Analysis Report 202139769574 Shipping Documents.exe

Overview

General Information

Sample Name: 202139769574 Shipping Documents.exe
Analysis ID: 403523
MD5: eee5f618718bc8237bb9c7a48154cf1a
SHA1: 84dc873f65dc9e86978944d1adddb762efcf2631
SHA256: cc7b066e0fa912d406c27790458ad6feb171b27275b6e3fe46b7a7574da7bfce
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 202139769574 Shipping Documents.exe (PID: 6728 cmdline: 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe' MD5: EEE5F618718BC8237BB9C7A48154CF1A)
    • 202139769574 Shipping Documents.exe (PID: 6808 cmdline: 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe' MD5: EEE5F618718BC8237BB9C7A48154CF1A)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 6488 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 5892 cmdline: /c del 'C:\Users\user\Desktop\202139769574 Shipping Documents.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.magnumopuspro.com/nyr/"], "decoy": ["anemone-vintage.com", "ironcitytools.com", "joshandmatthew.com", "breathtakingscenery.photos", "karabakh-terror.com", "micahelgall.com", "entretiendesterrasses.com", "mhgholdings.com", "blewm.com", "sidewalknotary.com", "ytrs-elec.com", "danhpham.com", "ma21cle2henz.xyz", "lotusforlease.com", "shipleyphotoandfilm.com", "bulktool.xyz", "ouedzmala.com", "yichengvpr.com", "connectmygames.com", "chjcsc.com", "dope-chocolate.com", "tacowench.com", "projectsbay.com", "xn--pgboc92d.com", "royaldropofoil.com", "ranguanglian.club", "mobilne-kucice.com", "buytsycon.com", "goiasbets.net", "blpetroleum.com", "starrealms.net", "exclusiveflooringcollection.com", "kudalive.com", "tienda-sky.com", "drillinginsider.info", "theglasshousenyc.com", "vietnammoi.xyz", "walterbenicio.com", "zoomtvliveshows.xyz", "boujiehoodbaby.com", "yzyangyu.com", "exploreecetera.com", "sycord.com", "waykifood.com", "shadingconsultancy.com", "precedentai.net", "linhanhkitchen.com", "expekt24.com", "socialdating24.com", "lubvim.com", "floryi.com", "alerist.com", "maluss.com", "hitbbq.com", "alerrandrotattoo.com", "algoplayer.com", "idahooutsiders.com", "qygmuakhk.club", "neverpossible.com", "winparadigm.com", "toughdecorative.com", "yourbuildmedia.com", "summercrowd.com", "josemvazquez.com"]}

Yara Overview

Memory Dumps

Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 entries in total)

Unpacked PEs

Source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries in total)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 202139769574 Shipping Documents.exe, Virustotal: Detection: 33%
Source: 202139769574 Shipping Documents.exe, ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match, File source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 202139769574 Shipping Documents.exe, Joe Sandbox ML: detected
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 202139769574 Shipping Documents.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 202139769574 Shipping Documents.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.671162738.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 202139769574 Shipping Documents.exe, 00000001.00000003.646868549.0000000003230000.00000004.00000001.sdmp, 202139769574 Shipping Documents.exe, 00000002.00000002.700767024.0000000000A90000.00000040.00000001.sdmp, mstsc.exe, 00000007.00000002.909918766.00000000047C0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 202139769574 Shipping Documents.exe, mstsc.exe
          Source: Binary string: mstsc.pdbGCTL source: 202139769574 Shipping Documents.exe, 00000002.00000002.701928540.0000000002700000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdb source: 202139769574 Shipping Documents.exe, 00000002.00000002.701928540.0000000002700000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.671162738.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe, Code function: 1_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,1_2_004059F0
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe, Code function: 1_2_0040659C FindFirstFileA,FindClose,1_2_0040659C
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe, Code function: 1_2_004027A1 FindFirstFileA,1_2_004027A1
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe, Code function: 4x nop then pop esi, 2_2_004172F1
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe, Code function: 4x nop then pop edi, 2_2_0040E429
Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 4x nop then pop esi, 7_2_004872F1
Source: C:\Windows\SysWOW64\mstsc.exe, Code function: 4x nop then pop edi, 7_2_0047E429

