002B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.675423489.000000000B976000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000004.00000002.915537693.000000000425F000.00000004.00000001.sdmp; String found in binary or memory: https://www.contecoliving.com/klf/?KX6xM=0rjPofqhSZfXf0Up&-ZVxY8H=uZ2w
Source: C:\Users\user\Desktop\Y4U48592345670954.exe; Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419E90 NtClose
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419D5A NtCreateFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419DB4 NtReadFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00419E0A NtReadFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9820 NtEnumerateKey
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBB040 NtSuspendThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9950 NtQueueApcThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9A10 NtQuerySection
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9B00 NtSetValueKey
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBAD30 NtSetContextThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9560 NtWriteFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB96D0 NtCreateKey
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9650 NtQueryValueKey
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9770 NtSetInformationFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BBA770 NtOpenThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BB9760 NtOpenProcess
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419E10 NtReadFile
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419E90 NtClose
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00419F40 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A10 NtQuerySection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9A20 NtResumeThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AB040 NtSuspendThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9760 NtOpenProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AA770 NtOpenThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038AAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038A9560 NtWriteFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69D60 NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69E90 NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69E10 NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69F40 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69DB4 NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69D5A NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D69E0A NtReadFile
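The Nt* lists above are what the summary's "Sample uses process hollowing technique", "Maps a DLL or memory area into another process" and "Queues an APC in another process" signatures rest on: the loader process (2) and the hollowed NETSTAT.EXE (4) expose the same set of direct native-API stubs, and in both processes the stubs sit in two separate address ranges (0x00BBxxxx and 0x0041xxxx in the loader, 0x038Axxxx and 0x00D6xxxx in NETSTAT.EXE). The Python below is an added example, not part of this report and not Joe Sandbox tooling: it parses lines of the shape the report uses (`<process>_<dump>_<address> <api>[,<api>]`), reduces each image to a verdict on which hollowing primitives are present, and lists the 64 KiB regions that host the stubs so the analyst knows which ranges to dump. The sample lines are copied from this report but the selection is ours, and the set of calls treated as "hollowing primitives" is a conventional choice, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample input: "Code function" lines in the shape the report uses.
# The values are taken from the report above; the selection is ours.
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\Y4U48592345670954.exe Code function: 2_2_00BB99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Y4U48592345670954.exe Code function: 2_2_00BB97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe Code function: 2_2_00BB9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe Code function: 2_2_00BB98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Y4U48592345670954.exe Code function: 2_2_00BBAD30 NtSetContextThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe Code function: 2_2_00BB9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\Y4U48592345670954.exe Code function: 2_2_00BB9950 NtQueueApcThread
Source: C:\Users\user\Desktop\Y4U48592345670954.exe Code function: 2_2_00419D60 NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_038A9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_038A99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_038A97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_038A9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_038A98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_038AAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_038A9A20 NtResumeThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_038A9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4_2_00D69D60 NtCreateFile
"""

# <image> <process>_<dump>_<address> <api>[,<api>...], as the report prints them.
LINE_RE = re.compile(
    r"^Source: (?P<image>\S+) Code function: "
    r"(?P<proc>\d+)_(?P<dump>\d+)_(?P<addr>[0-9A-Fa-f]{8}) (?P<apis>\S+)$"
)

# Conventional hollowing sequence (our choice of primitives, in the order they
# are normally used): spawn suspended, unmap the host image, map/write the
# payload, redirect the main thread, resume it.
HOLLOWING_PRIMITIVES = (
    "NtCreateProcessEx",
    "NtUnmapViewOfSection",
    "NtMapViewOfSection",
    "NtWriteVirtualMemory",
    "NtSetContextThread",
    "NtResumeThread",
)
APC_PRIMITIVE = "NtQueueApcThread"


def parse_code_functions(text):
    """Return {image_path: {api_name: set(addresses)}} for every matching line."""
    calls = defaultdict(lambda: defaultdict(set))
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        addr = int(m.group("addr"), 16)
        for api in m.group("apis").split(","):
            calls[m.group("image")][api].add(addr)
    return calls


def injection_primitives(api_map):
    """Hollowing primitives present in one image, in canonical order."""
    return [api for api in HOLLOWING_PRIMITIVES if api in api_map]


def code_regions(api_map):
    """Distinct 64 KiB regions hosting the stubs. In a system binary such as
    netstat.exe, every region outside its own image is a range worth dumping."""
    return sorted({addr >> 16 for addrs in api_map.values() for addr in addrs})


def triage(text):
    """One verdict per image: which primitives were found and where the code lives."""
    result = {}
    for image, api_map in parse_code_functions(text).items():
        prims = injection_primitives(api_map)
        result[image] = {
            "hollowing": len(prims) == len(HOLLOWING_PRIMITIVES),
            "apc_injection": APC_PRIMITIVE in api_map,
            "regions": [f"0x{r:04X}xxxx" for r in code_regions(api_map)],
        }
    return result


if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_REPORT).items():
        print(image, verdict)
```

The region split is the lead to follow: the 0x00D6xxxx stubs in NETSTAT.EXE sit at the same page offsets as the 0x0041xxxx stubs in the loader (for instance NtCreateFile at 0x00D69D60 and 0x00419D60), and the OriginalFilename strings further down show both a netstat.exe and an ntdll.dll image inside process 2's own memory, which is the loader-side counterpart of the same activity.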
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 0_2_004046A7
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0040102E
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00401030
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00402D8D
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00409E40
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041D669
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00409E3B
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041D743
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_0041CFA3
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA20A0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8B090
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C428EC
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C420A8
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C31002
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C4E824
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B94120
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B7F900
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C422AE
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BAEBB0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3DBD2
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C303DA
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C42B28
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3D466
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8841F
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C425DD
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00BA2581
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B8D5E0
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C41D55
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B70D20
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C42D07
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C42EF7
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00B96E30
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C3D616
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C4DFCE
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_2_00C41FF1
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_0040102E
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: 2_1_00401030
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0389EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392DBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03932B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_039322AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0386F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03884120
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_038920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_039320A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_039328EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03921002
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0393E824
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03931FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03932EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392D616
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03886E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03892581
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_039325DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03932D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03860D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_03931D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0387841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_0392D466
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D52D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D52D8D
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D59E40
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D59E3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D52FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6CFA3
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4_2_00D6D743
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 0386B150 appears 35 times
Source: C:\Users\user\Desktop\Y4U48592345670954.exe | Code function: String function: 00B7B150 appears 35 times
Source: Y4U48592345670954.exe, 00000000.00000003.653543330.000000001F0BF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Y4U48592345670954.exe
Source: Y4U48592345670954.exe, 00000002.00000002.689406887.0000000000B10000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs Y4U48592345670954.exe
Source: Y4U48592345670954.exe, 00000002.00000002.689550397.0000000000C6F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Y4U48592345670954.exe
Source: Y4U48592345670954.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
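RELOCS_STRIPPED in that flag line is the one worth a second look: an image without base relocations can only be mapped at its ImageBase, so ASLR cannot move it and a memory rule for it can key on a fixed base. The Python below is an added example, not part of the report: it builds a constructed header-only PE32 (a test fixture, not the analysed sample), decodes IMAGE_FILE_HEADER.Characteristics with the winnt.h bit values, and reads ImageBase and DllCharacteristics to state what the flags mean for the load address. Only the standard library is used; the field offsets are those of the PE format.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits, values from winnt.h.
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # IMAGE_OPTIONAL_HEADER.DllCharacteristics


def build_stub_pe(characteristics, image_base=0x400000, dll_characteristics=0):
    """Constructed header-only PE32 (DOS header, PE signature, file header,
    optional header) used as input for the demonstration; not the sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # e_lfanew at 0x3C
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase (PE32 offset 28)
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    return dos + b"PE\0\0" + file_header + bytes(opt)


def decode_characteristics(flags):
    """Names of the set Characteristics bits, in bit order."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if flags & bit]


def parse_pe_header(data):
    """Read the header fields that decide where the image can be mapped."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, _, _, _, _, _, flags = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                         # sizeof(IMAGE_FILE_HEADER)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                    # PE32: 4-byte ImageBase at 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+: 8-byte ImageBase at 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_flags = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    return {
        "machine": machine,
        "characteristics": decode_characteristics(flags),
        "image_base": image_base,
        "has_relocations": not flags & IMAGE_FILE_RELOCS_STRIPPED,
        "aslr_opt_in": bool(dll_flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def load_address_verdict(info):
    """What the flags mean for where the image ends up in memory."""
    if not info["has_relocations"]:
        return f"fixed: no .reloc data, always mapped at {info['image_base']:#x}"
    if info["aslr_opt_in"]:
        return "randomised: relocatable and opted in to ASLR"
    return f"preferred {info['image_base']:#x}: relocatable, but only on base collision"


if __name__ == "__main__":
    # The five flags the report lists for the sample, applied to the stub header.
    sample_flags = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100
    info = parse_pe_header(build_stub_pe(sample_flags))
    print(info["characteristics"])
    print(load_address_verdict(info))
```

On a real file, replace `build_stub_pe(...)` with the first few hundred bytes of the executable; nothing past the optional header is read.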
Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.914195239.0000000000D50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.689308659.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.914660344.0000000003210000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.654536126.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.689148135.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.660097535.0000000002850000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.914609737.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.689282253.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Y4U48592345670954.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Y4U48592345670954.exe.2850000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.Y4U48592345670954.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Y4U48592345670954.exe.2850000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook