Analysis Report Ms5nQdSz5l.exe

Overview

General Information

Sample Name: Ms5nQdSz5l.exe
Analysis ID: 404105
MD5: ba01df16e4c876e078348fd4479a8fdf
SHA1: 6c7f20976d3e7d9bf9f8a410cbc54962d1ef52bb
SHA256: 8353e30c6566795da3e5aa38a22b4707ee895cfa115ffa399cfbe7d57d00f91d
Tags: AgentTesla, exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Ms5nQdSz5l.exe (PID: 3560 cmdline: 'C:\Users\user\Desktop\Ms5nQdSz5l.exe' MD5: BA01DF16E4C876E078348FD4479A8FDF)
    • powershell.exe (PID: 6188 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6208 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6268 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zFVxYeAVOjnwuB' /XML 'C:\Users\user\AppData\Local\Temp\tmp7635.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6424 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Ms5nQdSz5l.exe (PID: 6452 cmdline: C:\Users\user\Desktop\Ms5nQdSz5l.exe MD5: BA01DF16E4C876E078348FD4479A8FDF)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 2196 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 6848 cmdline: /c del 'C:\Users\user\Desktop\Ms5nQdSz5l.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.kelurahanpatikidul.xyz/op9s/"], "decoy": ["playsystems-j.one", "exchange.digital", "usaleadsretrieval.com", "mervegulistanaydin.com", "heavythreadclothing.com", "attorneyperu.com", "lamuerteesdulce.com", "catxirulo.com", "willowrunconnemaras.com", "laospecial.com", "anchotrading.com", "mycreditebook.com", "jiujiu.plus", "juniperconsulting.site", "millionairsmindset.com", "coronaviruscuredrugs.com", "services-office.com", "escanaim.com", "20svip.com", "pistonpounder.com", "lasecrete.com", "sabaimeds.com", "madinatalmandi.com", "jumlasx.xyz", "smartspeicher.net", "punkyprincess.com", "herren-pharma.com", "belfastoutboard.com", "safifinancial.info", "xn--15q04wjma805a84qsls.net", "washingtonrealestatefinder.com", "jewishdiaspora.com", "aerinfranklin.com", "taylorglennconsulting.com", "fartoogood.com", "samjinblock.com", "minianimedoll.com", "saporilog.com", "littlebirdwire.com", "xn--farmasi-kayt-c5b.com", "purifiedgroup.com", "purifymd.com", "renewedspacesofva.com", "pilardasaude.com", "varietycomplex.com", "leadsprovider.info", "streamxvid.com", "manuelbriand.com", "hellosunshinecrafts.com", "hellodecimal.com", "4980057280880200.xyz", "dynmit021.digital", "hotdogvlog.com", "fairyrugs.com", "ievapocyte.com", "prospecsports.com", "proteknical.com", "36rn.com", "mongdols.com", "rentportals.com", "drcpzc.com", "h59h.com", "sonjowasi.com", "nalanmeat.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.Ms5nQdSz5l.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.Ms5nQdSz5l.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.Ms5nQdSz5l.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\Ms5nQdSz5l.exe', ParentImage: C:\Users\user\Desktop\Ms5nQdSz5l.exe, ParentProcessId: 3560, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Ms5nQdSz5l.exe', ProcessId: 6188

Signature Overview

AV Detection:

Found malware configuration
Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.kelurahanpatikidul.xyz/op9s/"], "decoy": ["playsystems-j.one", "exchange.digital", "usaleadsretrieval.com", "mervegulistanaydin.com", "heavythreadclothing.com", "attorneyperu.com", "lamuerteesdulce.com", "catxirulo.com", "willowrunconnemaras.com", "laospecial.com", "anchotrading.com", "mycreditebook.com", "jiujiu.plus", "juniperconsulting.site", "millionairsmindset.com", "coronaviruscuredrugs.com", "services-office.com", "escanaim.com", "20svip.com", "pistonpounder.com", "lasecrete.com", "sabaimeds.com", "madinatalmandi.com", "jumlasx.xyz", "smartspeicher.net", "punkyprincess.com", "herren-pharma.com", "belfastoutboard.com", "safifinancial.info", "xn--15q04wjma805a84qsls.net", "washingtonrealestatefinder.com", "jewishdiaspora.com", "aerinfranklin.com", "taylorglennconsulting.com", "fartoogood.com", "samjinblock.com", "minianimedoll.com", "saporilog.com", "littlebirdwire.com", "xn--farmasi-kayt-c5b.com", "purifiedgroup.com", "purifymd.com", "renewedspacesofva.com", "pilardasaude.com", "varietycomplex.com", "leadsprovider.info", "streamxvid.com", "manuelbriand.com", "hellosunshinecrafts.com", "hellodecimal.com", "4980057280880200.xyz", "dynmit021.digital", "hotdogvlog.com", "fairyrugs.com", "ievapocyte.com", "prospecsports.com", "proteknical.com", "36rn.com", "mongdols.com", "rentportals.com", "drcpzc.com", "h59h.com", "sonjowasi.com", "nalanmeat.com"]}
Multi AV Scanner detection for submitted file
Source: Ms5nQdSz5l.exe, Virustotal: Detection: 26%
Yara detected FormBook
Source: Yara match, File source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Ms5nQdSz5l.exe, Joe Sandbox ML: detected
Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Ms5nQdSz5l.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Ms5nQdSz5l.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.350623298.000000000F5A0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Ms5nQdSz5l.exe, 00000009.00000003.243388587.0000000000F30000.00000004.00000001.sdmp, mstsc.exe, 00000017.00000002.506619622.0000000004F60000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Ms5nQdSz5l.exe, mstsc.exe
Source: Binary string: mstsc.pdbGCTL source: Ms5nQdSz5l.exe, 00000009.00000002.389539524.0000000002FA0000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdb source: Ms5nQdSz5l.exe, 00000009.00000002.389539524.0000000002FA0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.350623298.000000000F5A0000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.kelurahanpatikidul.xyz/op9s/
Performs DNS queries to domains with low reputation
Source: DNS query: www.4980057280880200.xyz
Source: global traffic, HTTP traffic detected: GET /op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX HTTP/1.1 Host: www.safifinancial.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /op9s/?kxl0=3OIkoiHCzE1hCgamnAGWyNY23l3GjmrmFj0eumUXTWZXUNP+r8qibU1KsAhTf4lNnle5&kPm0g=K8kX HTTP/1.1 Host: www.safifinancial.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown, DNS traffic detected: queries for: www.safifinancial.info
Source: powershell.exe, 00000007.00000003.422711035.0000000008CEA000.00000004.00000001.sdmp, String found in binary or memory: http://crl.microsoft.
Source: powershell.exe, 00000007.00000003.422711035.0000000008CEA000.00000004.00000001.sdmp, String found in binary or memory: http://crl.microszt
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Ms5nQdSz5l.exe, 00000000.00000002.244358631.00000000030A1000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.439791337.00000000048F1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ms5nQdSz5l.exe, Ms5nQdSz5l.exe, 00000009.00000000.239718276.0000000000622000.00000002.00020000.sdmp, mstsc.exe, 00000017.00000002.504404849.0000000004C22000.00000004.00000001.sdmp, String found in binary or memory: http://vbcity.com/forums/t/51894.aspx
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000B.00000000.340228589.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: Ms5nQdSz5l.exe, Ms5nQdSz5l.exe, 00000009.00000000.239718276.0000000000622000.00000002.00020000.sdmp, mstsc.exe, 00000017.00000002.504404849.0000000004C22000.00000004.00000001.sdmp, String found in binary or memory: https://github.com/MrCylops
Source: powershell.exe, 00000001.00000003.340504471.000000000095B000.00000004.00000001.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000003.361866562.00000000052D1000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.360111569.0000000005297000.00000004.00000001.sdmp, powershell.exe, 00000007.00000003.375059377.0000000004D54000.00000004.00000001.sdmp, String found in binary or memory: https://go.micro
Source: Ms5nQdSz5l.exe, 00000000.00000002.244848699.00000000030F4000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Ms5nQdSz5l.exe, 00000000.00000002.242851987.0000000001380000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.Ms5nQdSz5l.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_0041A060 NtClose, 9_2_0041A060
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_0041A110 NtAllocateVirtualMemory, 9_2_0041A110
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_00419F30 NtCreateFile, 9_2_00419F30
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_00419FE0 NtReadFile, 9_2_00419FE0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139910 NtAdjustPrivilegesToken, LdrInitializeThunk, 9_2_01139910
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_011399A0 NtCreateSection, LdrInitializeThunk, 9_2_011399A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139840 NtDelayExecution, LdrInitializeThunk, 9_2_01139840
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139860 NtQuerySystemInformation, LdrInitializeThunk, 9_2_01139860
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_011398F0 NtReadVirtualMemory, LdrInitializeThunk, 9_2_011398F0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139A00 NtProtectVirtualMemory, LdrInitializeThunk, 9_2_01139A00
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139A20 NtResumeThread, LdrInitializeThunk, 9_2_01139A20
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139A50 NtCreateFile, LdrInitializeThunk, 9_2_01139A50
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139540 NtReadFile, LdrInitializeThunk, 9_2_01139540
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_011395D0 NtClose, LdrInitializeThunk, 9_2_011395D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139710 NtQueryInformationToken, LdrInitializeThunk, 9_2_01139710
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139780 NtMapViewOfSection, LdrInitializeThunk, 9_2_01139780
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_011397A0 NtUnmapViewOfSection, LdrInitializeThunk, 9_2_011397A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139660 NtAllocateVirtualMemory, LdrInitializeThunk, 9_2_01139660
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_011396E0 NtFreeVirtualMemory, LdrInitializeThunk, 9_2_011396E0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139950 NtQueueApcThread, 9_2_01139950
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_011399D0 NtCreateProcessEx, 9_2_011399D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139820 NtEnumerateKey, 9_2_01139820
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_0113B040 NtSuspendThread, 9_2_0113B040
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_011398A0 NtWriteVirtualMemory, 9_2_011398A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139B00 NtSetValueKey, 9_2_01139B00
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_0113A3B0 NtGetContextThread, 9_2_0113A3B0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139A10 NtQuerySection, 9_2_01139A10
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139A80 NtOpenDirectoryObject, 9_2_01139A80
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_0113AD30 NtSetContextThread, 9_2_0113AD30
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139520 NtWaitForSingleObject, 9_2_01139520
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139560 NtWriteFile, 9_2_01139560
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_011395F0 NtQueryInformationFile, 9_2_011395F0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_0113A710 NtOpenProcessToken, 9_2_0113A710
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139730 NtQueryVirtualMemory, 9_2_01139730
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_0113A770 NtOpenThread, 9_2_0113A770
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139770 NtSetInformationFile, 9_2_01139770
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139760 NtOpenProcess, 9_2_01139760
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139FE0 NtCreateMutant, 9_2_01139FE0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139610 NtEnumerateValueKey, 9_2_01139610
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139650 NtQueryValueKey, 9_2_01139650
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_01139670 NtQueryInformationProcess, 9_2_01139670
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe, Code function: 9_2_011396D0 NtCreateKey, 9_2_011396D0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9860 NtQuerySystemInformation,LdrInitializeThunk,23_2_04FC9860
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9840 NtDelayExecution,LdrInitializeThunk,23_2_04FC9840
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC95D0 NtClose,LdrInitializeThunk,23_2_04FC95D0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC99A0 NtCreateSection,LdrInitializeThunk,23_2_04FC99A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9540 NtReadFile,LdrInitializeThunk,23_2_04FC9540
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,23_2_04FC9910
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC96E0 NtFreeVirtualMemory,LdrInitializeThunk,23_2_04FC96E0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC96D0 NtCreateKey,LdrInitializeThunk,23_2_04FC96D0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9660 NtAllocateVirtualMemory,LdrInitializeThunk,23_2_04FC9660
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9650 NtQueryValueKey,LdrInitializeThunk,23_2_04FC9650
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9A50 NtCreateFile,LdrInitializeThunk,23_2_04FC9A50
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9FE0 NtCreateMutant,LdrInitializeThunk,23_2_04FC9FE0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9780 NtMapViewOfSection,LdrInitializeThunk,23_2_04FC9780
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9710 NtQueryInformationToken,LdrInitializeThunk,23_2_04FC9710
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC98F0 NtReadVirtualMemory,23_2_04FC98F0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC98A0 NtWriteVirtualMemory,23_2_04FC98A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCB040 NtSuspendThread,23_2_04FCB040
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9820 NtEnumerateKey,23_2_04FC9820
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC95F0 NtQueryInformationFile,23_2_04FC95F0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC99D0 NtCreateProcessEx,23_2_04FC99D0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9560 NtWriteFile,23_2_04FC9560
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9950 NtQueueApcThread,23_2_04FC9950
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCAD30 NtSetContextThread,23_2_04FCAD30
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9520 NtWaitForSingleObject,23_2_04FC9520
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9A80 NtOpenDirectoryObject,23_2_04FC9A80
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9670 NtQueryInformationProcess,23_2_04FC9670
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9A20 NtResumeThread,23_2_04FC9A20
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9610 NtEnumerateValueKey,23_2_04FC9610
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9A10 NtQuerySection,23_2_04FC9A10
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9A00 NtProtectVirtualMemory,23_2_04FC9A00
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCA3B0 NtGetContextThread,23_2_04FCA3B0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC97A0 NtUnmapViewOfSection,23_2_04FC97A0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9770 NtSetInformationFile,23_2_04FC9770
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCA770 NtOpenThread,23_2_04FCA770
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9760 NtOpenProcess,23_2_04FC9760
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9730 NtQueryVirtualMemory,23_2_04FC9730
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCA710 NtOpenProcessToken,23_2_04FCA710
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9B00 NtSetValueKey,23_2_04FC9B00
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AEA060 NtClose,23_2_00AEA060
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AEA110 NtAllocateVirtualMemory,23_2_00AEA110
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AE9FE0 NtReadFile,23_2_00AE9FE0
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AE9F30 NtCreateFile,23_2_00AE9F30
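          The Code function rows above are worth more than a list of names. Read per process, they show which native stubs Ms5nQdSz5l.exe (PID 9) and mstsc.exe (PID 23) resolve, and the addresses pair up: every stub at 0x0113xxxx in PID 9 has a twin at 0x04FCxxxx in PID 23 with the same low 16 bits, a constant delta that only appears when the same code is loaded into both processes at different bases. The script below is an added example, not Joe Sandbox code: it parses these rows as extracted (Source and Code function columns run together, the function id repeated as a trailing column), groups the Nt* stubs by PID, checks them against a small injection-technique table that is this example's own heuristic, and counts address deltas between the two processes. The sample rows are copied from the report; the technique table and the assumption of 64 KiB-aligned load bases are mine.

```python
"""Added example (not Joe Sandbox code): parse 'Code function' evidence rows
and derive (1) which Nt* stubs each process resolves, checked against a small
injection-technique table, and (2) whether two processes hold the same code at
different load bases, i.e. a constant address delta across many stubs."""
import re
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "path pid addr api")

# Accepts both the fused 'exeCode function:' form and a separated
# 'exe | Code function:' form. The trailing repeat of the function id
# (pid_run_addr) is optional so rows with that duplicate removed still parse.
LINE_RE = re.compile(
    r"Source:\s*(?P<path>.*?)\s*[|\t]?\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*"
    r"(?P<apis>[\w,]*?),?\s*(?:(?P=pid)_(?P=run)_(?P=addr))?\s*$"
)

def parse(lines):
    """One Entry per recognised row; api is the first resolved name (the Nt*
    stub) or '' for the address-only rows."""
    entries = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        apis = [a for a in m["apis"].split(",") if a]
        entries.append(Entry(m["path"], int(m["pid"]),
                             int(m["addr"], 16), apis[0] if apis else ""))
    return entries

# Minimal stub sets per technique (heuristic, this example's own).
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtOpenThread", "NtQueueApcThread", "NtWriteVirtualMemory"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
}

def injection_techniques(entries, pid):
    """Techniques whose full stub set is resolved in `pid`. Resolved stubs are
    capability, not proof of execution; confirm with the dynamic evidence."""
    apis = {e.api for e in entries if e.pid == pid and e.api}
    return sorted(t for t, need in TECHNIQUES.items() if need <= apis)

def relocation_deltas(entries, pid_a, pid_b, min_hits=2):
    """Address deltas between matching stubs of two processes. Named stubs
    match on API name; unnamed ones on their low 16 bits (assumes 64 KiB
    aligned load bases). A delta shared by many stubs means one module is
    present in both processes at base_b = base_a + delta."""
    counts = Counter()
    for a in (e for e in entries if e.pid == pid_a):
        for b in (e for e in entries if e.pid == pid_b):
            if a.api or b.api:
                same = a.api == b.api
            else:
                same = (a.addr & 0xFFFF) == (b.addr & 0xFFFF)
            if same:
                counts[b.addr - a.addr] += 1
    return {d: n for d, n in counts.items() if n >= min_hits}

# Rows copied from the report (PID 9 = Ms5nQdSz5l.exe, PID 23 = mstsc.exe).
SAMPLE = r"""
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01139A20 NtResumeThread,LdrInitializeThunk,9_2_01139A20
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011395D0 NtClose,LdrInitializeThunk,9_2_011395D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01139780 NtMapViewOfSection,LdrInitializeThunk,9_2_01139780
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011397A0 NtUnmapViewOfSection,LdrInitializeThunk,9_2_011397A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_01139950 NtQueueApcThread,9_2_01139950
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011399D0 NtCreateProcessEx,9_2_011399D0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_011398A0 NtWriteVirtualMemory,9_2_011398A0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0113AD30 NtSetContextThread,9_2_0113AD30
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0113A770 NtOpenThread,9_2_0113A770
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC99A0 NtCreateSection,LdrInitializeThunk,23_2_04FC99A0
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9780 NtMapViewOfSection,LdrInitializeThunk,23_2_04FC9780
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC98A0 NtWriteVirtualMemory,23_2_04FC98A0
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC99D0 NtCreateProcessEx,23_2_04FC99D0
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9950 NtQueueApcThread,23_2_04FC9950
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCAD30 NtSetContextThread,23_2_04FCAD30
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC9A20 NtResumeThread,23_2_04FC9A20
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FC97A0 NtUnmapViewOfSection,23_2_04FC97A0
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04FCA770 NtOpenThread,23_2_04FCA770
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AEA060 NtClose,23_2_00AEA060
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 0_2_0181C2B00_2_0181C2B0
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_0041E1A29_2_0041E1A2
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_00402D909_2_00402D90
Source: C:\Users\user\Desktop\Ms5nQdSz5l.exeCode function: 9_2_010FF9009_2_010FF900
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_04F8F90023_2_04F8F900
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AEE1A223_2_00AEE1A2
Source: C:\Windows\SysWOW64\mstsc.exeCode function: 23_2_00AD2D9023_2_00AD2D90
""".strip().splitlines()

if __name__ == "__main__":
    entries = parse(SAMPLE)
    for pid in sorted({e.pid for e in entries}):
        print(f"PID {pid}: {injection_techniques(entries, pid)}")
    for delta, n in sorted(relocation_deltas(entries, 9, 23).items()):
        print(f"PID 9 -> PID 23: {n} functions share delta 0x{delta:08X}")
```

On the rows in this report the two deltas that survive the threshold are 0x03E90000 (the 0x0113xxxx stubs of PID 9 against the 0x04FCxxxx stubs of PID 23, and the 0x010Fxxxx functions against 0x04F8xxxx) and 0x006D0000 (the 0x0040xxxx functions of PID 9 against 0x00ADxxxx in PID 23). Two modules from the sample's process therefore reappear in mstsc.exe, which is what you expect of an injected payload; the lone NtClose at 0x00AEA060 in PID 23 belongs to the second copy and does not share the first delta, so a single per-API comparison would have flagged it as an inconsistency instead of a second module. The technique check is deliberately loose: resolved stubs only show what the code can do, and the decision to call it hollowing or APC injection rests on the dynamic observations elsewhere in the report.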
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 0_2_0181C2B0
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 0_2_01819990
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_00401030
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0041E1A2
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_00402D90
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_00409E40
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_00402FB0
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010FF900
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01114120
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011B1002
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0110B090
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011220A0
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C20A8
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C28EC
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C2B28
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0112EBB0
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011BDBD2
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C22AE
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C2D07
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_010F0D20
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C1D55
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01122581
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C25DD
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0110D5E0
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_0110841F
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011BD466
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C1FF1
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011BD616
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_01116E30
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: 9_2_011C2EF7
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05051D55
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB20A0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F9B090
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F9841F
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_05041002
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F9D5E0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FB2581
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F80D20
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FA4120
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04F8F900
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FA6E30
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_04FBEBB0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_00AEE1A2
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_00AD2D90
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_00AD9E40
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 23_2_00AD2FB0
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\zFVxYeAVOjnwuB.exe 8353E30C6566795DA3E5AA38A22B4707EE895CFA115FFA399CFBE7D57D00F91D
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 04F8B150 appears 35 times
          Source: C:\Users\user\Desktop\Ms5nQdSz5l.exe | Code function: String function: 010FB150 appears 35 times
          Source: Ms5nQdSz5l.exe, 00000000.00000002.272067090.000000000C130000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000002.272067090.000000000C130000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000000.223690013.0000000000CF2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameInvalidCastException.exe> vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000002.242851987.0000000001380000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000002.270256208.000000000C030000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000002.244358631.00000000030A1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000009.00000002.376511036.00000000006D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameInvalidCastException.exe> vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000009.00000003.244547580.000000000104F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Ms5nQdSz5l.exe
          Source: Ms5nQdSz5l.exe, 00000009.00000002.392045961.00000000030C3000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemstsc.exej% vs Ms5nQdSz5l.exe
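          The memory-dump names in these rows and in the YARA Matched rule rows that follow carry the context a reader needs: which process the region belongs to, where it sits, and how it is protected. The OriginalFilename strings become informative once that context is attached. The mstsc.exe version string is found in PID 9 (the sample's own process) inside a region with protection 0x40, while the sample's own resource (InvalidCastException.exe) sits in read-only image memory. The script below is an added example, not Joe Sandbox code: it decodes the dump names, attaches the protection to each finding, and groups OriginalFilename strings and YARA hits by process and region. The field layout pid.run.id.base.protect.type (pid and base in hex, so 00000017 is PID 23) and the reading of the protect field as a Windows PAGE_* value are this example's assumptions; the sample rows are copied from the report with the YARA rule metadata shortened.

```python
"""Added example (not Joe Sandbox code): decode memory-dump names from
'Binary or memory string' and YARA 'Matched rule' rows and group the
findings by process and region."""
import re
from collections import defaultdict

# Assumed layout: pid.run.id.base.protect.type.sdmp, pid and base in hex.
DUMP_RE = re.compile(
    r"(?P<pid>[0-9A-F]{8})\.(?P<run>[0-9A-F]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp")
# Assumption: 'protect' is the Windows PAGE_* value of the dumped region.
PAGE = {0x02: "R", 0x04: "RW", 0x20: "RX", 0x40: "RWX"}
ORIG_RE = re.compile(r"OriginalFilename(?P<name>[\w.\-]+\.(?:exe|dll|mui))")
RULE_RE = re.compile(r"Matched rule:\s*(?P<rule>\S+)")

def parse_evidence(lines):
    """One record per row that names a dump: the process and region it came
    from plus what was found there (an OriginalFilename string, a YARA rule)."""
    records = []
    for line in lines:
        d = DUMP_RE.search(line)
        if not d:
            continue
        name = ORIG_RE.search(line)
        rule = RULE_RE.search(line)
        records.append({
            "pid": int(d["pid"], 16), "base": int(d["base"], 16),
            "prot": PAGE.get(int(d["prot"], 16), d["prot"]),
            "name": name["name"] if name else None,
            "rule": rule["rule"] if rule else None,
        })
    return records

def correlate(records):
    """Group findings by (pid, base) so a YARA hit and an embedded PE's
    version string in the same region show up together."""
    out = defaultdict(lambda: {"prot": None, "rules": set(), "names": set()})
    for r in records:
        slot = out[(r["pid"], r["base"])]
        slot["prot"] = r["prot"]
        if r["rule"]:
            slot["rules"].add(r["rule"])
        if r["name"]:
            slot["names"].add(r["name"])
    return dict(out)

def foreign_pe_in_exec_memory(records, sample_name):
    """OriginalFilename strings naming an executable other than the sample
    inside an executable region: the image of a hollowing target or an
    unpacked payload rather than a version resource read from disk."""
    return sorted((r["pid"], r["base"], r["name"]) for r in records
                  if r["name"] and r["name"].lower() != sample_name.lower()
                  and r["prot"] in ("RX", "RWX"))

# Rows copied from the report; YARA rule metadata shortened to '...'.
SAMPLE = r"""
Source: Ms5nQdSz5l.exe, 00000000.00000002.272067090.000000000C130000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000000.00000000.223690013.0000000000CF2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameInvalidCastException.exe> vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000000.00000002.242851987.0000000001380000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000009.00000002.376511036.00000000006D2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameInvalidCastException.exe> vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000009.00000003.244547580.000000000104F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Ms5nQdSz5l.exe
Source: Ms5nQdSz5l.exe, 00000009.00000002.392045961.00000000030C3000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemstsc.exej% vs Ms5nQdSz5l.exe
Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein ...
Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group ...
Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein ...
Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group ...
Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein ...
Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein ...
Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group ...
""".strip().splitlines()

if __name__ == "__main__":
    recs = parse_evidence(SAMPLE)
    for (pid, base), v in sorted(correlate(recs).items()):
        print(f"PID {pid:>2} 0x{base:08X} {v['prot']:<3} "
              f"rules={sorted(v['rules'])} names={sorted(v['names'])}")
    print("foreign PE in executable memory:",
          foreign_pe_in_exec_memory(recs, "Ms5nQdSz5l.exe"))
```

Run over these rows the grouping shows the Formbook rules matching in both processes, four of the six matched regions being RWX (0x400000 and 0x1400000 in PID 9, 0xAD0000 and 0x3130000 in PID 23), and the one RW region in PID 0 (0x40A9000) carrying both a Formbook match and the DSASignature.dll version string, which is consistent with the first-stage .NET process holding the decrypted payload in heap memory before it is launched. The only foreign executable name found in executable memory is mstsc.exe inside PID 9, the process that later spawns mstsc.exe, which is the artefact you would look for when deciding whether the hollowing target image was mapped by the sample itself. Treat the PAGE_* decoding as a convention to verify against the sandbox's own documentation before relying on it.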
          Source: Ms5nQdSz5l.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.502856017.0000000003130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.388008675.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.492458360.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.379229616.0000000000C70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.503223323.0000000003160000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.374453339.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.250065201.00000000040A9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.Ms5nQdSz5l.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = a