Analysis Report w73FtMA4ZTl9NFm.exe

Overview

General Information

Sample Name: w73FtMA4ZTl9NFm.exe
Analysis ID: 403703
MD5: ff44bfe6955f4d11f915b4a0b818fc7c
SHA1: 3e094caff011346ad02aeafcb5769a519cf10dc0
SHA256: 929fd55e632471f4f35295e574c6814a3de9662398b7a606e352ecba9c52de7e
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CMSTP Execution Process Creation
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • w73FtMA4ZTl9NFm.exe (PID: 3764 cmdline: 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe' MD5: FF44BFE6955F4D11F915B4A0B818FC7C)
    • w73FtMA4ZTl9NFm.exe (PID: 1168 cmdline: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe MD5: FF44BFE6955F4D11F915B4A0B818FC7C)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 6400 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 6804 cmdline: /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.naiping8.com/blm/"], "decoy": ["basilaws.com", "laesses.com", "isematsudai.com", "cafperfect.com", "listocalistoanimation.com", "bikesofthefuture.com", "sweette.com", "instagramhelpsnow.com", "wuxians.com", "canadianpayday.loans", "tiklaulan.xyz", "marketingbuddhi.com", "centrocaninopochs.com", "doodletrends.com", "praiship.com", "alghuta.com", "kompramania.com", "thenewdawncompany.com", "shopthegoodbar.com", "emergencyuavsolutions.com", "mayratienecasas.com", "gitaffiliate.com", "jdanielfit.com", "raisingarrowsbirthservices.com", "shirleyvansteenis.com", "jrlsports.com", "untiedpockets.com", "dingdongpaw.com", "skytrustconstruction.com", "shainamgmtsolns.com", "findinkjams.com", "erisedu.com", "marikell.com", "nelivo.com", "nyatigroupera.net", "herbyvet.com", "satviksumi.com", "earthnetic.com", "coronamimos.com", "neurologistaandreialamberti.com", "tom-kiesel.com", "creativegrowthllc.com", "unitrackerindo.com", "bgetaway.com", "humanmarijuana.com", "somuch2dohere.com", "gpt4every.com", "hunandanei.com", "honu360vr.com", "abn-co-host-listing-46731.xyz", "sitewebinfo.com", "iqiongtian.com", "evolvecommpr.com", "4980061061670012.xyz", "checkoutmyimages.com", "shifamedico.com", "tonygwynnclassic.com", "shopalndrinks.com", "nawabebiryanis.com", "productionlads.com", "zhjuku.com", "hbchuangjie.com", "fleurdelyshospitality.net", "tiffanybluandyou.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: CMSTP Execution Process Creation
Source: Process started, Author: Nik Seetharaman, Data: Command: /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe', CommandLine: /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 6400, ProcessCommandLine: /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe', ProcessId: 6804
Sigma detected: System File Execution Location Anomaly
Source: Process started, Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe, ParentImage: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe, ParentProcessId: 1168, ProcessCommandLine: , ProcessId: 3292

Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (the extracted configuration, C2 list and decoy domains, is given in full in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: w73FtMA4ZTl9NFm.exe, Virustotal: Detection: 30%
Source: w73FtMA4ZTl9NFm.exe, ReversingLabs: Detection: 44%
Yara detected FormBook
Source: Yara match, File source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE
Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: w73FtMA4ZTl9NFm.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: w73FtMA4ZTl9NFm.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL, source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP, source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe
Source: Binary string: cmstp.pdb, source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_0C1482B8)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_0C1482B3)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_0C149390)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_0C149381)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_0C1483E4)
Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe, Code function: 4x nop then pop edi (3_2_00416C8C)
Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop edi (7_2_00696C8C)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 64.190.62.111:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 64.190.62.111:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 64.190.62.111:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.naiping8.com/blm/
Source: global traffic, HTTP traffic detected: GET /blm/?v4=jT8U/4hmrcCGqX5zF6RLU3xaP16cys1ENKtgh6K33uf7HOVcxmeLoGjIinA45QceqzYG68+/fQ==&Jr=V48DzvNH HTTP/1.1, Host: www.kompramania.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 198.54.117.212
Source: global traffic, HTTP traffic detected: GET /blm/?v4=jT8U/4hmrcCGqX5zF6RLU3xaP16cys1ENKtgh6K33uf7HOVcxmeLoGjIinA45QceqzYG68+/fQ==&Jr=V48DzvNH HTTP/1.1, Host: www.kompramania.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: unknown, DNS traffic detected: queries for: clientconfig.passport.net
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246739537.00000000035E1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000002.524154545.000000000686B000.00000004.00000001.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.273388451.000000000BE76000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: w73FtMA4ZTl9NFm.exe, String found in binary or memory: https://github.com/unguest
Source: w73FtMA4ZTl9NFm.exe, String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE

System Summary:

            Malicious sample detected (through community Yara rule)Show sources
            Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exeCode function: 3_2_00419D50 NtCreateFile,3_2_00419D50
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exeCode function: 3_2_00419E00 NtReadFile,3_2_00419E00
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exeCode function: 3_2_00419E80 NtClose,3_2_00419E80
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exeCode function: 3_2_00419F30 NtAllocateVirtualMemory,3_2_00419F30
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exeCode function: 3_2_00419D4A NtCreateFile,3_2_00419D4A
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exeCode function: 3_2_00419DFA NtReadFile,3_2_00419DFA
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exeCode function: 3_2_00419E7A NtClose,3_2_00419E7A
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exeCode function: 3_2_00419F2A NtAllocateVirtualMemory,3_2_00419F2A
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04639860 NtQuerySystemInformation,LdrInitializeThunk,7_2_04639860
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04639840 NtDelayExecution,LdrInitializeThunk,7_2_04639840
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04639540 NtReadFile,LdrInitializeThunk,7_2_04639540
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04639910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_04639910
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046395D0 NtClose,LdrInitializeThunk,7_2_046395D0
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046399A0 NtCreateSection,LdrInitializeThunk,7_2_046399A0
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04639660 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_04639660
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04639A50 NtCreateFile,LdrInitializeThunk,7_2_04639A50
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04639650 NtQueryValueKey,LdrInitializeThunk,7_2_04639650
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046396E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_046396E0
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_046396D0 NtCreateKey,LdrInitializeThunk,7_2_046396D0
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04639710 NtQueryInformationToken,LdrInitializeThunk,7_2_04639710
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04639FE0 NtCreateMutant,LdrInitializeThunk,7_2_04639FE0
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_04639780 NtMapViewOfSection,LdrInitializeThunk,7_2_04639780
            Source: C:\Windows\SysWOW64\cmstp.exeCode function: 7_2_0463B040 NtSuspendThread,7_2_0463B040
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639820 NtEnumerateKey, 7_2_04639820
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046398F0 NtReadVirtualMemory, 7_2_046398F0
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046398A0 NtWriteVirtualMemory, 7_2_046398A0
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639560 NtWriteFile, 7_2_04639560
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639950 NtQueueApcThread, 7_2_04639950
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639520 NtWaitForSingleObject, 7_2_04639520
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0463AD30 NtSetContextThread, 7_2_0463AD30
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046395F0 NtQueryInformationFile, 7_2_046395F0
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046399D0 NtCreateProcessEx, 7_2_046399D0
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639670 NtQueryInformationProcess, 7_2_04639670
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639A20 NtResumeThread, 7_2_04639A20
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639A00 NtProtectVirtualMemory, 7_2_04639A00
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639610 NtEnumerateValueKey, 7_2_04639610
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639A10 NtQuerySection, 7_2_04639A10
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639A80 NtOpenDirectoryObject, 7_2_04639A80
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639760 NtOpenProcess, 7_2_04639760
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639770 NtSetInformationFile, 7_2_04639770
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0463A770 NtOpenThread, 7_2_0463A770
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639730 NtQueryVirtualMemory, 7_2_04639730
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_04639B00 NtSetValueKey, 7_2_04639B00
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0463A710 NtOpenProcessToken, 7_2_0463A710
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_046397A0 NtUnmapViewOfSection, 7_2_046397A0
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0463A3B0 NtGetContextThread, 7_2_0463A3B0
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699D50 NtCreateFile, 7_2_00699D50
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699E00 NtReadFile, 7_2_00699E00
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699E80 NtClose, 7_2_00699E80
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699F30 NtAllocateVirtualMemory, 7_2_00699F30
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699D4A NtCreateFile, 7_2_00699D4A
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699DFA NtReadFile, 7_2_00699DFA
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699E7A NtClose, 7_2_00699E7A
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00699F2A NtAllocateVirtualMemory, 7_2_00699F2A
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 045FB150 appears 35 times
            Source: w73FtMA4ZTl9NFm.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: w73FtMA4ZTl9NFm.exe Binary or memory string: OriginalFilename vs w73FtMA4ZTl9NFm.exe
            Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs w73FtMA4ZTl9NFm.exe
            Source: w73FtMA4ZTl9NFm.exe, 00000001.00000003.241311005.0000000004753000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs w73FtMA4ZTl9NFm.exe
            Source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMSTP.EXE` vs w73FtMA4ZTl9NFm.exe
            Source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs w73FtMA4ZTl9NFm.exe
            Source: w73FtMA4ZTl9NFm.exe Binary or memory string: OriginalFilenameImporterCallback.exe6 vs w73FtMA4ZTl9NFm.exe
            Source: w73FtMA4ZTl9NFm.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
            Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.287250589.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.288102436.00000000018D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.508139744.0000000004460000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.287644899.0000000001550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.502602967.0000000000680000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.247215566.00000000045E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.505004698.0000000002C20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.2.w73FtMA4ZTl9NFm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.w73FtMA4ZTl9NFm.exe.46875f8.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: w73FtMA4ZTl9NFm.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@4/1
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\w73FtMA4ZTl9NFm.exe.log
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_01
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
            Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
            Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
            Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
            Source: w73FtMA4ZTl9NFm.exe, 00000001.00000002.246792230.0000000003635000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
            Source: w73FtMA4ZTl9NFm.exe Virustotal: Detection: 30%
            Source: w73FtMA4ZTl9NFm.exe ReversingLabs: Detection: 44%
            Source: unknown Process created: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe'
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Process created: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe
            Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
            Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe'
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: w73FtMA4ZTl9NFm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: w73FtMA4ZTl9NFm.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: cmstp.pdbGCTL source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe, 00000007.00000002.508499448.00000000045D0000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.287846325.00000000016BF000.00000040.00000001.sdmp, cmstp.exe
            Source: Binary string: cmstp.pdb source: w73FtMA4ZTl9NFm.exe, 00000003.00000002.288143631.0000000001910000.00000040.00000001.sdmp
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_00FD94E5 push cs; iretd 1_2_00FD94E6
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 1_2_00FD9485 push cs; ret 1_2_00FD9492
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00404A36 push edi; iretd 3_2_00404A38
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00417296 push ebx; iretd 3_2_0041729B
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00409BAC push es; ret 3_2_00409BAD
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041CEF2 push eax; ret 3_2_0041CEF8
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041CEFB push eax; ret 3_2_0041CF62
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041CEA5 push eax; ret 3_2_0041CEF8
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_0041CF5C push eax; ret 3_2_0041CF62
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00B09485 push cs; ret 3_2_00B09492
            Source: C:\Users\user\Desktop\w73FtMA4ZTl9NFm.exe Code function: 3_2_00B094E5 push cs; iretd 3_2_00B094E6
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0464D0D1 push ecx; ret 7_2_0464D0E4
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00684A36 push edi; iretd 7_2_00684A38
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00697296 push ebx; iretd 7_2_0069729B
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069D3F6 pushad ; ret 7_2_0069D3F7
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_00689BAC push es; ret 7_2_00689BAD
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069D51B pushfd ; retf 7_2_0069D51C
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069CEFB push eax; ret 7_2_0069CF62
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069CEF2 push eax; ret 7_2_0069CEF8
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069CEA5 push eax; ret 7_2_0069CEF8
            Source: C:\Windows\SysWOW64\cmstp.exe Code function: 7_2_0069CF5C push eax; ret 7_2_0069CF62
            Source: initial sample Static PE information: section name: .text entropy: 7.93272076919

            Hooking and other Techniques for Hiding and Protection:
