Analysis Report T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Overview

General Information

Sample Name:	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Analysis ID:	412016
MD5:	33d849675e66bf8332b4bb2e4a1d923f
SHA1:	5a6a124d73391b021ffb15b5fe0bef53882e9d9b
SHA256:	77a065555ec0a5c4dfbae72cdb035af45edf7997b1859fa75a158c40f119a020
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}

Multi AV Scanner detection for submitted file

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Virustotal: Detection: 58%			Perma Link
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	ReversingLabs: Detection: 68%

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0B777B00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0B777BB4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0B777AF0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4x nop then pop ebx	3_2_00406A9A

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.rogegalmish.com/a8si/

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338326905.0000000002DB1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Contains functionality to call native functions

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_004181C0 NtCreateFile,	3_2_004181C0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_00418270 NtReadFile,	3_2_00418270
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_004182F0 NtClose,	3_2_004182F0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_004183A0 NtAllocateVirtualMemory,	3_2_004183A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041826A NtReadFile,	3_2_0041826A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041839A NtAllocateVirtualMemory,	3_2_0041839A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01369860
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01369660
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013696E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_013696E0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369910 NtAdjustPrivilegesToken,	3_2_01369910
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369950 NtQueueApcThread,	3_2_01369950
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013699A0 NtCreateSection,	3_2_013699A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013699D0 NtCreateProcessEx,	3_2_013699D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369820 NtEnumerateKey,	3_2_01369820
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0136B040 NtSuspendThread,	3_2_0136B040
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369840 NtDelayExecution,	3_2_01369840
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013698A0 NtWriteVirtualMemory,	3_2_013698A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013698F0 NtReadVirtualMemory,	3_2_013698F0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369B00 NtSetValueKey,	3_2_01369B00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0136A3B0 NtGetContextThread,	3_2_0136A3B0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369A20 NtResumeThread,	3_2_01369A20
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369A10 NtQuerySection,	3_2_01369A10
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369A00 NtProtectVirtualMemory,	3_2_01369A00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369A50 NtCreateFile,	3_2_01369A50
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369A80 NtOpenDirectoryObject,	3_2_01369A80
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0136AD30 NtSetContextThread,	3_2_0136AD30
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369520 NtWaitForSingleObject,	3_2_01369520
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369560 NtWriteFile,	3_2_01369560
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369540 NtReadFile,	3_2_01369540
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013695F0 NtQueryInformationFile,	3_2_013695F0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013695D0 NtClose,	3_2_013695D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369730 NtQueryVirtualMemory,	3_2_01369730
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369710 NtQueryInformationToken,	3_2_01369710
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0136A710 NtOpenProcessToken,	3_2_0136A710
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0136A770 NtOpenThread,	3_2_0136A770
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369770 NtSetInformationFile,	3_2_01369770
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369760 NtOpenProcess,	3_2_01369760
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013697A0 NtUnmapViewOfSection,	3_2_013697A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369780 NtMapViewOfSection,	3_2_01369780
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369FE0 NtCreateMutant,	3_2_01369FE0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369610 NtEnumerateValueKey,	3_2_01369610
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369670 NtQueryInformationProcess,	3_2_01369670
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01369650 NtQueryValueKey,	3_2_01369650

Detected potential crypto function

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_02C4C2B0	0_2_02C4C2B0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_02C49968	0_2_02C49968
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B778221	0_2_0B778221
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B770FA8	0_2_0B770FA8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B770040	0_2_0B770040
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B770033	0_2_0B770033
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B7717E8	0_2_0B7717E8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B7717D9	0_2_0B7717D9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B770F98	0_2_0B770F98
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B773660	0_2_0B773660
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B771E40	0_2_0B771E40
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B771E39	0_2_0B771E39
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B775690	0_2_0B775690
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B775680	0_2_0B775680
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B7714E0	0_2_0B7714E0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B7714CF	0_2_0B7714CF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041C273	3_2_0041C273
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041BAA2	3_2_0041BAA2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_00408C5B	3_2_00408C5B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041BC22	3_2_0041BC22
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041CC24	3_2_0041CC24
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041B4A6	3_2_0041B4A6
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041BD4F	3_2_0041BD4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041C501	3_2_0041C501
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_00402D87	3_2_00402D87
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041BDBD	3_2_0041BDBD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041BF3C	3_2_0041BF3C
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041C7A5	3_2_0041C7A5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01344120	3_2_01344120
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0132F900	3_2_0132F900
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013499BF	3_2_013499BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01342990	3_2_01342990
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0133C1C0	3_2_0133C1C0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0134A830	3_2_0134A830
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013FE824	3_2_013FE824
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0135701D	3_2_0135701D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01326800	3_2_01326800
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013E1002	3_2_013E1002
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013520A0	3_2_013520A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013F20A8	3_2_013F20A8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0133B090	3_2_0133B090
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013E60F5	3_2_013E60F5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013F28EC	3_2_013F28EC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013F2B28	3_2_013F2B28
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013E231B	3_2_013E231B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0134A309	3_2_0134A309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01343360	3_2_01343360
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013CCB4F	3_2_013CCB4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0134AB40	3_2_0134AB40
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0135EBB0	3_2_0135EBB0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0134EB9A	3_2_0134EB9A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013CEB8A	3_2_013CEB8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0135138B	3_2_0135138B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013D23E3	3_2_013D23E3
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01378BE8	3_2_01378BE8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013E03DA	3_2_013E03DA
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013EDBD2	3_2_013EDBD2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0135ABD8	3_2_0135ABD8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0134B236	3_2_0134B236
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013DFA2B	3_2_013DFA2B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013E5A4F	3_2_013E5A4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013F22AE	3_2_013F22AE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013F32A9	3_2_013F32A9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013E4AEF	3_2_013E4AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013EE2C5	3_2_013EE2C5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01320D20	3_2_01320D20
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013F2D07	3_2_013F2D07
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01342D50	3_2_01342D50
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013F1D55	3_2_013F1D55
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013565A0	3_2_013565A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01352581	3_2_01352581
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013E2D82	3_2_013E2D82
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0133D5E0	3_2_0133D5E0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013F25DD	3_2_013F25DD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01342430	3_2_01342430
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0133841F	3_2_0133841F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0134B477	3_2_0134B477
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013ED466	3_2_013ED466
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013E4496	3_2_013E4496
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01354CD4	3_2_01354CD4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013F1FF1	3_2_013F1FF1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013E67E2	3_2_013E67E2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013FDFCE	3_2_013FDFCE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01346E30	3_2_01346E30
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013ED616	3_2_013ED616
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_01345600	3_2_01345600
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_013AAE60	3_2_013AAE60

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: String function: 0132B150 appears 159 times
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: String function: 0137D08C appears 46 times
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: String function: 013B5720 appears 81 times

PE file contains strange resources

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.337682836.0000000000B2A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAsyncReplySink.exe0 vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.342343612.0000000006220000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338326905.0000000002DB1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000002.00000000.335604595.000000000038A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAsyncReplySink.exe0 vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000003.00000002.338967434.000000000091A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAsyncReplySink.exe0 vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000003.00000002.339718035.00000000015AF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Binary or memory string: OriginalFilenameAsyncReplySink.exe0 vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Uses 32bit PE files

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@5/1@0/0

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.log

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: unknown	Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe 'C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe'
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0B7705DC push ebx; iretd	0_2_0B7705DD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_004161E7 push edi; retf	3_2_004161E8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_004151B4 pushfd ; ret	3_2_004151D9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041B3B5 push eax; ret	3_2_0041B408
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041B46C push eax; ret	3_2_0041B472
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041B402 push eax; ret	3_2_0041B408
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041B40B push eax; ret	3_2_0041B472
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0041543B pushfd ; iretd	3_2_0041543E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_00415485 push edx; ret	3_2_00415496
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 3_2_0137D0D1 push ecx; ret	3_2_0137D0E4

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 6764, type: MEMORY

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe TID: 6768	Thread sleep time: -100297s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe TID: 6788	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Thread delayed: delay time: 100297			Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

ID:	412016
Product:	CloudBasic
Start time:	10:41:28
Start date:	12.05.2021
Sample:	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	33d849675e66bf8332b4bb2e4a1d923f
SHA1:	5a6a124d73391b021ffb15b5fe0bef53882e9d9b
SHA256:	77a065555ec0a5c4dfbae72cdb035af45edf7997b1859fa75a158c40f119a020
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Analysis Report T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted URLs