
Analysis Report PO-RFQ # 097663899.exe

Overview

General Information

Sample Name: PO-RFQ # 097663899.exe
Analysis ID: 383978
MD5: 3a480d8d735efe129dcccea48a054721
SHA1: 444f3d7795694fb3fd462b6cf3f5c2776e4a1196
SHA256: 006dcd5baa67723c1d34336ca9d3eb55eb53cdb58999a8c6a3a64b28c2848220
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO-RFQ # 097663899.exe (PID: 5964 cmdline: 'C:\Users\user\Desktop\PO-RFQ # 097663899.exe' MD5: 3A480D8D735EFE129DCCCEA48A054721)
    • PO-RFQ # 097663899.exe (PID: 6336 cmdline: C:\Users\user\Desktop\PO-RFQ # 097663899.exe MD5: 3A480D8D735EFE129DCCCEA48A054721)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 7088 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 3136 cmdline: /c del 'C:\Users\user\Desktop\PO-RFQ # 097663899.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.aquaroyaume.com/uabu/"], "decoy": ["khedutbajar.com", "vehicleporn.com", "misanthropedia.com", "partum.life", "tenshinstore.com", "51tayi.com", "rgr.one", "lattakia-imbiss.com", "escalerasdemetal.com", "nationalurc.info", "prettygalglam.com", "globalperfumery.com", "ivulam.xyz", "qingniang.club", "quick2ulube.com", "curiget.xyz", "ujeiakosdka.com", "lacapitalcaferestaurant.com", "agarkovsport.online", "okashidonya.com", "xiaoqiche.net", "solothrone.com", "anilfw.com", "goindutch.com", "buildaputt.com", "salesenablementlaunch.com", "olympicmeados.com", "fastbetusa.com", "lunaferro.com", "realtimesoption.online", "testci20200817122241.com", "smitaaifoods.com", "farmacyfastfood.com", "hecmportal.net", "24410restiveway.com", "aaeonlineaccess.com", "bigbuddyco.com", "banismobarbersop.com", "protectionguru.pro", "almosting.com", "perspectiveofgains.com", "notebankers.com", "southsidesportsmen.com", "kopebitest.com", "santiagosupermarket.com", "cheap.kim", "testjaycypes01.com", "toyota-africa-starlet.com", "sunsetplazaapts.com", "favrrdrones.com", "mayipay9.com", "ahaal20.com", "capitalsportscenter.com", "betslotgames.com", "thejewelcartel.com", "gangubai-ramukaka.com", "virtualmed101.com", "sersali.com", "oldschoolnews.net", "sparta-mc.online", "enisis.info", "denversoccertraining.com", "everythingkeema.com", "assistancephotographe.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.494247845.0000000003310000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.494247845.0000000003310000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.494247845.0000000003310000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.294733318.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.294733318.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.PO-RFQ # 097663899.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.PO-RFQ # 097663899.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.PO-RFQ # 097663899.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
4.2.PO-RFQ # 097663899.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.PO-RFQ # 097663899.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.294733318.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.aquaroyaume.com/uabu/"], "decoy": ["khedutbajar.com", "vehicleporn.com", "misanthropedia.com", "partum.life", "tenshinstore.com", "51tayi.com", "rgr.one", "lattakia-imbiss.com", "escalerasdemetal.com", "nationalurc.info", "prettygalglam.com", "globalperfumery.com", "ivulam.xyz", "qingniang.club", "quick2ulube.com", "curiget.xyz", "ujeiakosdka.com", "lacapitalcaferestaurant.com", "agarkovsport.online", "okashidonya.com", "xiaoqiche.net", "solothrone.com", "anilfw.com", "goindutch.com", "buildaputt.com", "salesenablementlaunch.com", "olympicmeados.com", "fastbetusa.com", "lunaferro.com", "realtimesoption.online", "testci20200817122241.com", "smitaaifoods.com", "farmacyfastfood.com", "hecmportal.net", "24410restiveway.com", "aaeonlineaccess.com", "bigbuddyco.com", "banismobarbersop.com", "protectionguru.pro", "almosting.com", "perspectiveofgains.com", "notebankers.com", "southsidesportsmen.com", "kopebitest.com", "santiagosupermarket.com", "cheap.kim", "testjaycypes01.com", "toyota-africa-starlet.com", "sunsetplazaapts.com", "favrrdrones.com", "mayipay9.com", "ahaal20.com", "capitalsportscenter.com", "betslotgames.com", "thejewelcartel.com", "gangubai-ramukaka.com", "virtualmed101.com", "sersali.com", "oldschoolnews.net", "sparta-mc.online", "enisis.info", "denversoccertraining.com", "everythingkeema.com", "assistancephotographe.com"]}
Multi AV Scanner detection for submitted file
Source: PO-RFQ # 097663899.exe | Virustotal: Detection: 30%
Source: PO-RFQ # 097663899.exe | ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.494247845.0000000003310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.294733318.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.295102814.0000000000BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.253183180.0000000004122000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.295070647.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.493447230.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.495271983.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.PO-RFQ # 097663899.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.PO-RFQ # 097663899.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PO-RFQ # 097663899.exe | Joe Sandbox ML: detected
Source: 4.2.PO-RFQ # 097663899.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: PO-RFQ # 097663899.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO-RFQ # 097663899.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb | source: PO-RFQ # 097663899.exe, 00000004.00000002.295144212.0000000000BE8000.00000004.00000020.sdmp
Source: Binary string: systray.pdbGCTL | source: PO-RFQ # 097663899.exe, 00000004.00000002.295144212.0000000000BE8000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: PO-RFQ # 097663899.exe, 00000004.00000002.295185036.0000000000E80000.00000040.00000001.sdmp, systray.exe, 0000000E.00000002.495692173.0000000005050000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PO-RFQ # 097663899.exe, systray.exe

