Analysis Report Quotation-4834898943949883.pdf.exe

Overview

General Information

Sample Name:	Quotation-4834898943949883.pdf.exe
Analysis ID:	383932
MD5:	ba34da45fb03afddde208fd6458ac143
SHA1:	e132408554f22f314f3e4e151d931de1d3e623e1
SHA256:	f7b3ef9d4ac8560bf644a3f3039a32f568563d3299273073abe31fa19ed6470e
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: www.liveonlinehdplay24.com/kzsw/

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.liveonlinehdplay24.com/kzsw/"], "decoy": ["thelargedoor.com", "newcuus.com", "tgc.xyz", "americanrvwarranties.com", "deroshop.com", "wagyu-importer.com", "frbhomeloan.com", "taniabeautysalonspa.com", "nac-alerton.com", "ordersudsy.com", "villagegardengreeley.com", "locksmithpembrokepines.com", "rafsanjan.net", "jumlasx.xyz", "supermercadoveganmadrid.com", "rubsalmon.com", "glenhelensaturdaymotocross.com", "jichuang888.club", "aajnv.com", "stackablesllc.com", "elevatebuilder.com", "higrandtechnologies.com", "lssqzyg.com", "zjszxs.com", "ssgasiu.com", "brianterrymarketing.com", "nyatiera.com", "elemetasu.com", "larouedesecours.info", "customerye.com", "riotgentler.com", "wwwjeansjewerlys.com", "egyptcon.com", "hona-iq.com", "residsfranchise.com", "flamingogrouprealty.com", "windycitywoodturners.club", "maineguidedfishing.com", "krushirajyafarms.com", "scottsdaledrycleanaz.com", "eisdjsd.asia", "gelgoodplus.com", "numericcarbon.com", "zszq665.com", "researchripples.com", "pravschool.com", "lanshan1688.com", "bashcovid19.com", "enableauth.com", "azbibi.com", "nearyapi.com", "cqshenchi.com", "ipandasz.com", "persero14.com", "lemonadecrystal.com", "sekrema2049.com", "chilternss.com", "bestsgiftstore.com", "vlansi.icu", "namasteyg.com", "msjshelfit.com", "harbee.net", "smiley.team", "sopnosoft.com"]}

Multi AV Scanner detection for submitted file

Source: Quotation-4834898943949883.pdf.exe

ReversingLabs: Detection: 29%

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: Quotation-4834898943949883.pdf.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: Quotation-4834898943949883.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Quotation-4834898943949883.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.670713735.0000000001710000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Quotation-4834898943949883.pdf.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04C81B98
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04C81BA8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_073CFB08
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then pop esi	4_2_004172DB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then pop ebx	4_2_00407B04
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4x nop then pop edi	4_2_00417D8E

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.liveonlinehdplay24.com/kzsw/

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670815248.0000000002C01000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000000.00000002.670934417.0000000002C9E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670934417.0000000002C9E000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: Quotation-4834898943949883.pdf.exe	String found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
Source: Quotation-4834898943949883.pdf.exe	String found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675185343.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTF
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675185343.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comm
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675185343.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comt
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.655212335.0000000005CCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnate0
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.655212335.0000000005CCE000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnrig
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.659748125.0000000005CCA000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp, Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/=
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/A
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.656963455.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657704554.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657704554.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/n
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/g
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657411914.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657704554.0000000005CCA000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/A
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/B
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.656963455.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000003.657531967.0000000005CCC000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.675247066.0000000005DB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670586004.00000000010CB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Quotation-4834898943949883.pdf.exe
Source: initial sample	Static PE information: Filename: Quotation-4834898943949883.pdf.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6688 NtQueryInformationProcess,	0_2_073C6688
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6680 NtQueryInformationProcess,	0_2_073C6680
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A060 NtClose,	4_2_0041A060
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A110 NtAllocateVirtualMemory,	4_2_0041A110
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419F30 NtCreateFile,	4_2_00419F30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419FE0 NtReadFile,	4_2_00419FE0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A05A NtClose,	4_2_0041A05A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041A10D NtAllocateVirtualMemory,	4_2_0041A10D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00419FDB NtCreateFile,NtReadFile,	4_2_00419FDB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779860 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01779860
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779660 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_01779660
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017796E0 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_017796E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779950 NtQueueApcThread,	4_2_01779950
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779910 NtAdjustPrivilegesToken,	4_2_01779910
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017799D0 NtCreateProcessEx,	4_2_017799D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017799A0 NtCreateSection,	4_2_017799A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0177B040 NtSuspendThread,	4_2_0177B040
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779840 NtDelayExecution,	4_2_01779840
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779820 NtEnumerateKey,	4_2_01779820
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017798F0 NtReadVirtualMemory,	4_2_017798F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017798A0 NtWriteVirtualMemory,	4_2_017798A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779B00 NtSetValueKey,	4_2_01779B00
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0177A3B0 NtGetContextThread,	4_2_0177A3B0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779A50 NtCreateFile,	4_2_01779A50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779A20 NtResumeThread,	4_2_01779A20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779A10 NtQuerySection,	4_2_01779A10
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779A00 NtProtectVirtualMemory,	4_2_01779A00
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779A80 NtOpenDirectoryObject,	4_2_01779A80
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779560 NtWriteFile,	4_2_01779560
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779540 NtReadFile,	4_2_01779540
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0177AD30 NtSetContextThread,	4_2_0177AD30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779520 NtWaitForSingleObject,	4_2_01779520
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017795F0 NtQueryInformationFile,	4_2_017795F0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017795D0 NtClose,	4_2_017795D0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0177A770 NtOpenThread,	4_2_0177A770
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779770 NtSetInformationFile,	4_2_01779770
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779760 NtOpenProcess,	4_2_01779760
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779730 NtQueryVirtualMemory,	4_2_01779730
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779710 NtQueryInformationToken,	4_2_01779710
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0177A710 NtOpenProcessToken,	4_2_0177A710
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779FE0 NtCreateMutant,	4_2_01779FE0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017797A0 NtUnmapViewOfSection,	4_2_017797A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779780 NtMapViewOfSection,	4_2_01779780
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779670 NtQueryInformationProcess,	4_2_01779670
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779650 NtQueryValueKey,	4_2_01779650
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01779610 NtEnumerateValueKey,	4_2_01779610

Detected potential crypto function

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_04C80448	0_2_04C80448
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_04C81770	0_2_04C81770
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C5300	0_2_073C5300
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6FC0	0_2_073C6FC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1ED8	0_2_073C1ED8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6FB6	0_2_073C6FB6
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C2A08	0_2_073C2A08
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1A70	0_2_073C1A70
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C06B9	0_2_073C06B9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1A80	0_2_073C1A80
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C52EF	0_2_073C52EF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C06C8	0_2_073C06C8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1ECA	0_2_073C1ECA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C8518	0_2_073C8518
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C8508	0_2_073C8508
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C2978	0_2_073C2978
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C29BF	0_2_073C29BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C11A0	0_2_073C11A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C5598	0_2_073C5598
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1190	0_2_073C1190
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C5588	0_2_073C5588
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C89F8	0_2_073C89F8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C89E8	0_2_073C89E8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6820	0_2_073C6820
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1810	0_2_073C1810
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C6812	0_2_073C6812
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1800	0_2_073C1800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C5C78	0_2_073C5C78
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1CB1	0_2_073C1CB1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C5C88	0_2_073C5C88
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C8CE8	0_2_073C8CE8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C8CD8	0_2_073C8CD8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C1CC0	0_2_073C1CC0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00401028	4_2_00401028
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D91B	4_2_0041D91B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041E1A8	4_2_0041E1A8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D21B	4_2_0041D21B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041ECBA	4_2_0041ECBA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00409E40	4_2_00409E40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00409E3B	4_2_00409E3B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041E7BA	4_2_0041E7BA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01754120	4_2_01754120
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0173F900	4_2_0173F900
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017599BF	4_2_017599BF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01752990	4_2_01752990
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018020A8	4_2_018020A8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A830	4_2_0175A830
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018028EC	4_2_018028EC
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01736800	4_2_01736800
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F1002	4_2_017F1002
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0180E824	4_2_0180E824
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017620A0	4_2_017620A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174B090	4_2_0174B090
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01753360	4_2_01753360
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017DCB4F	4_2_017DCB4F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175AB40	4_2_0175AB40
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F231B	4_2_017F231B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175A309	4_2_0175A309
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01788BE8	4_2_01788BE8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017E23E3	4_2_017E23E3
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F03DA	4_2_017F03DA
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01802B28	4_2_01802B28
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FDBD2	4_2_017FDBD2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176ABD8	4_2_0176ABD8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176EBB0	4_2_0176EBB0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175EB9A	4_2_0175EB9A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017DEB8A	4_2_017DEB8A
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0176138B	4_2_0176138B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018032A9	4_2_018032A9
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018022AE	4_2_018022AE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B236	4_2_0175B236
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017EFA2B	4_2_017EFA2B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4AEF	4_2_017F4AEF
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FE2C5	4_2_017FE2C5
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01752D50	4_2_01752D50
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01730D20	4_2_01730D20
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_018025DD	4_2_018025DD
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01802D07	4_2_01802D07
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174D5E0	4_2_0174D5E0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01801D55	4_2_01801D55
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017665A0	4_2_017665A0
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01762581	4_2_01762581
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F2D82	4_2_017F2D82
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0175B477	4_2_0175B477
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FD466	4_2_017FD466
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01752430	4_2_01752430
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0174841F	4_2_0174841F
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F4496	4_2_017F4496
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0180DFCE	4_2_0180DFCE
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01801FF1	4_2_01801FF1
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017F67E2	4_2_017F67E2
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017BAE60	4_2_017BAE60
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01756E30	4_2_01756E30
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_017FD616	4_2_017FD616
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01755600	4_2_01755600
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_01802EF7	4_2_01802EF7

