Analysis Report payment advice_mt103645367.exe

Overview

General Information

Sample Name: payment advice_mt103645367.exe
Analysis ID: 387728
MD5: e4f3fd2e517743504817b7c3e2032de3
SHA1: b42b6607bef7562a38a55b1d74fbb6e5d91f8fcf
SHA256: 08673c97c9a0e20536ce90e162e7da11dde8d4bfc4c01cabe7d3baeafaf449e6
Tags: exe, Formbook, Invoice

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • payment advice_mt103645367.exe (PID: 6236 cmdline: 'C:\Users\user\Desktop\payment advice_mt103645367.exe' MD5: E4F3FD2E517743504817B7C3E2032DE3)
    • payment advice_mt103645367.exe (PID: 2440 cmdline: 'C:\Users\user\Desktop\payment advice_mt103645367.exe' MD5: E4F3FD2E517743504817B7C3E2032DE3)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 244 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 4856 cmdline: /c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.healthpro.info/hwad/"], "decoy": ["atracion.digital", "abiraron.com", "pamelaklein.com", "ailingboli.com", "stclandhome.com", "lowcarbindulgence.com", "comedytournaments.com", "hervis.academy", "votestevecody.com", "medsdiscount.cloud", "pagenstechers.com", "itagamescraft.net", "321duang.com", "digitalmarketingjobsworld.com", "spsxhstar.com", "yhnbgtr.com", "018fee1.com", "weixiang168.com", "modernlifestylejournal.com", "nathapatilgroup.com", "crevelli.com", "dimeoohnique.com", "wikihighlight.com", "yetisotomotiv.com", "nobleclothingstore.com", "927703.com", "2251ferndell.com", "trackgram.net", "bbsunglasses.com", "sk202.com", "shqundu.com", "andersonandassociatesfirm.world", "edmcpng.com", "luxxebloomy.net", "229215.com", "royalbranchhomes.com", "xinjizf.com", "distributecourt.com", "peacefulprotests.website", "sumernight.com", "mybosscoffee.com", "kuppers.info", "presentfocus.life", "fxbplus.com", "todayshomily.com", "craicing.com", "condomon.com", "stopreflujo.com", "truebanditclothing.com", "miaosenmy.com", "aco-tabi.com", "jinling.love", "jobjiihnn.club", "shopzoning.com", "corridordaily.com", "revistaentropica.com", "bajavinofest.com", "wurmo.com", "reviewsbeforebuying.com", "bodi-massazh-dlya-muzhchin.site", "keystonenation.com", "odpuertorico.com", "consciouscommune.com", "omr-omr.com"]}

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP"}

Yara Overview

Memory Dumps

Source: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp
Rule: JoeSecurity_GuLoader
Description: Yara detected GuLoader
Author: Joe Security

Source: 00000013.00000002.497327115.0000000003B17000.00000004.00000001.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x54b8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp; Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP"}
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: payment advice_mt103645367.exe; Virustotal: Detection: 30%
Source: payment advice_mt103645367.exe; ReversingLabs: Detection: 19%
Yara detected FormBook
Source: Yara match; File source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: 19.2.ipconfig.exe.3b17960.4.unpack; Avira: Label: TR/Dropper.Gen
Source: 19.2.ipconfig.exe.31b0840.1.unpack; Avira: Label: TR/Dropper.Gen
Source: payment advice_mt103645367.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown; HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.3:49727 version: TLS 1.2
Source: Binary string: ipconfig.pdb; source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL; source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: payment advice_mt103645367.exe, 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp, ipconfig.exe, 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: payment advice_mt103645367.exe, ipconfig.exe
Source: Binary string: wscui.pdb; source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.healthpro.info/hwad/
Source: Malware configuration extractor; URLs: https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; DNS traffic detected: queries for: doc-0g-3k-docs.googleusercontent.com
Source: explorer.exe, 00000010.00000000.474274647.000000000F5E6000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000010.00000000.474142184.000000000F54C000.00000004.00000001.sdmp; String found in binary or memory: http://crl.mY
Source: explorer.exe, 00000010.00000000.474142184.000000000F54C000.00000004.00000001.sdmp; String found in binary or memory: http://crl.micr
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp; Strings found in binary or memory:
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-jones.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: payment advice_mt103645367.exe, 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp; String found in binary or memory: https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP
Source: unknown; Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown; HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.3:49727 version: TLS 1.2
Source: payment advice_mt103645367.exe, 00000000.00000002.374597434.00000000006EA000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000013.00000002.497327115.0000000003B17000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.495667904.00000000031B0000.00000004.00000020.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Potential malicious icon found
Source: initial sample; Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Executable has a suspicious name (potential lure to open the executable)
Source: payment advice_mt103645367.exe; Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: payment advice_mt103645367.exe
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe; Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe; Code functions (function ID: native functions called):
  • 10_2_1E3E9A20: NtResumeThread, LdrInitializeThunk
  • 10_2_1E3E9A00: NtProtectVirtualMemory, LdrInitializeThunk
  • 10_2_1E3E9660: NtAllocateVirtualMemory, LdrInitializeThunk
  • 10_2_1E3E9A50: NtCreateFile, LdrInitializeThunk
  • 10_2_1E3E96E0: NtFreeVirtualMemory, LdrInitializeThunk
  • 10_2_1E3E9710: NtQueryInformationToken, LdrInitializeThunk
  • 10_2_1E3E97A0: NtUnmapViewOfSection, LdrInitializeThunk
  • 10_2_1E3E9780: NtMapViewOfSection, LdrInitializeThunk
  • 10_2_1E3E9FE0: NtCreateMutant, LdrInitializeThunk
  • 10_2_1E3E9860: NtQuerySystemInformation, LdrInitializeThunk
  • 10_2_1E3E9840: NtDelayExecution, LdrInitializeThunk
  • 10_2_1E3E98F0: NtReadVirtualMemory, LdrInitializeThunk
  • 10_2_1E3E9910: NtAdjustPrivilegesToken, LdrInitializeThunk
  • 10_2_1E3E9540: NtReadFile, LdrInitializeThunk
  • 10_2_1E3E99A0: NtCreateSection, LdrInitializeThunk
  • 10_2_1E3E95D0: NtClose, LdrInitializeThunk
  • 10_2_1E3E9610: NtEnumerateValueKey
  • 10_2_1E3E9A10: NtQuerySection
  • 10_2_1E3E9670: NtQueryInformationProcess
  • 10_2_1E3E9650: NtQueryValueKey
  • 10_2_1E3E9A80: NtOpenDirectoryObject
  • 10_2_1E3E96D0: NtCreateKey
  • 10_2_1E3E9730: NtQueryVirtualMemory
  • 10_2_1E3EA710: NtOpenProcessToken
  • 10_2_1E3E9B00: NtSetValueKey
  • 10_2_1E3E9770: NtSetInformationFile
  • 10_2_1E3EA770: NtOpenThread
  • 10_2_1E3E9760: NtOpenProcess
  • 10_2_1E3EA3B0: NtGetContextThread
  • 10_2_1E3E9820: NtEnumerateKey
  • 10_2_1E3EB040: NtSuspendThread
  • 10_2_1E3E98A0: NtWriteVirtualMemory
  • 10_2_1E3EAD30: NtSetContextThread
  • 10_2_1E3E9520: NtWaitForSingleObject
  • 10_2_1E3E9560: NtWriteFile
  • 10_2_1E3E9950: NtQueueApcThread
  • 10_2_1E3E95F0: NtQueryInformationFile
  • 10_2_1E3E99D0: NtCreateProcessEx
  • 10_2_00568170: NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe; Code functions (function ID: native functions called):
  • 19_2_03649A50: NtCreateFile, LdrInitializeThunk
  • 19_2_03649910: NtAdjustPrivilegesToken, LdrInitializeThunk
  • 19_2_03649860: NtQuerySystemInformation, LdrInitializeThunk
  • 19_2_03649FE0: NtCreateMutant, LdrInitializeThunk
  • 19_2_036496E0: NtFreeVirtualMemory, LdrInitializeThunk
  • 19_2_03649540: NtReadFile, LdrInitializeThunk
  • 19_2_036495D0: NtClose, LdrInitializeThunk
  • 19_2_03649B00: NtSetValueKey
  • 19_2_0364A3B0: NtGetContextThread
  • 19_2_03649A20: NtResumeThread
  • 19_2_03649A00: NtProtectVirtualMemory
  • 19_2_03649A10: NtQuerySection
  • 19_2_03649A80: NtOpenDirectoryObject
  • 19_2_03649950: NtQueueApcThread
  • 19_2_036499D0: NtCreateProcessEx
  • 19_2_036499A0: NtCreateSection
  • 19_2_03649840: NtDelayExecution
  • 19_2_0364B040: NtSuspendThread
  • 19_2_03649820: NtEnumerateKey
  • 19_2_036498F0: NtReadVirtualMemory
  • 19_2_036498A0: NtWriteVirtualMemory
  • 19_2_03649760: NtOpenProcess
  • 19_2_0364A770: NtOpenThread
  • 19_2_03649770: NtSetInformationFile
  • 19_2_03649730: NtQueryVirtualMemory
  • 19_2_03649710: NtQueryInformationToken
  • 19_2_0364A710: NtOpenProcessToken
  • 19_2_036497A0: NtUnmapViewOfSection
  • 19_2_03649780: NtMapViewOfSection
  • 19_2_03649660: NtAllocateVirtualMemory
  • 19_2_03649670: NtQueryInformationProcess
  • 19_2_03649650: NtQueryValueKey
  • 19_2_03649610: NtEnumerateValueKey
  • 19_2_036496D0: NtCreateKey
  • 19_2_03649560: NtWriteFile
  • 19_2_03649520: NtWaitForSingleObject
  • 19_2_0364AD30: NtSetContextThread
  • 19_2_036495F0: NtQueryInformationFile
  • 19_2_02DE82E0: NtClose
  • 19_2_02DE8260: NtReadFile
  • 19_2_02DE81B0: NtCreateFile
  • 19_2_02DE82DC: NtClose
  • 19_2_02DE825A: NtReadFile
  • 19_2_02DE81AA: NtCreateFile
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_036DDFCE19_2_036DDFCE
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_03626E3019_2_03626E30
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_0362560019_2_03625600
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_036CD61619_2_036CD616
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_036D2EF719_2_036D2EF7
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_036B1EB619_2_036B1EB6
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_036D1D5519_2_036D1D55
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_03600D2019_2_03600D20
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_036D2D0719_2_036D2D07
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_0361D5E019_2_0361D5E0
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_036D25DD19_2_036D25DD
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_036365A019_2_036365A0
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_0363258119_2_03632581
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_036C2D8219_2_036C2D82
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_036CD46619_2_036CD466
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_0362B47719_2_0362B477
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_0361841F19_2_0361841F
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_036C449619_2_036C4496
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02DEBA4319_2_02DEBA43
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02DD2FB019_2_02DD2FB0
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02DEBFA719_2_02DEBFA7
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02DEB75519_2_02DEB755
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02DEBCD019_2_02DEBCD0
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02DD8C5019_2_02DD8C50
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02DD8C4B19_2_02DD8C4B
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02DD2D9019_2_02DD2D90
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 03695720 appears 38 times
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 0365D08C appears 39 times
      Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 0360B150 appears 154 times
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exeCode function: String function: 1E3AB150 appears 35 times
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exeCode function: String function: 0040172E appears 35 times
      Source: payment advice_mt103645367.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameillusive.exeFE2X vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameillusive.exeFE2X7q vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameillusive.exeFE2X~p vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameillusive.exeFE2XRu vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameillusive.exeFE2X$t vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe, 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameillusive.exe vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe, 00000000.00000002.375025108.00000000022C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe, 0000000A.00000002.490528036.000000001DC60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe, 0000000A.00000002.490581294.000000001DDB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe, 0000000A.00000002.492644478.000000001E62F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe, 0000000A.00000000.373609554.000000000042A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameillusive.exe vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe, 0000000A.00000002.486757216.00000000000B7000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe | Binary or memory string: OriginalFilenameillusive.exe vs payment advice_mt103645367.exe
      Source: payment advice_mt103645367.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 00000013.00000002.497327115.0000000003B17000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000013.00000002.495667904.00000000031B0000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@6/0@1/1
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1564:120:WilError_01
      Source: payment advice_mt103645367.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: payment advice_mt103645367.exe | Virustotal: Detection: 30%
      Source: payment advice_mt103645367.exe | ReversingLabs: Detection: 19%
      Source: unknown | Process created: C:\Users\user\Desktop\payment advice_mt103645367.exe 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Process created: C:\Users\user\Desktop\payment advice_mt103645367.exe 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
      Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
      Source: Binary string: ipconfig.pdb source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: ipconfig.pdbGCTL source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: payment advice_mt103645367.exe, 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp, ipconfig.exe, 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: payment advice_mt103645367.exe, ipconfig.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: payment advice_mt103645367.exe PID: 2440, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: payment advice_mt103645367.exe PID: 2440, type: MEMORY
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_0040B858 push ebx; iretw 0_2_0040B86A
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_0040A66C push ebx; retf 0_2_0040A67E
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_00409E24 push ebx; retf 0_2_00409E26
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_0040AACF push ebx; retf 0_2_0040AAD2
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_00408880 push ebx; retf 0_2_00408882
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_0040A68B push ebx; retf 0_2_0040A67E
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_0040A68B push ebx; retf 0_2_0040A69A
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_004096B8 push ecx; iretd 0_2_004096C6
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_00408B76 push ebx; retf 0_2_00408C42
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_004083C0 push ebx; retf 0_2_004083C6
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_0040B7C7 push ebx; retf 0_2_0040B7CA
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_0040B78A push FFFFFFA7h; retf 0_2_0040B79F
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_0040A190 push edx; iretd 0_2_0040A19E
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 0_2_004083BB push ebx; retf 0_2_004083BE
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 10_2_1E3FD0D1 push ecx; ret 10_2_1E3FD0E4
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 10_2_00568ED4 push edx; retf 10_2_00568ED3
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Code function: 10_2_00568EC5 push edx; retf 10_2_00568ED3
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_0365D0D1 push ecx; ret 19_2_0365D0E4
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02DEB3FB push eax; ret 19_2_02DEB462
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02DEB3F2 push eax; ret 19_2_02DEB3F8
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02DEB3A5 push eax; ret 19_2_02DEB3F8
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02DEC7A4 push dword ptr [2E33947Ah]; ret 19_2_02DEC7A3
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02DEB45C push eax; ret 19_2_02DEB462
      Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02DEC547 push dword ptr [2E33947Ah]; ret 19_2_02DEC7A3

      Persistence and Installation Behavior:

      Uses ipconfig to lookup or modify the Windows network settings
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\payment advice_mt103645367.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Contains functionality to detect hardware virtualization (CPUID execution measurement)
      Source: C:\Users