
Analysis Report Quotation.exe

Overview

General Information

Sample Name: Quotation.exe
Analysis ID: 383984
MD5: 1f86caaa19912ceb55c9f6121eb692bb
SHA1: 2d4dd95fdb17937b22a3d6a41862704ed80acf70
SHA256: 8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Quotation.exe (PID: 6372 cmdline: 'C:\Users\user\Desktop\Quotation.exe' MD5: 1F86CAAA19912CEB55C9F6121EB692BB)
    • Quotation.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\Quotation.exe' MD5: 1F86CAAA19912CEB55C9F6121EB692BB)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 6916 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 7012 cmdline: /c del 'C:\Users\user\Desktop\Quotation.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.riceandginger.com/fcn/"], "decoy": ["bellee-select.com", "unlock-motorola.com", "courtneyrunyon.com", "hnzywjz.com", "retrievingbest.net", "ayescarrental.com", "beyoutifulblessings.com", "heritagediscovery.net", "fasoum.com", "wbz.xyz", "lownak.com", "alinkarmay.com", "coffeyquiltco.com", "validdreamers.com", "yuksukcu.club", "buildnextfrc.com", "avantfarme.com", "xyfs360.com", "holisticpacific.com", "banejia.com", "champsn.com", "ebitit.com", "esseneceedibles.com", "findmyautoparts.com", "belenusadvisory.net", "esrise.net", "lovewillfindaway.net", "chienluocmarketing.net", "greenbelieve.com", "shopyourgift.com", "theweddingofshadiandmike.com", "greenstavern.com", "klinku.com", "norastravel.com", "team5thgroup.com", "ohrchadash.com", "hauteandcood.com", "ap-333.com", "jonathantyar.com", "robertabraham.com", "citestaccnt1597691130.com", "665asilo.com", "deerokoj.com", "ezcovid19.com", "heritageivhoa.com", "ultraprecisiondata.com", "alkiefsaudi.com", "camelliaflowers.space", "clickqrcoaster.com", "ponorogokita.com", "stainlesslion.com", "china-ymc.com", "littner.xyz", "houseof2.com", "metabolytix.com", "1000-help6.club", "another-sc.com", "suafrisolac.com", "whitetreechainmail.com", "amazon-service-app-account.com", "cruiseameroca.com", "yaxett.net", "adsmat.com", "afternoontravel.site"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings: same offsets and byte sequences as listed for memory dump 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp above (Formbook_1 rule)

Unpacked PEs

Source | Rule | Description | Author
1.1.Quotation.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.Quotation.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings: same offsets and byte sequences as listed for memory dump 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp above (Formbook_1 rule)
1.1.Quotation.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings: same offsets and byte sequences as listed for memory dump 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp above (Formbook rule, JPCERT/CC)
1.2.Quotation.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Quotation.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings: same offsets and byte sequences as listed for memory dump 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp above (Formbook_1 rule)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as given under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsu4E63.tmp\laegtoh4.dll | ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: Quotation.exe | ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.1.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation.exe.1eb40000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation.exe.1eb40000.5.raw.unpack, type: UNPACKEDPE
Source: 8.2.netsh.exe.2f15d18.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.Quotation.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.netsh.exe.398f834.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Quotation.exe.1eb40000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Quotation.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Quotation.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: netsh.pdb | source: Quotation.exe, 00000001.00000002.278705852.0000000000799000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: Quotation.exe, 00000000.00000003.232762609.000000001ED00000.00000004.00000001.sdmp, Quotation.exe, 00000001.00000002.278883412.0000000000BD0000.00000040.00000001.sdmp, netsh.exe, 00000008.00000002.498460842.0000000003460000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL | source: Quotation.exe, 00000001.00000002.278705852.0000000000799000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb | source: Quotation.exe, netsh.exe
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_0040531D
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405CB0
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_004026BC FindFirstFileA,0_2_004026BC
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4x nop then pop esi 1_2_004172F0
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 4x nop then pop esi 1_1_004172F0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop esi 8_2_02BB72F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 162.241.24.122:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 162.241.24.122:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49717 -> 162.241.24.122:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 198.54.117.216:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 198.54.117.216:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49729 -> 198.54.117.216:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.riceandginger.com/fcn/
Source: global traffic | HTTP traffic detected: GET /fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=SEmbethRuJUohlQz+Ttvx+iBOmYZkGVPsXZysf/6weMAgxRZQrWYJhCujRXBjoMPQ+uG HTTP/1.1 | Host: www.xyfs360.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fcn/?ndsxlrp=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&wZALH=PToxs4gHMXctdDo HTTP/1.1 | Host: www.riceandginger.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fcn/?wZALH=PToxs4gHMXctdDo&ndsxlrp=liB0icShPNod4xlpu/WXKffa+vmxvgDQmU6O7prVAXsGW3hWFkE60zcwKq/t6p2og2/V HTTP/1.1 | Host: www.houseof2.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fcn/?ndsxlrp=4nVmM3kokLOk5A5KPpUlNAhIJJn3COZ2tebCUHwKvxD3r3Ccio9dbVOfTPTbeaZZl4cM&wZALH=PToxs4gHMXctdDo HTTP/1.1 | Host: www.clickqrcoaster.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.54.117.216
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: unknown | DNS traffic detected: queries for: www.xyfs360.com
Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00404EBC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EBC