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 0173B150 appears 154 times
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 0178D08C appears 40 times
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: String function: 017C5720 appears 78 times

PE file contains strange resources

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.676889901.0000000008C00000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.676251652.0000000007330000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.676714401.0000000008AE0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670058848.00000000009A8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamec.exe4 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670586004.00000000010CB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.671469145.00000000019BF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe, 00000004.00000002.670473061.0000000000D28000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamec.exe4 vs Quotation-4834898943949883.pdf.exe
Source: Quotation-4834898943949883.pdf.exe	Binary or memory string: OriginalFilenamec.exe4 vs Quotation-4834898943949883.pdf.exe

Uses 32bit PE files

Source: Quotation-4834898943949883.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.672325771.0000000003CCC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.670284785.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quotation-4834898943949883.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: Quotation-4834898943949883.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation-4834898943949883.pdf.exe.log

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: unknown	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe 'C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe'
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process created: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 0_2_073C7408 pushad ; iretd	0_2_073C7409
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041702F push ds; ret	4_2_004170F8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D0D2 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D0DB push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_004170F9 push ds; ret	4_2_004170F8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D085 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041D13C push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040F1E9 push ecx; iretd	4_2_0040F1EB
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00417988 push ebp; iretd	4_2_00417989
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040E40C push eax; ret	4_2_0040E420
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0040E421 push ebx; iretd	4_2_0040E42B
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00416567 push 0C21EF33h; retf	4_2_0041656D
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041E571 push eax; ret	4_2_0041E573
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0041663D push es; retf	4_2_0041664C
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_00416FD9 push ds; ret	4_2_004170F8
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Code function: 4_2_0178D0D1 push ecx; ret	4_2_0178D0E4

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation-4834898943949883.pdf.exe PID: 7052, type: MEMORY

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe TID: 7056	Thread sleep time: -103486s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe TID: 7072	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Thread delayed: delay time: 103486			Jump to behavior
Source: C:\Users\user\Desktop\Quotation-4834898943949883.pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: Quotation-4834898943949883.pdf.exe, 00000000.00000002.670882860.0000000002C57000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

ID:	383932
Product:	CloudBasic
Start time:	12:41:32
Start date:	08.04.2021
Sample:	Quotation-4834898943949883.pdf.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ba34da45fb03afddde208fd6458ac143
SHA1:	e132408554f22f314f3e4e151d931de1d3e623e1
SHA256:	f7b3ef9d4ac8560bf644a3f3039a32f568563d3299273073abe31fa19ed6470e
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Analysis Report Quotation-4834898943949883.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted URLs