Analysis Report T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Overview

General Information

Sample Name:	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Analysis ID:	411744
MD5:	306237cff93b7d61b1f72c400a9522e1
SHA1:	aa8942a24452ac6e95feb05f1a5038d006f08c4d
SHA256:	4ffd8307eca6e6b382c035cb0ad32e52f37f9180e092764d6224d97557ef8ec9
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}

Multi AV Scanner detection for submitted file

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Virustotal: Detection: 34%	Perma Link
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Metadefender: Detection: 38%	Perma Link
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	ReversingLabs: Detection: 65%

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file

Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Code function: 4x nop then pop ebx

4_2_00406A9A

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.rogegalmish.com/a8si/

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657480728.00000000058CB000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680325425.00000000025B1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660140019.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660140019.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659592367.00000000058ED000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659592367.00000000058ED000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comV
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659592367.00000000058ED000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comtigK&
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.662560278.00000000058E5000.00000004.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.663739401.00000000058E5000.00000004.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.662263041.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.663430742.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers1
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.662560278.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersV0
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.663769723.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersn
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.669067713.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersz0
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680256955.0000000000D07000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comgritan
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657228680.00000000058B5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657286654.00000000058CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659151965.00000000058B5000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.658694270.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnTCV
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.664941588.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmn6
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659049481.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.658694270.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr.TTF
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.668655621.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotT.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660255920.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comY
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660255920.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comlicB
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657480728.00000000058CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comn
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	String found in binary or memory: http://www.webstarmax.com/
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	String found in binary or memory: http://www.webstarmax.com/9mailto:office
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_004181C0 NtCreateFile,	4_2_004181C0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00418270 NtReadFile,	4_2_00418270
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_004182F0 NtClose,	4_2_004182F0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_004183A0 NtAllocateVirtualMemory,	4_2_004183A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041826A NtReadFile,	4_2_0041826A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041839A NtAllocateVirtualMemory,	4_2_0041839A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9860 NtQuerySystemInformation,LdrInitializeThunk,	4_2_010D9860
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_010D9660
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_010D96E0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9910 NtAdjustPrivilegesToken,	4_2_010D9910
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9950 NtQueueApcThread,	4_2_010D9950
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D99A0 NtCreateSection,	4_2_010D99A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D99D0 NtCreateProcessEx,	4_2_010D99D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9820 NtEnumerateKey,	4_2_010D9820
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010DB040 NtSuspendThread,	4_2_010DB040
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9840 NtDelayExecution,	4_2_010D9840
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D98A0 NtWriteVirtualMemory,	4_2_010D98A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D98F0 NtReadVirtualMemory,	4_2_010D98F0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9B00 NtSetValueKey,	4_2_010D9B00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010DA3B0 NtGetContextThread,	4_2_010DA3B0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9A00 NtProtectVirtualMemory,	4_2_010D9A00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9A10 NtQuerySection,	4_2_010D9A10
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9A20 NtResumeThread,	4_2_010D9A20
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9A50 NtCreateFile,	4_2_010D9A50
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9A80 NtOpenDirectoryObject,	4_2_010D9A80
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9520 NtWaitForSingleObject,	4_2_010D9520
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010DAD30 NtSetContextThread,	4_2_010DAD30
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9540 NtReadFile,	4_2_010D9540
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9560 NtWriteFile,	4_2_010D9560
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D95D0 NtClose,	4_2_010D95D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D95F0 NtQueryInformationFile,	4_2_010D95F0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9710 NtQueryInformationToken,	4_2_010D9710
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010DA710 NtOpenProcessToken,	4_2_010DA710
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9730 NtQueryVirtualMemory,	4_2_010D9730
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9760 NtOpenProcess,	4_2_010D9760
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010DA770 NtOpenThread,	4_2_010DA770
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9770 NtSetInformationFile,	4_2_010D9770
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9780 NtMapViewOfSection,	4_2_010D9780
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D97A0 NtUnmapViewOfSection,	4_2_010D97A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9FE0 NtCreateMutant,	4_2_010D9FE0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9610 NtEnumerateValueKey,	4_2_010D9610

Detected potential crypto function

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_001E2C24	0_2_001E2C24
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_00CBA10C	0_2_00CBA10C
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_00CBD4E8	0_2_00CBD4E8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07388717	0_2_07388717
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07388965	0_2_07388965
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07384668	0_2_07384668
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07384657	0_2_07384657
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07383337	0_2_07383337
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_073883A0	0_2_073883A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07385BC0	0_2_07385BC0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07386210	0_2_07386210
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07383210	0_2_07383210
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0738620D	0_2_0738620D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_073832F9	0_2_073832F9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0738893E	0_2_0738893E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07384955	0_2_07384955
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07384148	0_2_07384148
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07384142	0_2_07384142
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_073889F3	0_2_073889F3
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07383838	0_2_07383838
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0738001F	0_2_0738001F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07383808	0_2_07383808
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07380040	0_2_07380040
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07780610	0_2_07780610
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778A6F1	0_2_0778A6F1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07785EB0	0_2_07785EB0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07780D78	0_2_07780D78
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07789568	0_2_07789568
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07789D61	0_2_07789D61
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07783D30	0_2_07783D30
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778B5C8	0_2_0778B5C8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778DD88	0_2_0778DD88
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_077863F4	0_2_077863F4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07786AD0	0_2_07786AD0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_077861C1	0_2_077861C1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778B754	0_2_0778B754
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778B7D5	0_2_0778B7D5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778D790	0_2_0778D790
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778D782	0_2_0778D782
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778B6E6	0_2_0778B6E6
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07785EA1	0_2_07785EA1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041C273	4_2_0041C273
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041BAA2	4_2_0041BAA2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00408C5B	4_2_00408C5B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041BC22	4_2_0041BC22
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041CC24	4_2_0041CC24
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041B4A6	4_2_0041B4A6
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041BD4F	4_2_0041BD4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041C501	4_2_0041C501
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00402D87	4_2_00402D87
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041BDBD	4_2_0041BDBD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041BF3C	4_2_0041BF3C
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041C7A5	4_2_0041C7A5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00622C24	4_2_00622C24
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109F900	4_2_0109F900
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B4120	4_2_010B4120
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B2990	4_2_010B2990
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AC1C0	4_2_010AC1C0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01096800	4_2_01096800
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151002	4_2_01151002
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0116E824	4_2_0116E824
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA830	4_2_010BA830
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AB090	4_2_010AB090
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C20A0	4_2_010C20A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011620A8	4_2_011620A8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011560F5	4_2_011560F5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011628EC	4_2_011628EC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115231B	4_2_0115231B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01162B28	4_2_01162B28
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BAB40	4_2_010BAB40
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0113CB4F	4_2_0113CB4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B3360	4_2_010B3360
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C138B	4_2_010C138B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BEB9A	4_2_010BEB9A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0113EB8A	4_2_0113EB8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CEBB0	4_2_010CEBB0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115DBD2	4_2_0115DBD2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011503DA	4_2_011503DA
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CABD8	4_2_010CABD8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010E8BE8	4_2_010E8BE8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011423E3	4_2_011423E3
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB236	4_2_010BB236
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0114FA2B	4_2_0114FA2B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01155A4F	4_2_01155A4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011622AE	4_2_011622AE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011632A9	4_2_011632A9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115E2C5	4_2_0115E2C5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01162D07	4_2_01162D07
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01090D20	4_2_01090D20
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01161D55	4_2_01161D55
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B2D50	4_2_010B2D50
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C2581	4_2_010C2581
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01152D82	4_2_01152D82
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C65A0	4_2_010C65A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011625DD	4_2_011625DD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AD5E0	4_2_010AD5E0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A841F	4_2_010A841F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B2430	4_2_010B2430
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115CC77	4_2_0115CC77
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115D466	4_2_0115D466
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB477	4_2_010BB477
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154496	4_2_01154496
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C4CD4	4_2_010C4CD4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0116DFCE	4_2_0116DFCE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01161FF1	4_2_01161FF1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011567E2	4_2_011567E2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115D616	4_2_0115D616
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B5600	4_2_010B5600
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B6E30	4_2_010B6E30

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: String function: 010ED08C appears 44 times
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: String function: 01125720 appears 84 times
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: String function: 0109B150 appears 174 times

PE file contains strange resources

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.691734327.0000000006F80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.692438491.00000000076D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.679185423.00000000002BA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMemberFilter.exe< vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.685991033.00000000055F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000004.00000002.682772982.000000000131F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000004.00000000.678183557.00000000006FA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMemberFilter.exe< vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Binary or memory string: OriginalFilenameMemberFilter.exe< vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Uses 32bit PE files

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.log

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: unknown	Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe 'C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe'
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_00CB0438 pushad ; iretd	0_2_00CB043A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_00CB043F pushad ; iretd	0_2_00CB0442
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_00CBCB98 pushfd ; ret	0_2_00CBCB99
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07388AEE push esi; iretd	0_2_07388AF0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07783652 push eax; retf	0_2_07783679
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_004161E7 push edi; retf	4_2_004161E8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_004151B4 pushfd ; ret	4_2_004151D9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041B3B5 push eax; ret	4_2_0041B408
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041B46C push eax; ret	4_2_0041B472
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041B402 push eax; ret	4_2_0041B408
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041B40B push eax; ret	4_2_0041B472
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041543B pushfd ; iretd	4_2_0041543E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00415485 push edx; ret	4_2_00415496
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ED0D1 push ecx; ret	4_2_010ED0E4

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 7028, type: MEMORY

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe TID: 7072	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe TID: 7032	Thread sleep time: -103866s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.685991033.00000000055F0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.685991033.00000000055F0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.685991033.00000000055F0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.685991033.00000000055F0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

ID:	411744
Product:	CloudBasic
Start time:	06:07:19
Start date:	12.05.2021
Sample:	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	306237cff93b7d61b1f72c400a9522e1
SHA1:	aa8942a24452ac6e95feb05f1a5038d006f08c4d
SHA256:	4ffd8307eca6e6b382c035cb0ad32e52f37f9180e092764d6224d97557ef8ec9
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Analysis Report T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted URLs