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.magnumopuspro.com/nyr/
Source: global traffic, HTTP traffic detected: GET /nyr/?tVZl=MKniHD/KKNZ944A0QkseLq559MRPs5jQaAqVav9SZ3PAwf03LQBPNZ+ImXhjCplVxvzR&U4kp=NtxHhLZ8S6kT5jw HTTP/1.1 Host: www.maluss.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /nyr/?tVZl=EDKKYtZbbvwE4Q/e7xe/ld4gtfmRUWoVn+FtgOYbXYxqqFBCU6VSMnG1GKc/0KEvkVST&U4kp=NtxHhLZ8S6kT5jw HTTP/1.1 Host: www.exclusiveflooringcollection.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View, IP Address: 198.185.159.144
Source: Joe Sandbox View, IP Address: 23.227.38.74
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: unknown, DNS traffic detected: queries for: www.magnumopuspro.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: 202139769574 Shipping Documents.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 202139769574 Shipping Documents.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000002.909702700.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.684148917.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe, Code function: 1_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_0040548D

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File sources: the same 8 memory dumps and 6 unpacked PEs listed under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Executable has a suspicious name (potential lure to open the executable)Show sources
          Source: 202139769574 Shipping Documents.exeStatic file information: Suspicious name
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: 202139769574 Shipping Documents.exe
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00419E90 NtClose
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00419D5A NtCreateFile
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9820 NtEnumerateKey
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AFB040 NtSuspendThread
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9950 NtQueueApcThread
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9A10 NtQuerySection
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AFA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9B00 NtSetValueKey
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AFAD30 NtSetContextThread
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9560 NtWriteFile
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF96D0 NtCreateKey
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9650 NtQueryValueKey
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AFA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9760 NtOpenProcess
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AF9770 NtSetInformationFile
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AFA770 NtOpenThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048299A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048295D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048296D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048296E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048298A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048298F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829820 NtEnumerateKey
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_0482B040 NtSuspendThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048299D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048295F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_0482AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829950 NtQueueApcThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829560 NtWriteFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829A10 NtQuerySection
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829A20 NtResumeThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048297A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_0482A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829B00 NtSetValueKey
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_0482A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829760 NtOpenProcess
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04829770 NtSetInformationFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_0482A770 NtOpenThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_00489D60 NtCreateFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_00489E10 NtReadFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_00489E90 NtClose
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_00489F40 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_00489D5A NtCreateFile
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 1_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 1_2_00406925
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_0041E853
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_0041D07C
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_0041E00E
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00401030
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_0041EA8B
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00402D87
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00409E40
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00409E3C
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AE20A0
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00B820A8
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00ACB090
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00B71002
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AD4120
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00ABF900
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00B822AE
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AEEBB0
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00B7DBD2
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00B82B28
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AC841F
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AE2581
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00ACD5E0
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00B825DD
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AB0D20
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00B82D07
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00B81D55
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00B82EF7
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00AD6E30
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 2_2_00B81FF1
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048120A0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048B20A8
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_047F841F
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048A1002
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_047FB090
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04812581
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_047E0D20
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_047EF900
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048B2D07
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_047FD5E0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04804120
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048B1D55
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048B22AE
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048B2EF7
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_04806E30
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_0481EBB0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048B1FF1
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_048B2B28
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_0048D07C
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_0048E00E
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_00472D87
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_00472D90
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_00479E40
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_00479E3C
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 7_2_00472FB0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 047EB150 appears 35 times
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: String function: 00ABB150 appears 35 times
Source: 202139769574 Shipping Documents.exe, 00000001.00000003.646094416.000000000334F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 202139769574 Shipping Documents.exe
Source: 202139769574 Shipping Documents.exe, 00000002.00000002.701116428.0000000000BAF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 202139769574 Shipping Documents.exe
Source: 202139769574 Shipping Documents.exe, 00000002.00000002.702183379.0000000002823000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemstsc.exej% vs 202139769574 Shipping Documents.exe
Source: 202139769574 Shipping Documents.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.699986623.0000000000620000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.657714825.0000000003070000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.698729438.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.700421859.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.907951301.0000000000C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.907352431.0000000000470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.650273193.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.907896289.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.202139769574 Shipping Documents.exe.3070000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.202139769574 Shipping Documents.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/4@3/2
Source: C:\Users\user\Desktop\202139769574 Shipping Documents.exe | Code function: 1_2_00403461 EntryPoint