
Analysis Report Invoiceo.exe

Overview

General Information

Sample Name: Invoiceo.exe
Analysis ID: 402845
MD5: 8f2489d7ce50e99109af9925818daf2b
SHA1: 5481d53e59fda1e0d849b677e15b410ba6f64fbc
SHA256: 0013853950647289e952326b93ce46aa3e73db654367ef3c005e29257db31fba
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Invoiceo.exe (PID: 6316 cmdline: 'C:\Users\user\Desktop\Invoiceo.exe' MD5: 8F2489D7CE50E99109AF9925818DAF2B)
    • powershell.exe (PID: 6584 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6660 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6716 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6856 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\yYxmxiApi.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Invoiceo.exe (PID: 6872 cmdline: C:\Users\user\Desktop\Invoiceo.exe MD5: 8F2489D7CE50E99109AF9925818DAF2B)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 5112 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 4604 cmdline: /c del 'C:\Users\user\Desktop\Invoiceo.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.swim-maki.com/csi/"], "decoy": ["crazyonlineboutique.com", "nelivo.com", "chibimama-blog.com", "teachersofnyc.com", "rare-snare.com", "sunriseatlennox.com", "innovate-nation.com", "mahowebcam.com", "foodbyroyalbites.com", "nkm580.com", "premiumplanterboxes.com", "uspaypausa.com", "wto2b.com", "evoocb.com", "missilenttech.com", "adtlive.com", "guapeco.com", "keepfaithful.com", "djayhoward.com", "cora-designstj.com", "furrybasics.com", "tabuk24.com", "bioshope.online", "naturaldesiproducts.com", "ardreykellbaseball.com", "irisettlement.com", "bahama-id.com", "lastweektonight.watch", "professor-ux.com", "lifecompetitions.net", "axislnsmail.com", "dohannor.com", "powertuningfiles.com", "analistaweb.net", "baascompanies.com", "gengkakmona.com", "salonandspaexperts.com", "mynet.ltd", "lionandivy.com", "shopalam.com", "ana9aty.net", "sandostore.com", "theasigosysteminfo.com", "academiadoaprender.com", "akvirtualtours.com", "hecoldwithit.com", "stopsiba.com", "credit780.com", "ss01center.com", "wristaidmd.com", "s2nps.co.uk", "kontrey.com", "cheesecakedactory.com", "bnytechnologies.com", "enhancinggrowth.com", "gorgeus-girl-full-service.today", "bermudesfcrasettlement.com", "beste-gruppe.com", "lfntv.com", "coronarestschuldbefreiung.info", "positivechampions.com", "roadsigntoday.club", "oxytocin.online", "bupamwhub.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x1dad88:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x1daff2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x2073a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x207612:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x1e6b15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x213135:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x1e6601:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x212c21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x1e6c17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x213237:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1e6d8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x2133af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x1dba0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x20802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1e587c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x211e9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x1dc703:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x208d23:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ec7b7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x218dd7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ed7ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x1e9899:$sqlite3step: 68 34 1C 7B E1
    • 0x1e99ac:$sqlite3step: 68 34 1C 7B E1
    • 0x215eb9:$sqlite3step: 68 34 1C 7B E1
    • 0x215fcc:$sqlite3step: 68 34 1C 7B E1
    • 0x1e98c8:$sqlite3text: 68 38 2A 90 C5
    • 0x1e99ed:$sqlite3text: 68 38 2A 90 C5
    • 0x215ee8:$sqlite3text: 68 38 2A 90 C5
    • 0x21600d:$sqlite3text: 68 38 2A 90 C5
    • 0x1e98db:$sqlite3blob: 68 53 D8 7F 8C
    • 0x1e9a03:$sqlite3blob: 68 53 D8 7F 8C
    • 0x215efb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x216023:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.Invoiceo.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
11.2.Invoiceo.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.2.Invoiceo.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x183f9:$sqlite3step: 68 34 1C 7B E1
    • 0x1850c:$sqlite3step: 68 34 1C 7B E1
    • 0x18428:$sqlite3text: 68 38 2A 90 C5
    • 0x1854d:$sqlite3text: 68 38 2A 90 C5
    • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
11.2.Invoiceo.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
11.2.Invoiceo.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
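The two community rules above work differently. The yara-signator rule (Formbook_1) matches short opcode sequences lifted from the unpacked code: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the RDTSC timing check that also appears as "Tries to detect virtualization through RDTSC time measurements" in the signature list. The JPCERT/CC rule matches 68 xx xx xx xx, a push of a 32-bit immediate, where the immediate is a hash of an API name the sample resolves at run time. The Python below is an added example, not part of this report and not the yara engine: it scans a buffer for exactly these byte strings, reports offsets in the same form as the Strings column, and decodes the push immediates. The buffer is constructed (NOP filler with the strings planted at chosen offsets) and the rule condition "at least seven distinct sequences plus one push constant" is an assumption, because the report shows the rules' strings but not their conditions.

```python
import re
import struct

# Hex strings copied from the rule matches listed in this report.
# $sequence_0 = add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax (RDTSC timing check).
# Each $sqlite3* string is a 'push imm32' (opcode 0x68) of a hashed API name.
SEQUENCES = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
PUSH_CONSTANTS = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hex_to_bytes(hx):
    return bytes.fromhex(hx.replace(" ", ""))


def scan(buf, patterns):
    """Find every occurrence of each pattern; returns {name: [offset, ...]} like the Strings column."""
    found = {}
    data = bytes(buf)
    for name, hx in patterns.items():
        needle = re.escape(hex_to_bytes(hx))
        # lookahead so overlapping occurrences are all reported
        offsets = [m.start() for m in re.finditer(b"(?=" + needle + b")", data)]
        if offsets:
            found[name] = offsets
    return found


def push_imm32(hx):
    """Decode a 5-byte 'push imm32' pattern to the little-endian immediate it pushes."""
    b = hex_to_bytes(hx)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32 pattern: " + hx)
    return struct.unpack("<I", b[1:])[0]


def classify(buf, min_sequences=7):
    """Assumed rule condition (the report does not show the real one):
    at least min_sequences distinct opcode sequences and at least one hashed-API push."""
    seq = scan(buf, SEQUENCES)
    pushes = scan(buf, PUSH_CONSTANTS)
    return {"sequences": seq, "pushes": pushes,
            "formbook_like": len(seq) >= min_sequences and bool(pushes)}


# Constructed stand-in for a memory dump: NOP filler with the rule strings planted at known offsets.
PLANTED = [
    (0x010, "$sequence_0"), (0x030, "$sequence_0"), (0x050, "$sequence_1"), (0x070, "$sequence_2"),
    (0x090, "$sequence_3"), (0x0B0, "$sequence_4"), (0x0D0, "$sequence_5"), (0x0F0, "$sequence_6"),
    (0x110, "$sequence_7"), (0x130, "$sequence_8"), (0x150, "$sequence_9"),
    (0x200, "$sqlite3step"), (0x210, "$sqlite3text"), (0x220, "$sqlite3blob"),
]


def build_sample():
    buf = bytearray(b"\x90" * 0x400)
    table = {**SEQUENCES, **PUSH_CONSTANTS}
    for off, name in PLANTED:
        data = hex_to_bytes(table[name])
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    result = classify(sample)
    for name, offs in sorted(result["sequences"].items()):
        print(name, [hex(o) for o in offs])
    for name, hx in PUSH_CONSTANTS.items():
        print(name, "push", hex(push_imm32(hx)))
    print("formbook_like:", result["formbook_like"])
```

Pointing scan() at a real dump file (open(path, "rb").read()) gives the same offset list the report prints for that dump; the push constants are the quicker triage check because they survive recompilation better than the opcode sequences, which shift whenever the compiler changes register allocation.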

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Invoiceo.exe', ParentImage: C:\Users\user\Desktop\Invoiceo.exe, ParentProcessId: 6316, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp', ProcessId: 6716
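The Startup tree and this Sigma hit show the same loader behaviour from two angles: powershell.exe adding Defender exclusions for the dropped copy, schtasks.exe importing a task from a .tmp file under AppData\Local\Temp, Invoiceo.exe launching a second copy of itself (the suspended process that is then hollowed), explorer.exe spawning a SysWOW64 cmd.exe, and that cmd.exe deleting the original file. The Python below is an added example, not part of the Joe Sandbox report and not its Sigma engine: it applies the equivalent checks to a constructed list of process-creation events modelled on the command lines above, plus one benign schtasks event as a control. The ProcEvent field names, the rule names and the parent PID assigned to the first Invoiceo.exe are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (field names are an assumption, not a Sysmon or sandbox schema)."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


# Constructed events modelled on the process tree in this report, plus one benign schtasks control.
SAMPLE_EVENTS = [
    ProcEvent(6316, r"C:\Users\user\Desktop\Invoiceo.exe",
              r"'C:\Users\user\Desktop\Invoiceo.exe'", 3388, r"C:\Windows\explorer.exe"),
    ProcEvent(6584, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Invoiceo.exe'",
              6316, r"C:\Users\user\Desktop\Invoiceo.exe"),
    ProcEvent(6716, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yYxmxiApi' /XML 'C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp'",
              6316, r"C:\Users\user\Desktop\Invoiceo.exe"),
    ProcEvent(6872, r"C:\Users\user\Desktop\Invoiceo.exe",
              r"C:\Users\user\Desktop\Invoiceo.exe", 6316, r"C:\Users\user\Desktop\Invoiceo.exe"),
    ProcEvent(5112, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\SysWOW64\cmd.exe", 3388, r"C:\Windows\explorer.exe"),
    ProcEvent(4604, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\Invoiceo.exe'", 5112, r"C:\Windows\SysWOW64\cmd.exe"),
    # benign control: an admin-created task whose XML lives outside any temp directory
    ProcEvent(7000, r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /Create /TN 'Backup' /XML 'C:\ProgramData\backup.xml'", 900, r"C:\Windows\System32\cmd.exe"),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.IGNORECASE)
SCHTASKS_XML = re.compile(r"/Create\b.*/XML\s+'?\"?([^'\"\s]+)", re.IGNORECASE)
CMD_DEL = re.compile(r"/c\s+del\s+'?\"?([^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply the heuristics to a list of ProcEvent; returns [(rule, pid, detail)] in event order."""
    known_images = {e.image.lower() for e in events}
    hits = []
    for e in events:
        img = e.image.lower()
        base = _basename(img)
        cmd = e.command_line

        # 1. Defender exclusion added via PowerShell ("Adds a directory exclusion to Windows Defender").
        if base == "powershell.exe" and DEFENDER_EXCLUSION.search(cmd):
            hits.append(("defender_exclusion_added", e.pid, cmd))

        # 2. schtasks /Create importing a task XML from a temp directory (the Sigma rule above).
        if base == "schtasks.exe":
            m = SCHTASKS_XML.search(cmd)
            if m and TEMP_DIR.search(m.group(1)):
                hits.append(("scheduled_task_from_temp_xml", e.pid, m.group(1)))

        # 3. A non-system image launching a copy of itself: the usual shape of a loader that
        #    creates a suspended child and hollows it ("Sample uses process hollowing technique").
        if img == e.parent_image.lower() and "\\windows\\" not in img:
            hits.append(("self_spawn_non_system", e.pid, img))

        # 4. explorer.exe starting a binary from SysWOW64 rather than System32. Heuristic only:
        #    here it is the injected 32-bit payload choosing its next host process.
        if _basename(e.parent_image) == "explorer.exe" and "\\syswow64\\" in img:
            hits.append(("wow64_child_of_explorer", e.pid, img))

        # 5. cmd /c del of a file that is the image of a process in the same batch (self-deletion).
        if base == "cmd.exe":
            m = CMD_DEL.search(cmd)
            if m and m.group(1).lower() in known_images:
                hits.append(("deletion_of_executed_image", e.pid, m.group(1)))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

Rule 5 is the one that needs the whole batch rather than a single event: the deleting cmd.exe is a grandchild of explorer.exe, not of Invoiceo.exe, so a parent-child rule would never tie the del command back to the sample; matching the deleted path against every image seen in the window does.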

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.swim-maki.com/csi/"], "decoy": ["crazyonlineboutique.com", "nelivo.com", "chibimama-blog.com", "teachersofnyc.com", "rare-snare.com", "sunriseatlennox.com", "innovate-nation.com", "mahowebcam.com", "foodbyroyalbites.com", "nkm580.com", "premiumplanterboxes.com", "uspaypausa.com", "wto2b.com", "evoocb.com", "missilenttech.com", "adtlive.com", "guapeco.com", "keepfaithful.com", "djayhoward.com", "cora-designstj.com", "furrybasics.com", "tabuk24.com", "bioshope.online", "naturaldesiproducts.com", "ardreykellbaseball.com", "irisettlement.com", "bahama-id.com", "lastweektonight.watch", "professor-ux.com", "lifecompetitions.net", "axislnsmail.com", "dohannor.com", "powertuningfiles.com", "analistaweb.net", "baascompanies.com", "gengkakmona.com", "salonandspaexperts.com", "mynet.ltd", "lionandivy.com", "shopalam.com", "ana9aty.net", "sandostore.com", "theasigosysteminfo.com", "academiadoaprender.com", "akvirtualtours.com", "hecoldwithit.com", "stopsiba.com", "credit780.com", "ss01center.com", "wristaidmd.com", "s2nps.co.uk", "kontrey.com", "cheesecakedactory.com", "bnytechnologies.com", "enhancinggrowth.com", "gorgeus-girl-full-service.today", "bermudesfcrasettlement.com", "beste-gruppe.com", "lfntv.com", "coronarestschuldbefreiung.info", "positivechampions.com", "roadsigntoday.club", "oxytocin.online", "bupamwhub.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\yYxmxiApi.exe | ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: Invoiceo.exe | ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE
Source: 11.2.Invoiceo.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: Invoiceo.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Invoiceo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmd.pdbUGP source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp, cmd.exe, 0000001A.00000002.467560189.0000000000330000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp, cmd.exe, 0000001A.00000002.478791724.000000000348F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp, cmd.exe
Source: Binary string: cmd.pdb source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp, cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0034245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove | 26_2_0034245C
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_003468BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose | 26_2_003468BA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0033B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose | 26_2_0033B89C
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_003385EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW | 26_2_003385EA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_003531DC FindFirstFileW,FindNextFileW,FindClose | 26_2_003531DC
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 4x nop then pop ebx | 11_2_00407AFA
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 4x nop then pop edi | 11_2_00417D66

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 154.207.58.218:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 154.207.58.218:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 154.207.58.218:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.swim-maki.com/csi/
Source: global traffic | HTTP traffic detected:
    GET /csi/?TTgLKx=uFNDtp4H1nDLCVd&mR-ptRI=N6ynhade2rGTzfH7Obdga9j8h7xnVmduHv/FNLw2V1/oBiufSguui3vD99XwSD3G2mHh HTTP/1.1
    Host: www.tabuk24.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: unknown | DNS traffic detected: queries for: www.tabuk24.com
Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmp | String found in binary or memory:
    • http://www.adtlive.com
    • http://www.adtlive.com/csi/
    • http://www.adtlive.com/csi/www.rare-snare.com
    • http://www.adtlive.comReferer:
    • http://www.analistaweb.net
    • http://www.analistaweb.net/csi/
    • http://www.analistaweb.net/csi/www.kontrey.com
    • http://www.analistaweb.netReferer:
    • http://www.bahama-id.com
    • http://www.bahama-id.com/csi/
    • http://www.bahama-id.com/csi/www.uspaypausa.com
    • http://www.bahama-id.comReferer:
    • http://www.bermudesfcrasettlement.com
    • http://www.bermudesfcrasettlement.com/csi/
    • http://www.bermudesfcrasettlement.com/csi/www.salonandspaexperts.com
    • http://www.bermudesfcrasettlement.comReferer:
    • http://www.bioshope.online
    • http://www.bioshope.online/csi/
    • http://www.bioshope.online/csi/www.wristaidmd.com
    • http://www.bioshope.onlineReferer:
    • http://www.foodbyroyalbites.com
    • http://www.foodbyroyalbites.com/csi/
    • http://www.foodbyroyalbites.com/csi/www.bioshope.online
    • http://www.foodbyroyalbites.comReferer:
    • http://www.kontrey.com
    • http://www.kontrey.com/csi/
    • http://www.kontrey.com/csi/www.bahama-id.com
    • http://www.kontrey.comReferer:
    • http://www.naturaldesiproducts.com
    • http://www.naturaldesiproducts.com/csi/
    • http://www.naturaldesiproducts.com/csi/M
    • http://www.naturaldesiproducts.comReferer:
    • http://www.nelivo.com
    • http://www.nelivo.com/csi/
    • http://www.nelivo.com/csi/www.adtlive.com
    • http://www.nelivo.comReferer:
    • http://www.rare-snare.com
    • http://www.rare-snare.com/csi/
    • http://www.rare-snare.com/csi/www.analistaweb.net
    • http://www.rare-snare.comReferer:
    • http://www.salonandspaexperts.com
    • http://www.salonandspaexperts.com/csi/
    • http://www.salonandspaexperts.com/csi/www.foodbyroyalbites.com
    • http://www.salonandspaexperts.comReferer:
    • http://www.ss01center.com
    • http://www.ss01center.com/csi/
    • http://www.ss01center.com/csi/www.naturaldesiproducts.com
    • http://www.ss01center.comReferer:
    • http://www.swim-maki.com
    • http://www.swim-maki.com/csi/
    • http://www.swim-maki.com/csi/www.bermudesfcrasettlement.com
    • http://www.swim-maki.comReferer:
    • http://www.tabuk24.com
    • http://www.tabuk24.com/csi/
    • http://www.tabuk24.com/csi/www.swim-maki.com
    • http://www.tabuk24.comReferer:
    • http://www.uspaypausa.com
Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory:
    • http://fontfabrik.com
    • http://www.apache.org/licenses/LICENSE-2.0
    • http://www.carterandcone.coml
    • http://www.fontbureau.com
    • http://www.fontbureau.com/designers
    • http://www.fontbureau.com/designers/?
    • http://www.fontbureau.com/designers/cabarga.htmlN
    • http://www.fontbureau.com/designers/frere-jones.html
    • http://www.fontbureau.com/designers8
    • http://www.fontbureau.com/designers?
    • http://www.fontbureau.com/designersG
    • http://www.fonts.com
    • http://www.founder.com.cn/cn
    • http://www.founder.com.cn/cn/bThe
    • http://www.founder.com.cn/cn/cThe
    • http://www.galapagosdesign.com/DPlease
    • http://www.galapagosdesign.com/staff/dennis.htm
    • http://www.goodfont.co.kr
    • http://www.jiyu-kobo.co.jp/
    • http://www.sajatypeworks.com
    • http://www.sakkal.com
    • http://www.sandoll.co.kr
    • http://www.tiro.com
    • http://www.typography.netD
    • http://www.urwpp.deDPlease
Source: explorer.exe, 0000000D.00000000.295505046.000000000F640000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000002.405129582.0000000004931000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000003.348127191.00000000090A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co
          Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.uspaypausa.com/csi/
          Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.uspaypausa.com/csi/www.ss01center.com
          Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.uspaypausa.comReferer:
          Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.wristaidmd.com
          Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.wristaidmd.com/csi/
          Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.wristaidmd.com/csi/www.nelivo.com
          Source: explorer.exe, 0000000D.00000002.500356257.00000000056A1000.00000004.00000001.sdmpString found in binary or memory: http://www.wristaidmd.comReferer:
          Source: explorer.exe, 0000000D.00000000.279217207.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: Invoiceo.exeString found in binary or memory: https://github.com/unguest
          Source: Invoiceo.exeString found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
          Source: powershell.exe, 00000004.00000003.320382870.0000000004F91000.00000004.00000001.sdmp, powershell.exe, 00000006.00000003.325533885.0000000005112000.00000004.00000001.sdmp, powershell.exe, 0000000A.00000003.333217488.00000000052FC000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
          Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Invoiceo.exe
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00419D50 NtCreateFile
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00419E00 NtReadFile
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00419E80 NtClose
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00419F30 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00419D4C NtCreateFile
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00419DFA NtReadFile
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00419E7A NtClose
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00419F2A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0033B42E NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_003384BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_003358A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0033B4F8 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0033B4C0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00356D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0035B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00359AB4 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_003383F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033CE730 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03399335 NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03417365 NtQuerySystemInformation
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0345FF69 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033DA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0342176C NtWaitForSingleObject,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033DA770 NtOpenThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9760 NtOpenProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D7742 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0339A7B0 NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033DA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0345F7DD NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0345AFDE NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03446BEA NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033A8F87 NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0341FB88 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03465BA5 NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0339F7C0 NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03421242 NtUnmapViewOfSection,NtClose,NtClose,NtClose,NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0339E620 NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9A20 NtResumeThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D2E1C NtDelayExecution
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03417E63 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9A10 NtQuerySection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0339C600 NtQueryValueKey,NtQueryValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0345F209 NtFreeVirtualMemory,NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033CBE62 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0345EE22 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9650 NtQueryValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03399240 NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03421AD6 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033952A5 NtClose,NtClose,NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03392E9F NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033CD294 NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0344BE9B NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03460EA5 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03413540 NtQueryValueKey,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033A9136 NtProtectVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033DAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033CC532 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03461D55 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033B4120 NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03421570 NtQuerySystemInformation,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9560 NtWriteFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0344FD22 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033C0548 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_034219C8 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03392D8A NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033ADD80 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0344BDFA NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03421C49 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0342C450 NtAdjustPrivilegesToken,NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03421C76 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03421879 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033B746D NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033DB040 NtSuspendThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0345F8C5 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033CF0BF NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0342B8D0 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0339DCA4 NtEnumerateKey,NtClose,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03421CE4 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03417CF9 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03413884 NtQueryValueKey,NtQueryValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033A80FC NtMapViewOfSection,NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033D98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00346550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0034374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 0_2_025F94A8
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 0_2_025FC148
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 0_2_025FA758
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 0_2_025FF838
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00C481C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00C43148
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00C4EDA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00C41DA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00C489A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00C481C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00C49BA0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00C4BD20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00C93840
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00C9CA60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00C98DD8
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00401030
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00401208
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_0041DAF0
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_0041D3F7
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_0041DCDE
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00402D90
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00409E30
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_0041CF96
Source: C:\Users\user\Desktop\Invoiceo.exe | Code function: 11_2_00402FB0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0033D803
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0033E040
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00339CF0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_003348E6
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00355CEA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00353506
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00341969
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00346550
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00337190
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_003531DC
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0033FA30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00335226
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00335E70
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00338AD7
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0033CB48
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00356FF0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_00345FC8
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033CEBB0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033B6E30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03461D55
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03390D20
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033B4120
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_0339F900
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033A841F
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_03451002
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 26_2_033AB090
Source: Invoiceo.exe, 00000000.00000002.229009371.000000000B700000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000002.230389310.000000000B7F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000002.230389310.000000000B7F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000002.217060931.0000000002741000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000000.199355092.00000000003CE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSynchronizedList.exe6 vs Invoiceo.exe
Source: Invoiceo.exe, 00000000.00000003.204309078.00000000038B3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs Invoiceo.exe
Source: Invoiceo.exe, 0000000B.00000003.322550365.0000000000E90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs Invoiceo.exe
Source: Invoiceo.exe, 0000000B.00000002.334267380.000000000123F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Invoiceo.exe
Source: Invoiceo.exe, 0000000B.00000000.214276014.000000000069E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSynchronizedList.exe6 vs Invoiceo.exe
Source: Invoiceo.exe | Binary or memory string: OriginalFilenameSynchronizedList.exe6 vs Invoiceo.exe
Source: Invoiceo.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.220474872.0000000003749000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.324137848.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001A.00000002.469448045.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.329186274.0000000000C40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.476129383.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Invoiceo.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.Invoiceo.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Invoiceo.exe.37e7df0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Invoiceo.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: yYxmxiApi.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@19/19@3/1
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 26_2_0033C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,26_2_0033C5CA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 26_2_0035A0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,26_2_0035A0D2
          Source: C:\Users\user\Desktop\Invoiceo.exeFile created: C:\Users\user\AppData\Roaming\yYxmxiApi.exeJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2152:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6732:120:WilError_01
          Source: C:\Users\user\Desktop\Invoiceo.exeMutant created: \Sessions\1\BaseNamedObjects\HHooNBuZKemHGrt
          Source: C:\Users\user\Desktop\Invoiceo.exeFile created: C:\Users\user\AppData\Local\Temp\tmpEE1D.tmp