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same eight memory dumps and six unpacked PEs listed for this signature under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.Quotation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.Quotation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Quotation.exe.1eb40000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Quotation.exe.1eb40000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Quotation.exe.1eb40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Quotation.exe.1eb40000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: Quotation.exe
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00419E90 NtClose
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00419F40 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00419DB3 NtReadFile
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00419E8A NtClose
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00419F3B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C398F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C399A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C395D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C396E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C397A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C398A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C3B040 NtSuspendThread
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39820 NtEnumerateKey
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C399D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39950 NtQueueApcThread
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39A10 NtQuerySection
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C3A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39B00 NtSetValueKey
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C395F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39560 NtWriteFile
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C3AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C396D0 NtCreateKey
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39650 NtQueryValueKey
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39760 NtOpenProcess
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39770 NtSetInformationFile
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C3A770 NtOpenThread
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C3A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C39730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_1_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_1_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_1_00419E90 NtClose
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_1_00419F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034CA770 NtOpenThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034CA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034CA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9660 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9560 NtWriteFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034CAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034CB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034C98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BB9E90 NtClose
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BB9E10 NtReadFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BB9D60 NtCreateFile
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BB9E8A NtClose
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BB9DB3 NtReadFile
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_00403166 EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_004046C3
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_004060D9
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 0_2_004068B0
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00401027
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_0041E100
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_0041E246
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00409E40
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00409E3C
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_0041DF12
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_0041DF1C
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CC28EC
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C0B090
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C220A0
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CC20A8
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CB1002
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CCE824
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00BFF900
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C14120
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CC22AE
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CBDBD2
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C2EBB0
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CC2B28
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CBD466
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C0841F
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CC25DD
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C0D5E0
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CC1D55
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00BF0D20
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CC2D07
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CC2EF7
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CBD616
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00C16E30
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00CC1FF1
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_1_00401027
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_1_0041E100
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_1_0041E246
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034BEBB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034A6E30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03551D55
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_0348F900
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03480D20
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_034A4120
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03541002
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_0349B090
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BBE246
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BBE100
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BA9E3C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BA9E40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BA2FB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BBDF1C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BBDF12
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_02BA2D90
          Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 00BFB150 appears 35 times
          Source: Quotation.exe, 00000000.00000003.236412291.000000001ECB6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
          Source: Quotation.exe, 00000000.00000002.242016768.00000000022D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameAVICAP32.DLL.MUIj% vs Quotation.exe
          Source: Quotation.exe, 00000000.00000002.242012748.00000000022C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemsvfw32.dll.muij% vs Quotation.exe
          Source: Quotation.exe, 00000001.00000002.278859602.000000000096C000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs Quotation.exe
          Source: Quotation.exe, 00000001.00000002.279247489.0000000000E7F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
          Source: Quotation.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.237394511.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.278547391.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.496739110.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.497353357.0000000002E70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.497393185.0000000002EA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.242716511.000000001EB40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.278753698.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.278664638.0000000000760000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fk