Play interactive tour

Edit tour

Analysis Report nova narud#U017eba pdf rvP6N.exe

Overview

General Information

Sample Name:	nova narud#U017eba pdf rvP6N.exe
Analysis ID:	383924
MD5:	35076f942b11f79d1156069e55ab132d
SHA1:	edad117505f1a87b7512a6c85cac30d691d2ff0a
SHA256:	56e676fae09b69a9eae221e0590776815f7fa38e7cc90822cd3060ea289d7547
Tags:	exeFormbookgeoHRV
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

nova narud#U017eba pdf rvP6N.exe (PID: 4844 cmdline: 'C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe' MD5: 35076F942B11F79D1156069E55AB132D)

schtasks.exe (PID: 6252 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6300 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

netsh.exe (PID: 7088 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)

cmd.exe (PID: 1516 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.lovetarot.online/sqxs/"], "decoy": ["creid-network.com", "dinningatcastlehill.com", "fundadilla.com", "fashionmdeasy.com", "magentos6.com", "pushpartybdp.com", "streamingnetwork.xyz", "sevenredwalls.com", "hsuehsun.space", "leanbirthdaycake.com", "rocketmortgagedeceit.com", "cashflowdb.com", "smilebringerdesign.com", "naomicoleclinic.com", "wingsforklift.com", "newsounding.com", "48hrbusinessrescue.pro", "101osthoff456.com", "attleticgreens.com", "xx233.xyz", "niziuantena.com", "photosbyamandajdaniels.com", "udharworld.com", "astrolmass.com", "wzht88.com", "victoriasessionsheroes.com", "thefuture101.com", "sihe08.com", "webingnar.com", "influentialgood.com", "jobdoctorplacements.com", "bankrotstvostavropol.pro", "gracefulfari.com", "bluevistainvestments.com", "poopertroopersct.com", "link-glue.com", "barbequeterie.com", "ajbkscw.com", "janek-sales-training.net", "salesjump.xyz", "whatthefountain.com", "centre-pour-formation.com", "aiocoin.net", "thefreemaskstore.com", "localwow.net", "steven-ross.com", "perennialhh.com", "luxebeautylash.com", "aswahorganic.com", "businesshouse5asidejm.com", "zowjain.com", "mediatraining-toronto.com", "ashtangaway.com", "solutiirecentedemarketing.club", "zgzuqw.com", "timerma.com", "aguaalcalinamexico.com", "tacostio1.com", "karitaz.com", "bismillahbodyoil.com", "c2p.life", "kacgt.com", "fastcincincinnatioffer.com", "michaels.house"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xff908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xffb82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12c128:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12c3a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x10b6b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x137ed5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x10b1a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1379c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x10b7b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x137fd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x10b92f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13814f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10059a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x12cdba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x10a41c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x136c3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x101293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x12dab3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x111527:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x13dd47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x11252a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x10e449:$sqlite3step: 68 34 1C 7B E1 0x10e55c:$sqlite3step: 68 34 1C 7B E1 0x13ac69:$sqlite3step: 68 34 1C 7B E1 0x13ad7c:$sqlite3step: 68 34 1C 7B E1 0x10e478:$sqlite3text: 68 38 2A 90 C5 0x10e59d:$sqlite3text: 68 38 2A 90 C5 0x13ac98:$sqlite3text: 68 38 2A 90 C5 0x13adbd:$sqlite3text: 68 38 2A 90 C5 0x10e48b:$sqlite3blob: 68 53 D8 7F 8C 0x10e5b3:$sqlite3blob: 68 53 D8 7F 8C 0x13acab:$sqlite3blob: 68 53 D8 7F 8C 0x13add3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: nova narud#U017eba pdf rvP6N.exe PID: 4844	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a707:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b70a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17629:$sqlite3step: 68 34 1C 7B E1 0x1773c:$sqlite3step: 68 34 1C 7B E1 0x17658:$sqlite3text: 68 38 2A 90 C5 0x1777d:$sqlite3text: 68 38 2A 90 C5 0x1766b:$sqlite3blob: 68 53 D8 7F 8C 0x17793:$sqlite3blob: 68 53 D8 7F 8C
3.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1590f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18429:$sqlite3step: 68 34 1C 7B E1 0x1853c:$sqlite3step: 68 34 1C 7B E1 0x18458:$sqlite3text: 68 38 2A 90 C5 0x1857d:$sqlite3text: 68 38 2A 90 C5 0x1846b:$sqlite3blob: 68 53 D8 7F 8C 0x18593:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe' , ParentImage: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe, ParentProcessId: 4844, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kPDOHsyqKitj' /XML 'C:\Users\user\AppData\Local\Temp\tmp59AC.tmp', ProcessId: 6252

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: www.lovetarot.online/sqxs/

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.lovetarot.online/sqxs/"], "decoy": ["creid-network.com", "dinningatcastlehill.com", "fundadilla.com", "fashionmdeasy.com", "magentos6.com", "pushpartybdp.com", "streamingnetwork.xyz", "sevenredwalls.com", "hsuehsun.space", "leanbirthdaycake.com", "rocketmortgagedeceit.com", "cashflowdb.com", "smilebringerdesign.com", "naomicoleclinic.com", "wingsforklift.com", "newsounding.com", "48hrbusinessrescue.pro", "101osthoff456.com", "attleticgreens.com", "xx233.xyz", "niziuantena.com", "photosbyamandajdaniels.com", "udharworld.com", "astrolmass.com", "wzht88.com", "victoriasessionsheroes.com", "thefuture101.com", "sihe08.com", "webingnar.com", "influentialgood.com", "jobdoctorplacements.com", "bankrotstvostavropol.pro", "gracefulfari.com", "bluevistainvestments.com", "poopertroopersct.com", "link-glue.com", "barbequeterie.com", "ajbkscw.com", "janek-sales-training.net", "salesjump.xyz", "whatthefountain.com", "centre-pour-formation.com", "aiocoin.net", "thefreemaskstore.com", "localwow.net", "steven-ross.com", "perennialhh.com", "luxebeautylash.com", "aswahorganic.com", "businesshouse5asidejm.com", "zowjain.com", "mediatraining-toronto.com", "ashtangaway.com", "solutiirecentedemarketing.club", "zgzuqw.com", "timerma.com", "aguaalcalinamexico.com", "tacostio1.com", "karitaz.com", "bismillahbodyoil.com", "c2p.life", "kacgt.com", "fastcincincinnatioffer.com", "michaels.house"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kPDOHsyqKitj.exe

ReversingLabs: Detection: 14%

Multi AV Scanner detection for submitted file

Show sources

Source: nova narud#U017eba pdf rvP6N.exe	Virustotal: Detection: 22%			Perma Link
Source: nova narud#U017eba pdf rvP6N.exe	ReversingLabs: Detection: 14%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\kPDOHsyqKitj.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: nova narud#U017eba pdf rvP6N.exe

Joe Sandbox ML: detected

Source: 3.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: nova narud#U017eba pdf rvP6N.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: nova narud#U017eba pdf rvP6N.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: netsh.pdb source: RegSvcs.exe, 00000003.00000002.292530659.0000000000D81000.00000004.00000020.sdmp
Source:	Binary string: RegSvcs.pdb, source: netsh.exe, 0000000F.00000002.503721845.0000000003ABF000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.292653801.00000000011A0000.00000040.00000001.sdmp, netsh.exe, 0000000F.00000002.501734799.0000000003590000.00000040.00000001.sdmp
Source:	Binary string: netsh.pdbGCTL source: RegSvcs.exe, 00000003.00000002.292530659.0000000000D81000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, netsh.exe
Source:	Binary string: RegSvcs.pdb source: netsh.exe, 0000000F.00000002.503721845.0000000003ABF000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02A5A3A8
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02A5A398
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02A5A45C
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02A5B8BB
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_02A5B8C8

