Analysis Report COVID-19-Related Requirements.exe

Overview

General Information

Sample Name: COVID-19-Related Requirements.exe
Analysis ID: 425178
MD5: 7efd588df5d918372c111708f02cc3ce
SHA1: de98b083ed7e8b78be25cacf0715d15dd04228f5
SHA256: de0011128191babcbdb339d2ab7f9568e0b12c5ebc00a99c235fea849885b6a1
Tags: COVID-19, exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • COVID-19-Related Requirements.exe (PID: 6852 cmdline: 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe' MD5: 7EFD588DF5D918372C111708F02CC3CE)
    • COVID-19-Related Requirements.exe (PID: 6964 cmdline: {path} MD5: 7EFD588DF5D918372C111708F02CC3CE)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 4112 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 5768 cmdline: /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.tiffanysbeautybling.com/cgsp/"], "decoy": ["dzxcsy.com", "communication-digitale.net", "darkspot.pro", "neighborschoicefranchise.com", "mujeresaprendices.com", "ryanita.com", "karmelbali.com", "lengzu.net", "archoneshop.com", "auszeit-online.com", "incredikit.com", "theostermangroup.com", "challengesbringsuccess.com", "thegoddogcure.com", "missshalae.com", "mulherviaje.com", "danieljosephmuldoon.com", "plantitasmke.com", "lyson.info", "boardwalkcafebeaufort.com", "genesisdrumco.com", "bynature4nature.com", "notesfromthelovewars.com", "klimabeyazesyatamiri.xyz", "micatholics4biden.com", "epicdentalacademy.com", "lucrarsemfronteiras.com", "fmgurbanoutlet.com", "tonkuik.fyi", "sfypband.com", "aspeneaterys.com", "obzophigkr.net", "portablesteamsaunas.com", "clubroyals.com", "658194.com", "samuelhere.com", "footfull.info", "riptidetutorials.com", "catanetwork.com", "nocodecrypto.com", "kisukine.com", "tag-less-poets.com", "juxrams.info", "thebrandvoicemagazine.com", "montanablogs.com", "productos-photon.com", "aibetech.com", "wg101.com", "coefficientinsurence.com", "arinasystem.com", "elgrabador.com", "thewanderers.info", "openbracketindia.com", "saya-pai.com", "healthyskepticmd.com", "lumberlandjsc.xyz", "chanelkonferenz.online", "ajretrobg.com", "libittu.com", "oneroofingnearme.com", "pyd.xyz", "aikookuyama1.com", "partners-net.com", "imrichardallan.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
15.2.COVID-19-Related Requirements.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
15.2.COVID-19-Related Requirements.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: COVID-19-Related Requirements.exe; Virustotal: Detection: 23%
Source: COVID-19-Related Requirements.exe; ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match; file source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: COVID-19-Related Requirements.exe; Joe Sandbox ML: detected
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: COVID-19-Related Requirements.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: COVID-19-Related Requirements.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL; source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: COVID-19-Related Requirements.exe, 0000000F.00000002.485261731.0000000001AA0000.00000040.00000001.sdmp, wscript.exe, 00000013.00000002.598596904.0000000004E9F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: COVID-19-Related Requirements.exe, wscript.exe
Source: Binary string: wscript.pdb; source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb; source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 4x nop then pop edi, 15_2_0040E3C8
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 4x nop then pop edi, 15_2_0040E427
Source: C:\Windows\SysWOW64\wscript.exe; Code function: 4x nop then pop edi, 19_2_00B1E3C8
Source: C:\Windows\SysWOW64\wscript.exe; Code function: 4x nop then pop edi, 19_2_00B1E427

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.tiffanysbeautybling.com/cgsp/
Source: global traffic; HTTP traffic detected: GET /cgsp/?zR-4q=wCZjRreTETPxpz3yzi5aMK9lgrBwWrXWegbflPnh9KjaaDHMPgi5SZz4hafy+YGLKOgeKwGRDg==&hB0=D8yhC83P6d34H HTTP/1.1; Host: www.portablesteamsaunas.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 52.58.78.16
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: global traffic; HTTP traffic detected: GET /cgsp/?zR-4q=wCZjRreTETPxpz3yzi5aMK9lgrBwWrXWegbflPnh9KjaaDHMPgi5SZz4hafy+YGLKOgeKwGRDg==&hB0=D8yhC83P6d34H HTTP/1.1; Host: www.portablesteamsaunas.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: unknown; DNS traffic detected: queries for: www.portablesteamsaunas.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.435521033.000000000095C000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: COVID-19-Related Requirements.exe, 00000001.00000002.432559159.0000000001877000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comcom
Source: COVID-19-Related Requirements.exe, 00000001.00000002.432559159.0000000001877000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.commQ
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wscript.exe, 00000013.00000002.600969129.000000000579F000.00000004.00000001.sdmp; String found in binary or memory: http://www.portablesteamsaunas.com
Source: wscript.exe, 00000013.00000002.600969129.000000000579F000.00000004.00000001.sdmp; String found in binary or memory: http://www.portablesteamsaunas.com/
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: COVID-19-Related Requirements.exe, 00000001.00000002.439653802.0000000006280000.00000002.00000001.sdmp, explorer.exe, 00000010.00000000.464256328.000000000B1A0000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: COVID-19-Related Requirements.exe; String found in binary or memory: https://api.imgur.com/3/image/
Source: COVID-19-Related Requirements.exe; String found in binary or memory: https://api.imgur.com/oauth2/authorize?client_id=
Source: COVID-19-Related Requirements.exe; String found in binary or memory: https://api.imgur.com/oauth2/token

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; file source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_0041A060 NtClose, 15_2_0041A060
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_0041A110 NtAllocateVirtualMemory, 15_2_0041A110
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_00419F30 NtCreateFile, 15_2_00419F30
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_00419FE0 NtReadFile, 15_2_00419FE0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_00419FDC NtReadFile, 15_2_00419FDC
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B099A0 NtCreateSection, LdrInitializeThunk, 15_2_01B099A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09910 NtAdjustPrivilegesToken, LdrInitializeThunk, 15_2_01B09910
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B098F0 NtReadVirtualMemory, LdrInitializeThunk, 15_2_01B098F0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09860 NtQuerySystemInformation, LdrInitializeThunk, 15_2_01B09860
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09840 NtDelayExecution, LdrInitializeThunk, 15_2_01B09840
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09A20 NtResumeThread, LdrInitializeThunk, 15_2_01B09A20
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09A00 NtProtectVirtualMemory, LdrInitializeThunk, 15_2_01B09A00
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09A50 NtCreateFile, LdrInitializeThunk, 15_2_01B09A50
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B095D0 NtClose, LdrInitializeThunk, 15_2_01B095D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09540 NtReadFile, LdrInitializeThunk, 15_2_01B09540
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B097A0 NtUnmapViewOfSection, LdrInitializeThunk, 15_2_01B097A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09780 NtMapViewOfSection, LdrInitializeThunk, 15_2_01B09780
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09710 NtQueryInformationToken, LdrInitializeThunk, 15_2_01B09710
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B096E0 NtFreeVirtualMemory, LdrInitializeThunk, 15_2_01B096E0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09660 NtAllocateVirtualMemory, LdrInitializeThunk, 15_2_01B09660
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B099D0 NtCreateProcessEx, 15_2_01B099D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09950 NtQueueApcThread, 15_2_01B09950
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B098A0 NtWriteVirtualMemory, 15_2_01B098A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09820 NtEnumerateKey, 15_2_01B09820
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B0B040 NtSuspendThread, 15_2_01B0B040
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B0A3B0 NtGetContextThread, 15_2_01B0A3B0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09B00 NtSetValueKey, 15_2_01B09B00
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09A80 NtOpenDirectoryObject, 15_2_01B09A80
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09A10 NtQuerySection, 15_2_01B09A10
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B095F0 NtQueryInformationFile, 15_2_01B095F0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B0AD30 NtSetContextThread, 15_2_01B0AD30
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09520 NtWaitForSingleObject, 15_2_01B09520
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09560 NtWriteFile, 15_2_01B09560
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09FE0 NtCreateMutant, 15_2_01B09FE0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09730 NtQueryVirtualMemory, 15_2_01B09730
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B0A710 NtOpenProcessToken, 15_2_01B0A710
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B0A770 NtOpenThread, 15_2_01B0A770
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09770 NtSetInformationFile, 15_2_01B09770
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B09760 NtOpenProcess, 15_2_01B09760
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe; Code function: 15_2_01B096D0 NtCreateKey, 15_2_01B096D0
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B09610 NtEnumerateValueKey,15_2_01B09610
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B09670 NtQueryInformationProcess,15_2_01B09670
          Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B09650 NtQueryValueKey,15_2_01B09650
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE95D0 NtClose,LdrInitializeThunk,19_2_04DE95D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9540 NtReadFile,LdrInitializeThunk,19_2_04DE9540
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE96D0 NtCreateKey,LdrInitializeThunk,19_2_04DE96D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE96E0 NtFreeVirtualMemory,LdrInitializeThunk,19_2_04DE96E0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9650 NtQueryValueKey,LdrInitializeThunk,19_2_04DE9650
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9660 NtAllocateVirtualMemory,LdrInitializeThunk,19_2_04DE9660
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9FE0 NtCreateMutant,LdrInitializeThunk,19_2_04DE9FE0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9780 NtMapViewOfSection,LdrInitializeThunk,19_2_04DE9780
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9710 NtQueryInformationToken,LdrInitializeThunk,19_2_04DE9710
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9840 NtDelayExecution,LdrInitializeThunk,19_2_04DE9840
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9860 NtQuerySystemInformation,LdrInitializeThunk,19_2_04DE9860
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE99A0 NtCreateSection,LdrInitializeThunk,19_2_04DE99A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,19_2_04DE9910
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9A50 NtCreateFile,LdrInitializeThunk,19_2_04DE9A50
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE95F0 NtQueryInformationFile,19_2_04DE95F0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9560 NtWriteFile,19_2_04DE9560
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DEAD30 NtSetContextThread,19_2_04DEAD30
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9520 NtWaitForSingleObject,19_2_04DE9520
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9670 NtQueryInformationProcess,19_2_04DE9670
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9610 NtEnumerateValueKey,19_2_04DE9610
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE97A0 NtUnmapViewOfSection,19_2_04DE97A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DEA770 NtOpenThread,19_2_04DEA770
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9770 NtSetInformationFile,19_2_04DE9770
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9760 NtOpenProcess,19_2_04DE9760
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DEA710 NtOpenProcessToken,19_2_04DEA710
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9730 NtQueryVirtualMemory,19_2_04DE9730
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE98F0 NtReadVirtualMemory,19_2_04DE98F0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE98A0 NtWriteVirtualMemory,19_2_04DE98A0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DEB040 NtSuspendThread,19_2_04DEB040
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9820 NtEnumerateKey,19_2_04DE9820
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE99D0 NtCreateProcessEx,19_2_04DE99D0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9950 NtQueueApcThread,19_2_04DE9950
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9A80 NtOpenDirectoryObject,19_2_04DE9A80
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9A10 NtQuerySection,19_2_04DE9A10
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9A00 NtProtectVirtualMemory,19_2_04DE9A00
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9A20 NtResumeThread,19_2_04DE9A20
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DEA3B0 NtGetContextThread,19_2_04DEA3B0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9B00 NtSetValueKey,19_2_04DE9B00
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2A060 NtClose,19_2_00B2A060
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2A110 NtAllocateVirtualMemory,19_2_00B2A110
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B29FE0 NtReadFile,19_2_00B29FE0
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B29F30 NtCreateFile,19_2_00B29F30
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B29FDC NtReadFile,19_2_00B29FDC
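The rows above list, per sandbox process, the native (Nt*) routines the sample carries wrappers for. What an analyst wants from that list is the injection technique it adds up to: NtUnmapViewOfSection plus NtWriteVirtualMemory/NtMapViewOfSection plus NtSetContextThread is the process-hollowing set, NtQueueApcThread the APC-injection set, NtCreateSection plus NtMapViewOfSection the section-mapping set. The following is an added example, not part of the sandbox report, that parses rows in the format shown (it tolerates the missing column separator of a raw export), groups the Nt* names by process index and matches them against those sets. The technique table is this example's own heuristic; a wrapper's presence shows capability, not that the call was made on this run.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Code function" rows from the report above,
# copied as they appear there.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B097A0 NtUnmapViewOfSection,LdrInitializeThunk,15_2_01B097A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B09780 NtMapViewOfSection,LdrInitializeThunk,15_2_01B09780
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B099D0 NtCreateProcessEx,15_2_01B099D0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B09950 NtQueueApcThread,15_2_01B09950
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B098A0 NtWriteVirtualMemory,15_2_01B098A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeCode function: 15_2_01B0AD30 NtSetContextThread,15_2_01B0AD30
Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE99A0 NtCreateSection,LdrInitializeThunk,19_2_04DE99A0
Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9780 NtMapViewOfSection,LdrInitializeThunk,19_2_04DE9780
Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE97A0 NtUnmapViewOfSection,19_2_04DE97A0
Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE98A0 NtWriteVirtualMemory,19_2_04DE98A0
Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9950 NtQueueApcThread,19_2_04DE9950
Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DE9A20 NtResumeThread,19_2_04DE9A20
Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_04DEAD30 NtSetContextThread,19_2_04DEAD30
Source: C:\Windows\SysWOW64\wscript.exeCode function: 19_2_00B2A060 NtClose,19_2_00B2A060
"""

# "<pid>_<round>_<address> <name>,<name>,...": the trailing repeated address of a raw
# export is captured too, but filtered out below because it does not start with "Nt".
ROW_RE = re.compile(
    r"Code function:\s*(?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8})[ \t]+(?P<calls>[A-Za-z0-9_,]*)")


def parse_native_calls(text):
    """Map sandbox process index -> set of Nt* routines the sandbox found wrapped in it."""
    calls = defaultdict(set)
    for m in ROW_RE.finditer(text):
        for token in m["calls"].split(","):
            if token.startswith("Nt"):
                calls[int(m["pid"])].add(token)
    return dict(calls)


# Heuristic signatures (this example's own): every routine in "all" must be present
# and at least one of "any".
TECHNIQUES = {
    "process hollowing": {
        "all": {"NtUnmapViewOfSection", "NtSetContextThread"},
        "any": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    },
    "APC injection": {
        "all": {"NtQueueApcThread"},
        "any": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    },
    "section mapping injection": {
        "all": {"NtCreateSection", "NtMapViewOfSection"},
        "any": {"NtSetContextThread", "NtQueueApcThread", "NtResumeThread"},
    },
}


def classify(api_set):
    """Sorted names of techniques whose signature is fully covered by api_set."""
    return sorted(name for name, need in TECHNIQUES.items()
                  if need["all"] <= api_set and need["any"] & api_set)


def missing_for(api_set, technique):
    """Required routines not seen; useful when a process only nearly matches."""
    return sorted(TECHNIQUES[technique]["all"] - api_set)


def report(text):
    """Process index -> matched techniques, for a whole block of report rows."""
    return {pid: classify(apis) for pid, apis in parse_native_calls(text).items()}


if __name__ == "__main__":
    for pid, techniques in sorted(report(SAMPLE_ROWS).items()):
        print(pid, techniques)
```

On the rows above, process 15 (the sample) matches hollowing and APC injection, while process 19 (wscript.exe, which FormBook has already migrated into) additionally matches section mapping because it alone carries NtCreateSection.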
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 1_2_018FC194
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 1_2_018FEB28
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 1_2_018FEB38
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_0041E85C
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_00401030
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_0041E17E
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_0041D189
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_0041D587
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_00402D88
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_00402D90
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_00409E40
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_00402FB0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AE4120
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ACF900
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF20A0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B920A8
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ADB090
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B928EC
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B9E824
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B81002
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AFEBB0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B803DA
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B8DBD2
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B92B28
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B922AE
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AF2581
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01ADD5E0
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B925DD
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AC0D20
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B92D07
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B91D55
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AD841F
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B8D466
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B91FF1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B9DFCE
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B92EF7
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01AE6E30
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: 15_2_01B8D616
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E6D466
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DB841F
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E725DD
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DBD5E0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD2581
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E71D55
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E72D07
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DA0D20
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E72EF7
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DC6E30
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E6D616
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E71FF1
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E7DFCE
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E728EC
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DBB090
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E720A8
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DD20A0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E7E824
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E61002
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DAF900
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DC4120
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E722AE
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E6DBD2
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04DDEBB0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_04E72B28
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_00B2E85C
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_00B2E17E
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_00B12D90
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_00B12D88
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_00B19E40
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 19_2_00B12FB0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04DAB150 appears 35 times
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Code function: String function: 01ACB150 appears 35 times
Source: COVID-19-Related Requirements.exe, 00000001.00000002.430989730.0000000000F64000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433207699.0000000003333000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.433207699.0000000003333000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.448500832.0000000007780000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.432940661.0000000003291000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 0000000D.00000000.427927529.00000000003C4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 0000000E.00000002.429267857.00000000002B4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 0000000F.00000002.487052680.0000000001BBF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 0000000F.00000000.429960231.0000000000FB4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe | Binary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.484219002.0000000001960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.484584798.0000000001990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.597396184.0000000002F50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.COVID-19-Related Requirements.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
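The Yara hits above, and the OriginalFilename strings before them, are keyed by memory-dump names such as 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp. Read as process index, dump round, dump id, base address, page protection and flags (this layout is an assumption of the example; the report does not document it), the fifth field decodes with the Windows PAGE_* constants, and 0x40 is PAGE_EXECUTE_READWRITE. That is the detail worth pulling out: the FormBook matches in process 15 sit at 0x400000 in writable and executable memory, where a normally mapped image's code would be PAGE_EXECUTE_READ, and the same process holds a second ntdll.dll and a wscript.exe image in RWX memory, consistent with a freshly mapped ntdll copy and a staged next host. The following is an added example, not part of the report, that parses those dump names and joins them to the rule and string rows; the sample rows are copied from the report above and the parser tolerates the missing column separator of a raw export.

```python
import re
from dataclasses import dataclass

# Constructed sample: Yara-match and OriginalFilename rows copied from the report above.
SAMPLE_ROWS = r"""
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein
Source: 0000000F.00000002.481749515.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 00000013.00000002.597531412.0000000002F80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein
Source: 00000001.00000002.434950366.0000000004299000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein
Source: 00000013.00000002.596048220.0000000000B10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group
Source: COVID-19-Related Requirements.exe, 0000000F.00000002.487052680.0000000001BBF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamewscript.exe` vs COVID-19-Related Requirements.exe
Source: COVID-19-Related Requirements.exe, 00000001.00000002.430989730.0000000000F64000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCo2vKXXLQkGY.exe@ vs COVID-19-Related Requirements.exe
"""

# Page-protection constants from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Assumed dump-name layout: <pid>.<round>.<dump id>.<base>.<protection>.<flags>.sdmp
DUMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\.sdmp")
RULE_RE = re.compile(r"Source:\s*(?P<dump>\S+\.sdmp),.*?Matched rule:\s*(?P<rule>\S+)")
STRING_RE = re.compile(r"(?P<dump>\S+\.sdmp).*?OriginalFilename(?P<name>[\w-]+\.(?:exe|dll))")


@dataclass(frozen=True)
class Region:
    pid: int
    base: int
    protection: int
    dump: str

    @property
    def protection_name(self):
        return PAGE_PROTECTION.get(self.protection & 0xFF, hex(self.protection))

    @property
    def is_rwx(self):
        p = self.protection & 0xFF          # drop PAGE_GUARD / PAGE_NOCACHE modifiers
        return p in EXECUTABLE and p in WRITABLE


def parse_region(dump_name):
    m = DUMP_RE.search(dump_name)
    if not m:
        raise ValueError(f"not a dump name: {dump_name}")
    return Region(int(m["pid"], 16), int(m["base"], 16), int(m["prot"], 16), m.group(0))


def yara_hits(text):
    """(Region, rule name) for every 'Matched rule' row whose source is a memory dump."""
    return [(parse_region(m["dump"]), m["rule"]) for m in RULE_RE.finditer(text)]


def suspicious_hits(text):
    """Hits in writable+executable memory: code that was written at run time rather than
    mapped from an image section, which would normally be PAGE_EXECUTE_READ."""
    return [(r, rule) for r, rule in yara_hits(text) if r.is_rwx]


def image_names(text):
    """(Region, OriginalFilename) for every version-info string found in a dump."""
    return [(parse_region(m["dump"]), m["name"]) for m in STRING_RE.finditer(text)]


def rwx_images(text, pid):
    """Version-info names of binaries sitting in RWX memory of process `pid`."""
    return sorted(n for r, n in image_names(text) if r.pid == pid and r.is_rwx)


if __name__ == "__main__":
    for r, rule in suspicious_hits(SAMPLE_ROWS):
        print(f"pid {r.pid} base {r.base:#x} {r.protection_name} {rule}")
    print("RWX images in pid 15:", rwx_images(SAMPLE_ROWS, 15))
```

Protection 0x04 (PAGE_READWRITE) hits, such as the one at 0x2F80000 in process 19, are configuration or decrypted data rather than executing code, so `suspicious_hits` leaves them out; an analyst triaging which dumps to unpack first would start with the RWX ones at 0x400000 (process 15) and 0xB10000 (process 19).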
Source: COVID-19-Related Requirements.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: COVID-19-Related Requirements.exe, Reboot_IMG/AreaCaptureForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.COVID-19-Related Requirements.exe.ef0000.0.unpack, Reboot_IMG/AreaCaptureForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.COVID-19-Related Requirements.exe.ef0000.0.unpack, Reboot_IMG/AreaCaptureForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.0.COVID-19-Related Requirements.exe.350000.0.unpack, Reboot_IMG/AreaCaptureForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.COVID-19-Related Requirements.exe.350000.0.unpack, Reboot_IMG/AreaCaptureForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 14.0.COVID-19-Related Requirements.exe.240000.0.unpack, Reboot_IMG/AreaCaptureForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/1@1/1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\COVID-19-Related Requirements.exe.log
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Mutant created: \Sessions\1\BaseNamedObjects\KggIKjEuKlfWFkr
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1340:120:WilError_01
Source: COVID-19-Related Requirements.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: COVID-19-Related Requirements.exe | Virustotal: Detection: 23%
Source: COVID-19-Related Requirements.exe | ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | File read: C:\Users\user\Desktop\COVID-19-Related Requirements.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | Process created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
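The process-creation rows above form the FormBook chain that endpoint telemetry would see: the .NET stub relaunches its own image ({path} is the sandbox's shorthand for a command line equal to the image path), explorer.exe then starts a 32-bit system binary (wscript.exe) with no arguments, and that binary runs cmd.exe /c del against the submitted file. The step that joins the two halves, the sample injecting into explorer.exe, produces no process-creation row at all. The following is an added example, not part of the report, that parses rows in the format shown (tolerating the missing column separator and the link text of a raw export), flags those three behaviours, and walks parent links to show where the lineage goes dark. The rule names are this example's own.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: the "Process created" rows of the report above, copied as-is
# (one duplicate row carries the "Jump to behavior" link text a raw export appends).
SAMPLE_ROWS = r"""
Source: unknownProcess created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exeProcess created: C:\Users\user\Desktop\COVID-19-Related Requirements.exe {path}
Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\COVID-19-Related Requirements.exe'Jump to behavior
"""

ROW_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*"
    r"(?P<image>[A-Za-z]:\\.+?\.exe)\s*(?P<cmdline>.*?)(?:Jump to behavior)?$",
    re.M)
DEL_RE = re.compile(r"/c\s+del\s+['\"]?(?P<target>[^'\"]+?)['\"]?\s*$", re.I)


@dataclass(frozen=True)
class Edge:
    parent: str      # image path of the creating process, or "unknown"
    image: str       # image path of the created process
    cmdline: str     # its command line


def name(path):
    return PureWindowsPath(path).name.lower()


def parse_process_rows(text):
    edges = []
    for m in ROW_RE.finditer(text):
        cmd = m["cmdline"].strip()
        if cmd == "{path}":              # command line equal to the image path
            cmd = m["image"]
        edge = Edge(m["parent"].strip(), m["image"], cmd)
        if edge not in edges:            # the report repeats some rows
            edges.append(edge)
    return edges


def detect(edges):
    """(rule, edge) for each behaviour worth alerting on; `sample` is the submitted file,
    identified as the one process whose parent the sandbox did not observe."""
    sample = next((e.image for e in edges if e.parent == "unknown"), None)
    findings = []
    for e in edges:
        if e.parent == e.image:
            findings.append(("relaunches its own image (hollowing host)", e))
        if (name(e.parent) == "explorer.exe" and "\\syswow64\\" in e.image.lower()
                and e.cmdline.lower() == e.image.lower()):
            findings.append(("explorer.exe starts a 32-bit system binary with no arguments", e))
        m = DEL_RE.search(e.cmdline)
        if m and sample and m["target"].lower() == sample.lower():
            findings.append(("deletes the submitted sample via cmd /c del", e))
    return findings


def lineage(edges, image):
    """Walk parent links back from `image`. The walk ends at explorer.exe because no row
    shows anything creating it: the sample entered it by injection, so process-creation
    telemetry alone cannot tie wscript.exe or the delete back to the sample."""
    parents = {}
    for e in edges:
        parents.setdefault(e.image.lower(), e.parent)
    chain, cur = [], image
    while cur and cur != "unknown" and cur not in chain:
        chain.append(cur)
        cur = parents.get(cur.lower())
    return chain


if __name__ == "__main__":
    edges = parse_process_rows(SAMPLE_ROWS)
    for rule, e in detect(edges):
        print(f"{rule}: {name(e.parent)} -> {name(e.image)} [{e.cmdline}]")
    print(" <- ".join(name(p) for p in lineage(edges, r"C:\Windows\SysWOW64\cmd.exe")))
```

In live telemetry the same three rules apply to Sysmon or EDR process-creation events; the lineage gap is the reason the "deletes the sample" rule keys on the original file path rather than on ancestry.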
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\COVID-19-Related Requirements.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: COVID-19-Related Requirements.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: COVID-19-Related Requirements.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL | source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: COVID-19-Related Requirements.exe, 0000000F.00000002.485261731.0000000001AA0000.00000040.00000001.sdmp, wscript.exe, 00000013.00000002.598596904.0000000004E9F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: COVID-19-Related Requirements.exe, wscript.exe
Source: Binary string: wscript.pdb | source: COVID-19-Related Requirements.exe, 0000000F.00000002.485075034.00000000019E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000010.00000000.460588172.0000000007CA0000.00000002.00000001.sdmp