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.aquaroyaume.com/uabu/
Source: global traffic | HTTP traffic detected: GET /uabu/?o0D=jL0LdZHh34d0ut&_hrPK=RBOjcSI+0PCin3DYAfURe2BWN4BeTm/4XrPmNHFHgtwunN92sbbb7RERPNQIss2FkGEY HTTP/1.1 | Host: www.mayipay9.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uabu/?_hrPK=bFc1eA65WhbOipBbmVMfd20rI4CLIGZenFDlnHAQDQVOe5/sLng8MX+h5fYtrCFe3/9q&o0D=jL0LdZHh34d0ut HTTP/1.1 | Host: www.salesenablementlaunch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uabu/?o0D=jL0LdZHh34d0ut&_hrPK=ruxw5m/fBZTANxn0+vJzkbJheatIWyH69nVPD3/Jlr0HuUfdGUrtHvekpNeCw/DRWxiy HTTP/1.1 | Host: www.oldschoolnews.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uabu/?_hrPK=6Zl6RiEYODzPbdy+2wZTGBaD4iiheZyVMMytIIVZHQDK7z0ruM0YoJ4KglarveH57crY&o0D=jL0LdZHh34d0ut HTTP/1.1 | Host: www.aquaroyaume.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uabu/?o0D=jL0LdZHh34d0ut&_hrPK=1HJ8hpHXj7k6l9UeC2bjkMh/CRdcIJGwkP5JhSUqrI08aFfpwfXceIsoU6U6XBnGkY13 HTTP/1.1 | Host: www.globalperfumery.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uabu/?o0D=jL0LdZHh34d0ut&_hrPK=KguTjtt16OyzM8616W2q3NqOALXbhZ5U+Dplj7JdQYnMpaKDZTu3BtKCZayxVhVKqktu HTTP/1.1 | Host: www.kopebitest.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uabu/?o0D=jL0LdZHh34d0ut&_hrPK=eLrKZiH/4/rcvGguyk8xXNlCiwRhUX1CU5PxP0qOxyscr2i7rTHvuvRLv311KV985405 HTTP/1.1 | Host: www.farmacyfastfood.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uabu/?_hrPK=2Uwp0g01JmizGb12EcJoawpAPddW8uWsqbAJ1/nDEFeqLH5icC3QCg1YL+W/1Y8NxrPm&o0D=jL0LdZHh34d0ut HTTP/1.1 | Host: www.bigbuddyco.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uabu/?o0D=jL0LdZHh34d0ut&_hrPK=tU/VEHnNkxFTtqdl9k3gLUVMI1i9B27PVJzZPsc0LQ26xNvAL6WXm+9T7cql/MYM9rc5 HTTP/1.1 | Host: www.agarkovsport.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.54.117.218
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View | ASN Name: NFORCENL
Source: unknown | DNS traffic detected: queries for: www.mayipay9.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 08 Apr 2021 11:31:55 GMT | Content-Type: text/html | Content-Length: 793 | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 47 42 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 57 61 6e 74 20 79 6f 75 72 20 6f 77 6e 20 77 65 62 73 69 74 65 3f 20 7c 20 31 32 33 20 52 65 67 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 4c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 2d 75 73 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 4f 42 4f 54 53 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 47 65 74 20 6f 6e 6c 69 6e 65 20 77 69 74 68 20 57 65 62 73 69 74 65 20 42 75 69 6c 64 65 72 21 20 43 72 65 61 74 65 20 61 20 66 72 65 65 20 32 2d 70 61 67 65 20 77 65 62 73 69 74 65 20 74 6f 20 67 6f 20 77 69 74 68 20 79 6f 75 72 20 6e 65 77 20 64 6f 6d 61 69 6e 2e 20 53 74 61 72 74 20 6e 6f 77 20 66 6f 72 20 66 72 65 65 2c 20 6e 6f 20 63 72 65 64 69 74 20 63 61 72 64 20 72 65 71 75 69 72 65 64 21 22 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2f 73 74 79 6c 65 73 68 65 65 74 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2d 33 32 78 33 32 2e 70 6e 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 31 32 33 2d 72 65 67 2d 6e 65 77 2d 64 6f 6d 61 69 6e 2e 63 6f 2e 75 6b 2f 69 66 72 61 6d 65 2e 68 74 6d 6c 22 20 77 69 64 74 68 3d 22 31 30 30 25 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 3c 2f 69 66 72 61 6d 65 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en-GB"><head><title>Want your own website? | 123 Reg</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><meta http-equiv="Content-Language" content="en-us" /><meta name="ROBOTS" content="NOINDEX, NOFOLLOW"><meta name="description" content="Get online with Website Builder! Create a free 2-page website to go with your new domain. Start now for free, no credit card required!"/> <meta n
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PO-RFQ # 097663899.exe, 00000000.00000002.251630889.000000000307C000.00000004.00000001.sdmp, PO-RFQ # 097663899.exe, 00000000.00000002.251568438.0000000003061000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO-RFQ # 097663899.exe, 00000000.00000002.251630889.000000000307C000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO-RFQ # 097663899.exe, 00000000.00000002.258248209.0000000006FE2000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.280706639.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO-RFQ # 097663899.exe, 00000000.00000002.251568438.0000000003061000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: PO-RFQ # 097663899.exe | String found in binary or memory: https://www.gnu.org
Source: PO-RFQ # 097663899.exe | String found in binary or memory: https://www.gnu.org/licenses/
Source: PO-RFQ # 097663899.exe, 00000000.00000002.249957275.0000000001198000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.494247845.0000000003310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.294733318.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.295102814.0000000000BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.253183180.0000000004122000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.295070647.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.493447230.00000000030D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.495271983.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.PO-RFQ # 097663899.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.PO-RFQ # 097663899.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 0000000E.00000002.494247845.0000000003310000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.494247845.0000000003310000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.294733318.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.294733318.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.295102814.0000000000BB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.295102814.0000000000BB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.253183180.0000000004122000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.253183180.0000000004122000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.295070647.0000000000B80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.295070647.0000000000B80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.493447230.00000000030D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.493447230.00000000030D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.495271983.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.495271983.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.PO-RFQ # 097663899.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.PO-RFQ # 097663899.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.PO-RFQ # 097663899.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.PO-RFQ # 097663899.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_004181C0 NtCreateFile
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00418270 NtReadFile
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_004182F0 NtClose
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_004183A0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_004181BA NtCreateFile
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041826A NtReadFile
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_004182EA NtClose
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041839A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE95D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EEB040 NtSuspendThread
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9560 NtWriteFile
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EEAD30 NtSetContextThread
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE96D0 NtCreateKey
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9650 NtQueryValueKey
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9A10 NtQuerySection
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EEA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9760 NtOpenProcess
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9770 NtSetInformationFile
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EEA770 NtOpenThread
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EE9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EEA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050BAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9560 NtWriteFile
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050BA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050BA770 NtOpenThread
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050BB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050BA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050B9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030E83A0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030E8270 NtReadFile
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030E82F0 NtClose
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030E81C0 NtCreateFile
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030E839A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030E826A NtReadFile
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030E82EA NtClose
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030E81BA NtCreateFile
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 0_2_013E94A8
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 0_2_013EDB4C
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 0_2_013EC148
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 0_2_013EE211
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 0_2_013EA758
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041C07D
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00401030
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041B8C5
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0040117B
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041C1DC
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041BAF2
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041C388
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00408C5E
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00408C60
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041B499
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041B4A6
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00402D87
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00402D90
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041C5A8
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041BE7E
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041BE12
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041CE30
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_0041BF6A
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00402FB0
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00ED20A0
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00F720A8
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EBB090
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00F61002
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EB841F
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EBD5E0
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00ED2581
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00F71D55
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EA0D20
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EC4120
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EAF900
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00F72D07
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00F72EF7
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00F722AE
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EC6E30
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00F71FF1
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00EDEBB0
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: 4_2_00F72B28
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_05142D07
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_05070D20
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_05141D55