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.lovetarot.online/sqxs/

Source: global traffic	HTTP traffic detected: GET /sqxs/?9r=MRpl8UDFdJqnpJCoHCjX+0bMpbzGGukG+UMXxre6C1KfRpZnCXnM0uJ6ixOsqKWJKMs9S6HgiQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1Host: www.magentos6.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqxs/?9r=vISvmTlEiopKSz7sbFBAxkFCF8r7k2dJAG7u5uLq0h9VZPMRNv+QYXnwEIKYsgNdKjl1RWh6mQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1Host: www.businesshouse5asidejm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK

Source: global traffic	HTTP traffic detected: GET /sqxs/?9r=MRpl8UDFdJqnpJCoHCjX+0bMpbzGGukG+UMXxre6C1KfRpZnCXnM0uJ6ixOsqKWJKMs9S6HgiQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1Host: www.magentos6.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sqxs/?9r=vISvmTlEiopKSz7sbFBAxkFCF8r7k2dJAG7u5uLq0h9VZPMRNv+QYXnwEIKYsgNdKjl1RWh6mQ==&sZRd=1bYDYvm0JHdHoLj HTTP/1.1Host: www.businesshouse5asidejm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.magentos6.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Apr 2021 10:34:41 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 328Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 71 78 73 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sqxs/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247095559.0000000002C11000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.269916835.0000000006870000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comadi
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comefa
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.234005594.0000000005C54000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comva
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com=
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comE.TTF
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFt
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235975130.0000000005C4A000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comrsivr
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.233746796.0000000005C51000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/tm
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp, nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235359346.0000000005C4A000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Ian
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/S
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.234872250.0000000005C46000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Sue
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0bd
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235359346.0000000005C4A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0y
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/j
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235198791.0000000005C4A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/S
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/roso
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.235105401.0000000005C49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s_tr
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000003.234872250.0000000005C46000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vv
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.252607725.0000000006E52000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.275434330.000000000BE70000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: nova narud#U017eba pdf rvP6N.exe	String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: nova narud#U017eba pdf rvP6N.exe	String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: nova narud#U017eba pdf rvP6N.exe	String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: nova narud#U017eba pdf rvP6N.exe, 00000000.00000002.247192769.0000000002C60000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.292611883.0000000001160000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.499334545.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.292487107.0000000000D20000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.500645379.0000000001110000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.500697070.0000000001140000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.247681962.0000000003C1C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.292295280.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A070 NtClose,	3_2_0041A070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A120 NtAllocateVirtualMemory,	3_2_0041A120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00419F40 NtCreateFile,	3_2_00419F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00419FF0 NtReadFile,	3_2_00419FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A09A NtReadFile,	3_2_0041A09A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A11A NtAllocateVirtualMemory,	3_2_0041A11A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00419F3A NtCreateFile,	3_2_00419F3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00419FEB NtReadFile,	3_2_00419FEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_01209910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012099A0 NtCreateSection,LdrInitializeThunk,	3_2_012099A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01209860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209840 NtDelayExecution,LdrInitializeThunk,	3_2_01209840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012098F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_012098F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209A20 NtResumeThread,LdrInitializeThunk,	3_2_01209A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_01209A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209A50 NtCreateFile,LdrInitializeThunk,	3_2_01209A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209540 NtReadFile,LdrInitializeThunk,	3_2_01209540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012095D0 NtClose,LdrInitializeThunk,	3_2_012095D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209710 NtQueryInformationToken,LdrInitializeThunk,	3_2_01209710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012097A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_012097A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209780 NtMapViewOfSection,LdrInitializeThunk,	