Analysis Report #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe

Overview

General Information

Sample Name:	#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe
Analysis ID:	385277
MD5:	525cb22afe0244e45b2831b243b27a68
SHA1:	df33a4a91f50e49ee7c3283b1022024fca7ceade
SHA256:	bcbdc1722d82cfdd00d6748654937dd6e79b81661df159ea9387d61f3ed38034
Tags:	exeFormbookgeoKOR
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000005.00000002.337974724.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.visitmatchgo.com/duy/"], "decoy": ["tychzh.net", "seafoodrambler.com", "sustainablyoutdoors.com", "ngisolomba.club", "pocee.com", "toshaliusa.com", "authenticpickleball.com", "2jm.guru", "site4v.com", "earlywarningsigns.com", "freekwennekers.com", "noelgift.store", "timaloney.com", "scotlandluxurylodges.com", "xevroruwf.icu", "ideasforgoodcourse.com", "feederscup.com", "kabutostrength.com", "studiomileend.com", "restaurantenelia.com", "kentbranding.company", "whitelinen.house", "mighty.zone", "bigsky3percent.com", "satelliteshows.com", "hlbrock.com", "xn--tssla-gra.com", "theholisticmix.com", "therealdmu.com", "lentiacontattoeshop.com", "uhejcjew.icu", "casnop.com", "lavisheclothiers.com", "topelevenhackcheatz.com", "monterklime.com", "fanoosbattery.com", "laramsmatter.com", "morrolion.com", "itstime4recess.com", "leeurgentcare.com", "panamienne.com", "implementbiosegurityoneline.com", "roseyogacoach.com", "domennyarendi19.net", "antsclassic.win", "soredecoraciones.com", "thelittlejetscompany.com", "culturasoft.net", "aajfw.xyz", "thedreamdistrict.com", "gmgdr.com", "releasement.solutions", "ditrdan.com", "ecoshoplanet.com", "boblikescock.com", "cotizalo.online", "gulastivbgone.xyz", "quelastimamiguelito.com", "tld-qa.com", "14pro.com", "michaeljoycetennis.com", "petrickpetmarket.xyz", "agilearccreations.com", "281as39.xyz"]}

Multi AV Scanner detection for domain / URL

Source: www.visitmatchgo.com/duy/

Virustotal: Detection: 7%

Perma Link

Multi AV Scanner detection for submitted file

Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Virustotal: Detection: 26%			Perma Link
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	ReversingLabs: Detection: 20%

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.337974724.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338606384.0000000004249000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000005.00000002.338686497.000000000188F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.visitmatchgo.com/duy/

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.337974724.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338606384.0000000004249000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.337974724.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.337974724.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.338606384.0000000004249000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.338606384.0000000004249000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00419D60 NtCreateFile,	5_2_00419D60
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00419E10 NtReadFile,	5_2_00419E10
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00419E90 NtClose,	5_2_00419E90
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00419F40 NtAllocateVirtualMemory,	5_2_00419F40
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00419DB2 NtCreateFile,	5_2_00419DB2
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00419E0B NtReadFile,	5_2_00419E0B
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_017D9860
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_017D9660
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_017D96E0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9950 NtQueueApcThread,	5_2_017D9950
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9910 NtAdjustPrivilegesToken,	5_2_017D9910
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D99D0 NtCreateProcessEx,	5_2_017D99D0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D99A0 NtCreateSection,	5_2_017D99A0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017DB040 NtSuspendThread,	5_2_017DB040
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9840 NtDelayExecution,	5_2_017D9840
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9820 NtEnumerateKey,	5_2_017D9820
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D98F0 NtReadVirtualMemory,	5_2_017D98F0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D98A0 NtWriteVirtualMemory,	5_2_017D98A0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9B00 NtSetValueKey,	5_2_017D9B00
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017DA3B0 NtGetContextThread,	5_2_017DA3B0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9A50 NtCreateFile,	5_2_017D9A50
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9A20 NtResumeThread,	5_2_017D9A20
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9A10 NtQuerySection,	5_2_017D9A10
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9A00 NtProtectVirtualMemory,	5_2_017D9A00
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9A80 NtOpenDirectoryObject,	5_2_017D9A80
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9560 NtWriteFile,	5_2_017D9560
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9540 NtReadFile,	5_2_017D9540
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017DAD30 NtSetContextThread,	5_2_017DAD30
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9520 NtWaitForSingleObject,	5_2_017D9520
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D95F0 NtQueryInformationFile,	5_2_017D95F0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D95D0 NtClose,	5_2_017D95D0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017DA770 NtOpenThread,	5_2_017DA770
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9770 NtSetInformationFile,	5_2_017D9770
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9760 NtOpenProcess,	5_2_017D9760
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9730 NtQueryVirtualMemory,	5_2_017D9730
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9710 NtQueryInformationToken,	5_2_017D9710
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017DA710 NtOpenProcessToken,	5_2_017DA710
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9FE0 NtCreateMutant,	5_2_017D9FE0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D97A0 NtUnmapViewOfSection,	5_2_017D97A0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9780 NtMapViewOfSection,	5_2_017D9780
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9670 NtQueryInformationProcess,	5_2_017D9670
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9650 NtQueryValueKey,	5_2_017D9650
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D9610 NtEnumerateValueKey,	5_2_017D9610
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017D96D0 NtCreateKey,	5_2_017D96D0

Detected potential crypto function

Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 0_2_00D5A448	0_2_00D5A448
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 0_2_016AC164	0_2_016AC164
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 0_2_016AE5A0	0_2_016AE5A0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 0_2_016AE5B0	0_2_016AE5B0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 3_2_002AA448	3_2_002AA448
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 4_2_001DA448	4_2_001DA448
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041E808	5_2_0041E808
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041D8E1	5_2_0041D8E1
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041E8E8	5_2_0041E8E8
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041DB55	5_2_0041DB55
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041D321	5_2_0041D321
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00402D8B	5_2_00402D8B
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00409E40	5_2_00409E40
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00409E3B	5_2_00409E3B
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041DFCA	5_2_0041DFCA
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_00BEA448	5_2_00BEA448
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017B4120	5_2_017B4120
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0179F900	5_2_0179F900
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017AC1C0	5_2_017AC1C0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017B99BF	5_2_017B99BF
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017B2990	5_2_017B2990
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_018620A8	5_2_018620A8
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017BA830	5_2_017BA830
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017C701D	5_2_017C701D
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_018628EC	5_2_018628EC
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_018560F5	5_2_018560F5
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01796800	5_2_01796800
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01851002	5_2_01851002
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0186E824	5_2_0186E824
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017C20A0	5_2_017C20A0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017AB090	5_2_017AB090
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0183EB8A	5_2_0183EB8A
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017B3360	5_2_017B3360
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017BAB40	5_2_017BAB40
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0185DBD2	5_2_0185DBD2
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_018503DA	5_2_018503DA
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_018423E3	5_2_018423E3
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017BA309	5_2_017BA309
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017E8BE8	5_2_017E8BE8
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0185231B	5_2_0185231B
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017CABD8	5_2_017CABD8
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01862B28	5_2_01862B28
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017CEBB0	5_2_017CEBB0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0183CB4F	5_2_0183CB4F
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017BEB9A	5_2_017BEB9A
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017C138B	5_2_017C138B
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_018622AE	5_2_018622AE
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_018632A9	5_2_018632A9
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0185E2C5	5_2_0185E2C5
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017BB236	5_2_017BB236
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01854AEF	5_2_01854AEF
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0184FA2B	5_2_0184FA2B
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01855A4F	5_2_01855A4F
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01852D82	5_2_01852D82
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017B2D50	5_2_017B2D50
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01790D20	5_2_01790D20
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_018625DD	5_2_018625DD
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01862D07	5_2_01862D07
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017AD5E0	5_2_017AD5E0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01861D55	5_2_01861D55
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017C65A0	5_2_017C65A0
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017C2581	5_2_017C2581
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017BB477	5_2_017BB477
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01854496	5_2_01854496
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017B2430	5_2_017B2430
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017A841F	5_2_017A841F
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017C4CD4	5_2_017C4CD4
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0185D466	5_2_0185D466
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0186DFCE	5_2_0186DFCE
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_018567E2	5_2_018567E2
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01861FF1	5_2_01861FF1
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01841EB6	5_2_01841EB6
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017B6E30	5_2_017B6E30
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_01862EF7	5_2_01862EF7
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017B5600	5_2_017B5600
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0185D616	5_2_0185D616
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0181AE60	5_2_0181AE60

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: String function: 01825720 appears 81 times
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: String function: 0179B150 appears 159 times
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: String function: 017ED08C appears 47 times

Sample file is different than original file name gathered from version info

Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Binary or memory string: OriginalFilename vs #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.338465475.0000000003221000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMetroFramework.dll> vs #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.343689465.00000000062A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Binary or memory string: OriginalFilename vs #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Binary or memory string: OriginalFilename vs #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Binary or memory string: OriginalFilename vs #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000005.00000002.338686497.000000000188F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Binary or memory string: OriginalFilenameu4tB.exeH vs #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe

Uses 32bit PE files

Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000005.00000002.337974724.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.337974724.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.338606384.0000000004249000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.338606384.0000000004249000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@0/0

Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe.log

Source: unknown	Process created: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe 'C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe'
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process created: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe {path}
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process created: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe {path}
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process created: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe {path}
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process created: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process created: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process created: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041E8E8 push dword ptr [CAB1F56Bh]; ret	5_2_0041EB24
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_004196C2 push esi; ret	5_2_004196CB
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041CEB5 push eax; ret	5_2_0041CF08
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041CF6C push eax; ret	5_2_0041CF72
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041CF02 push eax; ret	5_2_0041CF08
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041CF0B push eax; ret	5_2_0041CF72
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_0041670C push 9412890Ah; iretd	5_2_00416711
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Code function: 5_2_017ED0D1 push ecx; ret	5_2_017ED0E4

Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.344745287.0000000006736000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.344745287.0000000006736000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe TID: 6480	Thread sleep time: -31500s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe TID: 6520	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Thread delayed: delay time: 31500			Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.344745287.0000000006736000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.344745287.0000000006736000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.344745287.0000000006736000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.344745287.0000000006736000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.344745287.0000000006736000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.344745287.0000000006736000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.344745287.0000000006736000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.344745287.0000000006736000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe, 00000000.00000002.344745287.0000000006736000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Queries volume information: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

ID:	385277
Product:	CloudBasic
Start time:	09:30:08
Start date:	12.04.2021
Sample:	#Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	525cb22afe0244e45b2831b243b27a68
SHA1:	df33a4a91f50e49ee7c3283b1022024fca7ceade
SHA256:	bcbdc1722d82cfdd00d6748654937dd6e79b81661df159ea9387d61f3ed38034
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Analysis Report #Ud55c#Ub77c#Uc0b0#Uc5c5#Uac1c#Ubc1c(2021.04.12).exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted URLs