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050A2581
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_051425DD
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_0508D5E0
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_0508841F
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_0513D466
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_05141FF1
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_0513D616
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_05096E30
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_05142EF7
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_0507F900
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_05094120
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_05131002
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_0508B090
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050A20A0
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_051420A8
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_051428EC
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_05142B28
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_050AEBB0
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_0513DBD2
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_051422AE
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030EB8C5
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030D2FB0
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030ECE31
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030D2D87
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030D2D90
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030EC5A8
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030D8C5E
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030D8C60
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030EB499
          Source: C:\Windows\SysWOW64\systray.exe, Code function: 14_2_030EB4A6
          Source: C:\Windows\SysWOW64\systray.exe, Code function: String function: 0507B150 appears 35 times
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Code function: String function: 00EAB150 appears 35 times
          Source: PO-RFQ # 097663899.exe, Binary or memory string: OriginalFilename vs PO-RFQ # 097663899.exe
          Source: PO-RFQ # 097663899.exe, 00000000.00000002.260803980.0000000007560000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameDSASignature.dll" vs PO-RFQ # 097663899.exe
          Source: PO-RFQ # 097663899.exe, 00000000.00000002.251630889.000000000307C000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSimpleUI.dll2 vs PO-RFQ # 097663899.exe
          Source: PO-RFQ # 097663899.exe, 00000000.00000002.249957275.0000000001198000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs PO-RFQ # 097663899.exe
          Source: PO-RFQ # 097663899.exe, Binary or memory string: OriginalFilename vs PO-RFQ # 097663899.exe
          Source: PO-RFQ # 097663899.exe, 00000004.00000002.295144212.0000000000BE8000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenamesystray.exej% vs PO-RFQ # 097663899.exe
          Source: PO-RFQ # 097663899.exe, 00000004.00000002.295297599.0000000000F9F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs PO-RFQ # 097663899.exe
          Source: PO-RFQ # 097663899.exe, Binary or memory string: OriginalFilenameUrl.exeB vs PO-RFQ # 097663899.exe
          Source: PO-RFQ # 097663899.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000E.00000002.494247845.0000000003310000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.494247845.0000000003310000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.294733318.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.294733318.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.295102814.0000000000BB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.295102814.0000000000BB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.253183180.0000000004122000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.253183180.0000000004122000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.295070647.0000000000B80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.295070647.0000000000B80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.493447230.00000000030D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.493447230.00000000030D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.495271983.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.495271983.0000000004DB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.PO-RFQ # 097663899.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.PO-RFQ # 097663899.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.PO-RFQ # 097663899.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.PO-RFQ # 097663899.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: PO-RFQ # 097663899.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine, Classification label: mal100.troj.evad.winEXE@7/1@14/8
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-RFQ # 097663899.exe.log
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:800:120:WilError_01
          Source: PO-RFQ # 097663899.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\PO-RFQ # 097663899.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: PO-RFQ # 097663899.exe, 00000000.00000002.251568438.0000000003061000.00000004.00000001.sdmp, Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
          Source: PO-RFQ # 097663899.exe, 00000000.00000002.251568438.0000000003061000.00000004.00000001.sdmp, Binary or memory string: Select * from Clientes WHERE id=@id;;
          Source: PO-RFQ # 097663899.exe, 00000000.00000002.251568438.0000000003061000.00000004.00000001.sdmp, Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: PO-RFQ # 097663899.exe, 00000000.00000002.251568438.0000000003061000.00000004.00000001.sdmp, Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
          Source: PO-RFQ # 097663899.exe, 00000000.00000002.251568438.0000000003061000.00000004.00000001.sdmp, Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: PO-R