3_2_01209780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01209660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012096E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_012096E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209950 NtQueueApcThread,	3_2_01209950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012099D0 NtCreateProcessEx,	3_2_012099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209820 NtEnumerateKey,	3_2_01209820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120B040 NtSuspendThread,	3_2_0120B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012098A0 NtWriteVirtualMemory,	3_2_012098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209B00 NtSetValueKey,	3_2_01209B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120A3B0 NtGetContextThread,	3_2_0120A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209A10 NtQuerySection,	3_2_01209A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209A80 NtOpenDirectoryObject,	3_2_01209A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209520 NtWaitForSingleObject,	3_2_01209520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120AD30 NtSetContextThread,	3_2_0120AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209560 NtWriteFile,	3_2_01209560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012095F0 NtQueryInformationFile,	3_2_012095F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209730 NtQueryVirtualMemory,	3_2_01209730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120A710 NtOpenProcessToken,	3_2_0120A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209760 NtOpenProcess,	3_2_01209760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209770 NtSetInformationFile,	3_2_01209770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0120A770 NtOpenThread,	3_2_0120A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209FE0 NtCreateMutant,	3_2_01209FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209610 NtEnumerateValueKey,	3_2_01209610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209670 NtQueryInformationProcess,	3_2_01209670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01209650 NtQueryValueKey,	3_2_01209650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012096D0 NtCreateKey,	3_2_012096D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9710 NtQueryInformationToken,LdrInitializeThunk,	15_2_035F9710
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9FE0 NtCreateMutant,LdrInitializeThunk,	15_2_035F9FE0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9780 NtMapViewOfSection,LdrInitializeThunk,	15_2_035F9780
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9A50 NtCreateFile,LdrInitializeThunk,	15_2_035F9A50
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F96D0 NtCreateKey,LdrInitializeThunk,	15_2_035F96D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F96E0 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_035F96E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9540 NtReadFile,LdrInitializeThunk,	15_2_035F9540
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_035F9910
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F95D0 NtClose,LdrInitializeThunk,	15_2_035F95D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F99A0 NtCreateSection,LdrInitializeThunk,	15_2_035F99A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9840 NtDelayExecution,LdrInitializeThunk,	15_2_035F9840
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9860 NtQuerySystemInformation,LdrInitializeThunk,	15_2_035F9860
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9770 NtSetInformationFile,	15_2_035F9770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035FA770 NtOpenThread,	15_2_035FA770
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9760 NtOpenProcess,	15_2_035F9760
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035FA710 NtOpenProcessToken,	15_2_035FA710
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9B00 NtSetValueKey,	15_2_035F9B00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9730 NtQueryVirtualMemory,	15_2_035F9730
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035FA3B0 NtGetContextThread,	15_2_035FA3B0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F97A0 NtUnmapViewOfSection,	15_2_035F97A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9650 NtQueryValueKey,	15_2_035F9650
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9670 NtQueryInformationProcess,	15_2_035F9670
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9660 NtAllocateVirtualMemory,	15_2_035F9660
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9610 NtEnumerateValueKey,	15_2_035F9610
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9A10 NtQuerySection,	15_2_035F9A10
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9A00 NtProtectVirtualMemory,	15_2_035F9A00
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9A20 NtResumeThread,	15_2_035F9A20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9A80 NtOpenDirectoryObject,	15_2_035F9A80
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9950 NtQueueApcThread,	15_2_035F9950
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9560 NtWriteFile,	15_2_035F9560
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035FAD30 NtSetContextThread,	15_2_035FAD30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9520 NtWaitForSingleObject,	15_2_035F9520
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F99D0 NtCreateProcessEx,	15_2_035F99D0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F95F0 NtQueryInformationFile,	15_2_035F95F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035FB040 NtSuspendThread,	15_2_035FB040
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F9820 NtEnumerateKey,	15_2_035F9820
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F98F0 NtReadVirtualMemory,	15_2_035F98F0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035F98A0 NtWriteVirtualMemory,	15_2_035F98A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B2A070 NtClose,	15_2_00B2A070
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B29FF0 NtReadFile,	15_2_00B29FF0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B29F40 NtCreateFile,	15_2_00B29F40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B2A09A NtReadFile,	15_2_00B2A09A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B29FEB NtReadFile,	15_2_00B29FEB
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B29F3A NtCreateFile,	15_2_00B29F3A

Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_007A2050	0_2_007A2050
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_0110DCF4	0_2_0110DCF4
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_0110C148	0_2_0110C148
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_0110E218	0_2_0110E218
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_0110A748	0_2_0110A748
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A553F0	0_2_02A553F0
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A55728	0_2_02A55728
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A56458	0_2_02A56458
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A57510	0_2_02A57510
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A50940	0_2_02A50940
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A58CB9	0_2_02A58CB9
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A572F3	0_2_02A572F3
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A553E1	0_2_02A553E1
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A57300	0_2_02A57300
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A55721	0_2_02A55721
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A5348B	0_2_02A5348B
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A53498	0_2_02A53498
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A574F1	0_2_02A574F1
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A56456	0_2_02A56456
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A51548	0_2_02A51548
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A51558	0_2_02A51558
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A51A28	0_2_02A51A28
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A51A17	0_2_02A51A17
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A5ABA8	0_2_02A5ABA8
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A508E0	0_2_02A508E0
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A56EE0	0_2_02A56EE0
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A56ED0	0_2_02A56ED0
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A50FF0	0_2_02A50FF0
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A51CA0	0_2_02A51CA0
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_02A51CB0	0_2_02A51CB0
Source: C:\Users\user\Desktop\nova narud#U017eba pdf rvP6N.exe	Code function: 0_2_051343DC	0_2_051343DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041E1F9	3_2_0041E1F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041D183	3_2_0041D183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041D186	3_2_0041D186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041E45A	3_2_0041E45A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041DDD1	3_2_0041DDD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00409E40	3_2_00409E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00409E3C	3_2_00409E3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011CF900	3_2_011CF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011E4120	3_2_011E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0129E824	3_2_0129E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01281002	3_2_01281002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012920A8	3_2_012920A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011DB090	3_2_011DB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F20A0	3_2_011F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012928EC	3_2_012928EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01292B28	3_2_01292B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011FEBB0	3_2_011FEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012803DA	3_2_012803DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0128DBD2	3_2_0128DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012922AE	3_2_012922AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01292D07	3_2_01292D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011C0D20	3_2_011C0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01291D55	3_2_01291D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011F2581	3_2_011F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_012925DD	3_2_012925DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011DD5E0	3_2_011DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011D841F	3_2_011D841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0128D466	3_2_0128D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01291FF1	3_2_01291FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0129DFCE	3_2_0129DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_011E6E30	3_2_011E6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0128D616	3_2_0128D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_01292EF7	3_2_01292EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_03682B28	15_2_03682B28
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_03681FF1	15_2_03681FF1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_0367DBD2	15_2_0367DBD2
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035EEBB0	15_2_035EEBB0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035D6E30	15_2_035D6E30
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_03682EF7	15_2_03682EF7
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_036822AE	15_2_036822AE
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_03681D55	15_2_03681D55
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035BF900	15_2_035BF900
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_03682D07	15_2_03682D07
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035B0D20	15_2_035B0D20
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035D4120	15_2_035D4120
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035CD5E0	15_2_035CD5E0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035E2581	15_2_035E2581
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035C841F	15_2_035C841F
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_03671002	15_2_03671002
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_036820A8	15_2_036820A8
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035CB090	15_2_035CB090
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_035E20A0	15_2_035E20A0
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B2D183	15_2_00B2D183
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B2D186	15_2_00B2D186
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B2E1F9	15_2_00B2E1F9
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B2E45A	15_2_00B2E45A
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B12D90	15_2_00B12D90
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B2DDD1	15_2_00B2DDD1
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B19E3C	15_2_00B19E3C
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B19E40	15_2_00B19E40
Source: C:\Windows\SysWOW64\netsh.exe	Code function: 15_2_00B12FB0	15_2_00B12FB0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report nova narud#U017eba pdf rvP6N.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary: