Analysis Report SecuriteInfo.com.Trojan.Packed2.43183.29557.7257

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Packed2.43183.29557.7257 (renamed file extension from 7257 to exe)
Analysis ID: 432683
MD5: 4e9095ceadd56bc68a99947ab929f691
SHA1: bce676ea49fb6709dc0e9a23df2e918e05b4074b
SHA256: 1fe427cfa805bbabdc371ae3f6ccea4088ca76e8b9fce9828a74885d72339020
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Trojan.Packed2.43183.29557.exe (PID: 6916 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe' MD5: 4E9095CEADD56BC68A99947AB929F691)
    • AddInProcess32.exe (PID: 6200 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 2108 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 4812 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
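The tree above is the behaviour a host-side detection should key on: a .NET framework binary name (AddInProcess32.exe) running out of the user's Temp directory, a 32-bit system binary (systray.exe) under explorer.exe spawning cmd.exe, and that cmd.exe deleting the dropped file. The following is an added example, not part of the Joe Sandbox report, of process-creation rules that fire on exactly those three relationships. It re-types the tree as records; pids, parents and command lines come from the tree, while the image paths of explorer.exe and cmd.exe are assumptions (the report lists only their names), as is the rule that AddInProcess32.exe belongs under C:\Windows\Microsoft.NET\Framework. One caveat: the report places explorer.exe under AddInProcess32.exe because the sandbox tracks injection targets (see the injection and "system process connects to network" signatures), so in real EDR telemetry explorer.exe would not carry that parent link and the rules below deliberately do not depend on it.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# The report's process tree as creation records. The sample's own parent is not
# shown in the report, so it is given ppid 0. explorer.exe and cmd.exe paths are
# assumed; the report gives only their names.
EVENTS = [
    Proc(6916, 0, r"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe",
         r"'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe'"),
    Proc(6200, 6916, r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
         r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"),
    Proc(3424, 6200, r"C:\Windows\explorer.exe", ""),
    Proc(2108, 3424, r"C:\Windows\SysWOW64\systray.exe", r"C:\Windows\SysWOW64\systray.exe"),
    Proc(4812, 2108, r"C:\Windows\SysWOW64\cmd.exe",
         r"/c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'"),
    Proc(5964, 4812, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
FRAMEWORK_DIR = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(64)?\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
# Binary names that only belong in the .NET Framework directory (assumption of this example).
FRAMEWORK_BINARIES = {"addinprocess32.exe"}
# "del <path>" with optional single or double quotes around the path.
DEL_TARGET = re.compile(r"\bdel\b\s+['\"]?([^'\"]+?)['\"]?\s*$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(procs, pid):
    """Parent chain of pid, nearest first, stopping at a parent not in the records."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid and by_pid[pid].ppid in by_pid:
        pid = by_pid[pid].ppid
        chain.append(by_pid[pid])
    return chain


def analyze(procs):
    """Return a set of (rule, pid) findings over the creation records."""
    by_pid = {p.pid: p for p in procs}
    findings = set()
    for p in procs:
        name = basename(p.image)
        if USER_TEMP.match(p.image):
            findings.add(("exe-in-user-temp", p.pid))
        if name in FRAMEWORK_BINARIES and not FRAMEWORK_DIR.match(p.image):
            findings.add(("framework-binary-outside-framework-dir", p.pid))
        parent = by_pid.get(p.ppid)
        # A system binary other than the shell or cmd itself launching cmd.exe.
        if (name == "cmd.exe" and parent and SYSTEM_DIR.match(parent.image)
                and basename(parent.image) not in {"cmd.exe", "explorer.exe"}):
            findings.add(("system-binary-spawns-cmd", parent.pid))
        # cmd.exe deleting the image of one of its own ancestors: dropper self-cleanup.
        m = DEL_TARGET.search(p.cmdline) if name == "cmd.exe" else None
        if m and any(a.image.lower() == m.group(1).lower() for a in ancestors(procs, p.pid)):
            findings.add(("self-delete-of-ancestor-image", p.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in sorted(analyze(EVENTS)):
        print(f"{rule:40} pid {pid}")
```

The self-delete rule walks the parent chain rather than matching on a fixed parent, so it still fires when the chain between dropper and cmd.exe is longer or shorter than in this run.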

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.roamallday.com/sadn/"], "decoy": ["blessonschool.com", "lydialondon.com", "evln.xyz", "mychallengeiam.com", "stealthshop.net", "amybrownwhiteconsulting.info", "pakistanwholesaler.com", "authenticcase.com", "timothymaina.com", "kiem-etre.com", "thslot39.com", "tripprivee.com", "timeforbusinessblog.xyz", "afgecouncil100.com", "automotivesupplierdc.com", "thebigfoottheory.com", "resocoin.com", "healthepartner.com", "kkrazzybazar.com", "stgwxq.com", "tech4thelolo.com", "smshare2u.com", "mow-it-now.com", "seemymiamihome.com", "urbanadultstore.com", "tmvh8.com", "livelifelocalpublications.com", "blaxies3.com", "hotlab.info", "axmpjbwqh.icu", "lileshop.com", "genariofficial.com", "vibeofthetribe.com", "tldyyl.com", "dapurbuageung.com", "murrayburngundogs.com", "hertsandlondonknee.com", "mcfarline.com", "chicskr.com", "producepatties.com", "026lw.com", "humblehomeus.com", "accukoopje.com", "tantnewsgarre.website", "okettnet.net", "mattwilborne.info", "granthamrobotics.com", "theinfluenceprogram.net", "pointmortgageservicing.com", "garantiservice.com", "bossesbuildbusinesscredit.com", "oselsoft.xyz", "lareleverh.com", "mirzaissa-realtor.com", "tourneyphotos.com", "handpickednurse.com", "guiaconservador.com", "theliftquotient.com", "linkalto.com", "cosmoandcocrafts.com", "wzcp09.com", "mclpay.com", "jobjiihnb.club", "sudesheranga.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8190:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x851a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1422d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13d19:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1432f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x144a7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x8f32:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12f94:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9caa:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1931f:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a3c2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16251:$sqlite3step: 68 34 1C 7B E1
  • 0x16364:$sqlite3step: 68 34 1C 7B E1
  • 0x16280:$sqlite3text: 68 38 2A 90 C5
  • 0x163a5:$sqlite3text: 68 38 2A 90 C5
  • 0x16293:$sqlite3blob: 68 53 D8 7F 8C
  • 0x163bb:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(22 further entries omitted)

Unpacked PEs

Source | Rule | Description | Author | Strings
11.0.AddInProcess32.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
11.0.AddInProcess32.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.0.AddInProcess32.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
11.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
11.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further entries omitted)
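The two community rules hit on the same byte strings in every dump and unpacked PE, only at different offsets (0x8190, 0x85e8 and 0x77e8 for the first $sequence_0 hit), so a detection should match on the bytes, not the positions. The first string is also readable: 03 C8 / 0F 31 / 2B C1 / 89 45 FC is add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax, a time-stamp-counter delta that lines up with the "RDTSC time measurements" signature above. The JPCERT/CC strings are each a 5-byte push imm32 (opcode 68); the rule names them after sqlite3 APIs, which suggests the immediates are hashed API names, although the report itself does not say so. The following is an added example, not code from the report or from either rule's author: it carries the string identifiers and bytes from the tables above, scans a buffer for them, decodes the push immediates, and renders a rule's strings back into YARA syntax. The buffer is constructed for the example (a byte ramp with three strings planted), and the "any of them" condition is this example's choice because the report does not show the rules' real conditions.

```python
import struct

# String identifiers and bytes exactly as listed in the rule hits above.
RULE_STRINGS = {
    "Formbook_1": {                      # yara-signator rule, Felix Bilstein
        "$sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
        "$sequence_1": bytes.fromhex("3C 24 0F 84 76 FF FF FF 3C 25 74 94"),
        "$sequence_2": bytes.fromhex("3B 4F 14 73 95 85 C9 74 91"),
        "$sequence_3": bytes.fromhex("3C 69 75 44 8B 7D 18 8B 0F"),
        "$sequence_4": bytes.fromhex("5D C3 8D 50 7C 80 FA 07"),
        "$sequence_5": bytes.fromhex("0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06"),
        "$sequence_6": bytes.fromhex("57 89 45 FC 89 45 F4 89 45 F8"),
        "$sequence_7": bytes.fromhex("66 89 0C 02 5B 8B E5 5D"),
        "$sequence_8": bytes.fromhex("3C 54 74 04 3C 74 75 F4"),
        "$sequence_9": bytes.fromhex("56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00"),
    },
    "Formbook": {                        # JPCERT/CC rule; each string is "push imm32"
        "$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
        "$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
        "$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
    },
}
# $sequence_0 disassembles to: add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax


def find_all(buf: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in buf, overlapping hits included."""
    hits, pos = [], buf.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(needle, pos + 1)
    return hits


def scan(buf: bytes) -> dict:
    """{rule: {string_id: [offsets]}} for every rule string present in buf."""
    report = {}
    for rule, strings in RULE_STRINGS.items():
        hits = {sid: find_all(buf, s) for sid, s in strings.items()}
        hits = {sid: offs for sid, offs in hits.items() if offs}
        if hits:
            report[rule] = hits
    return report


def push_imm32(seq: bytes) -> int:
    """Immediate operand of a 5-byte 'push imm32' (opcode 0x68, little-endian)."""
    if len(seq) != 5 or seq[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", seq[1:])[0]


def as_yara(rule: str) -> str:
    """Render one rule's strings back into YARA syntax.
    The condition is this example's choice; the report does not show the real one."""
    body = "\n".join(f"        {sid} = {{ {s.hex(' ').upper()} }}"
                     for sid, s in RULE_STRINGS[rule].items())
    return (f"rule {rule}\n{{\n    strings:\n{body}\n"
            f"    condition:\n        any of them\n}}\n")


# Constructed test buffer (not data from the sample): a byte ramp that contains
# none of the strings, with $sequence_0 planted twice and $sqlite3step once.
FILLER = bytes(range(256)) * 4
_buf = bytearray(FILLER)
_buf[0x040:0x049] = RULE_STRINGS["Formbook_1"]["$sequence_0"]
_buf[0x180:0x189] = RULE_STRINGS["Formbook_1"]["$sequence_0"]
_buf[0x300:0x305] = RULE_STRINGS["Formbook"]["$sqlite3step"]
SAMPLE_BUF = bytes(_buf)

if __name__ == "__main__":
    for rule, hits in scan(SAMPLE_BUF).items():
        for sid, offs in hits.items():
            print(rule, sid, [hex(o) for o in offs])
    print(hex(push_imm32(RULE_STRINGS["Formbook"]["$sqlite3step"])))
    print(as_yara("Formbook"))
```

Running the block against a real memory dump (read the .sdmp or unpacked PE into `buf` and call `scan`) reproduces the per-string offsets the tables above list; `as_yara` output can be compiled with the yara tool directly once a condition that matches the original rule is substituted.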

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | VirusTotal: Detection: 33%
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Joe Sandbox ML: detected
Source: 11.0.AddInProcess32.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb | source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: systray.pdb | source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: systray.pdbGCTL | source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: AddInProcess32.exe, 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, systray.exe, 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: AddInProcess32.exe, systray.exe
Source: Binary string: AddInProcess32.pdbpw | source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000000.725190319.0000000000CD2000.00000002.00020000.sdmp, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.roamallday.com/sadn/
Source: global traffic | HTTP traffic detected: GET /sadn/?5jDxn=9rYPWNexEp&9r8=cvOZMLUYKOYUB2MIVs3brF1aeCykDgyLTnisf2vSTBUNQvDIkJgvRwpKMlOnwLgVr/YP HTTP/1.1 | Host: www.granthamrobotics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /sadn/?9r8=DXfJxxxI+/4CaoDoAzC1V5G6SJQKNuW4mru3KXZlF9SJY6Uq4c9wctugrHKIzz2k7BKt&5jDxn=9rYPWNexEp HTTP/1.1 | Host: www.mclpay.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 13.59.53.244
Source: unknown | DNS traffic detected: queries for: www.granthamrobotics.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 10 Jun 2021 14:59:57 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
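Two details of the traffic above matter for detection. Both hosts the sample contacted, www.granthamrobotics.com and www.mclpay.com, are in the extracted decoy list rather than the C2 entry, and the configured C2 www.roamallday.com was not contacted in this run; so the decoy list is as useful an indicator as the C2 entry. The requests also share the configured path /sadn/, carry no User-Agent, use Connection: close, and use the same pair of query keys (5jDxn and 9r8) against both hosts. The following is an added example, not part of the report, of turning the extracted configuration into request-level detection logic: it parses a trimmed copy of the configuration JSON above (the C2 entry plus three of the 64 decoys), normalises hosts by stripping a leading "www." (the decoys are listed bare while the Host headers carry "www."), and scores raw HTTP requests. The two captured requests are re-typed from the report; the two contrasting requests, the threshold of three reasons plus a path match, and the short-query-key heuristic are constructed choices of this example.

```python
import json
from urllib.parse import urlsplit

# Trimmed copy of the configuration the report extracted: the single C2 entry
# and three of the 64 decoy domains (the two that were contacted plus one more).
CONFIG_JSON = """{"C2 list": ["www.roamallday.com/sadn/"],
 "decoy": ["blessonschool.com", "granthamrobotics.com", "mclpay.com"]}"""

# The two GET requests the report captured, re-typed as raw HTTP (headers only).
CAPTURED = [
    "GET /sadn/?5jDxn=9rYPWNexEp&9r8=cvOZMLUYKOYUB2MIVs3brF1aeCykDgyLTnisf2vSTBUNQvDIkJgvRwpKMlOnwLgVr/YP HTTP/1.1\r\n"
    "Host: www.granthamrobotics.com\r\nConnection: close\r\n\r\n",
    "GET /sadn/?9r8=DXfJxxxI+/4CaoDoAzC1V5G6SJQKNuW4mru3KXZlF9SJY6Uq4c9wctugrHKIzz2k7BKt&5jDxn=9rYPWNexEp HTTP/1.1\r\n"
    "Host: www.mclpay.com\r\nConnection: close\r\n\r\n",
]
# Constructed for contrast: an ordinary browser request, and a browser visit to a
# decoy domain. A decoy is a real, unrelated site, so the second must not fire.
CONSTRUCTED = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
    "GET /about.html HTTP/1.1\r\nHost: www.mclpay.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]


def _bare(host: str) -> str:
    """Lower-case host with a leading 'www.' removed, so config and Host header compare."""
    host = host.lower().strip()
    return host[4:] if host.startswith("www.") else host


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, target and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def load_config(text: str) -> dict:
    """C2 hosts, C2 paths and decoy hosts from the extractor's JSON."""
    cfg = json.loads(text)
    c2_hosts, c2_paths = set(), set()
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2_hosts.add(_bare(host))
        c2_paths.add("/" + path)
    return {"c2_hosts": c2_hosts, "c2_paths": c2_paths,
            "decoys": {_bare(d) for d in cfg["decoy"]}}


def classify(req: dict, cfg: dict) -> dict:
    """Collect reasons; a check-in needs the C2 path plus at least three reasons in total."""
    reasons = []
    host = req["headers"].get("host", "")
    url = urlsplit(req["target"])
    if _bare(host) in cfg["c2_hosts"]:
        reasons.append("host is the configured C2")
    elif _bare(host) in cfg["decoys"]:
        reasons.append("host is a configured decoy")
    if url.path in cfg["c2_paths"]:
        reasons.append(f"path {url.path} is the configured C2 path")
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header")
    keys = [p.split("=", 1)[0] for p in url.query.split("&") if p]
    if len(keys) == 2 and all(3 <= len(k) <= 8 and k.isalnum() for k in keys):
        reasons.append("two short alphanumeric query keys")  # heuristic of this example
    checkin = url.path in cfg["c2_paths"] and len(reasons) >= 3
    return {"host": host, "reasons": reasons,
            "verdict": "formbook-checkin" if checkin else "no-match"}


def triage(raws=None, config=CONFIG_JSON) -> list:
    cfg = load_config(config)
    return [classify(parse_request(r), cfg) for r in (raws or CAPTURED + CONSTRUCTED)]


if __name__ == "__main__":
    for r in triage():
        print(f'{r["verdict"]:17} {r["host"]:26} {"; ".join(r["reasons"])}')
```

Requiring the path match keeps a browser visit to a decoy domain from firing, which matters because the decoys are legitimate third-party sites; a block list built from the decoy entries alone would generate noise.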
Strings found in process memory (none is a contacted address; the font-vendor URLs from explorer.exe and the namespace URLs are static strings):
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.730902594.0000000006A83000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652412615.0000000006A7E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1P
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.730902594.0000000006A83000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652412615.0000000006A7E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/gP
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.730902594.0000000006A83000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652412615.0000000006A7E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobjP
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652216791.0000000006A7E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.d
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731660422.0000000002780000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731639609.0000000002751000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000C.00000000.736993153.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731639609.0000000002751000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731639609.0000000002751000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | the same nine MEMORY sources and four UNPACKEDPE sources listed under "Yara detected FormBook" in AV Detection above

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large array initializationsShow sources
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, j2DC/Rb6y.csLarge array initialization: .cctor: array initializer size 3852
          Source: 1.0.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, j2DC/Rb6y.csLarge array initialization: .cctor: array initializer size 3852
          Source: 1.2.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, j2DC/Rb6y.csLarge array initialization: .cctor: array initializer size 3852
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_004181B0 NtCreateFile | 11_2_004181B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_00418260 NtReadFile | 11_2_00418260
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_004182E0 NtClose | 11_2_004182E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_00418390 NtAllocateVirtualMemory | 11_2_00418390
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_004181AA NtCreateFile | 11_2_004181AA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0041825A NtReadFile | 11_2_0041825A
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_004182E2 NtClose | 11_2_004182E2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9910 NtAdjustPrivilegesToken, LdrInitializeThunk | 11_2_017F9910
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F99A0 NtCreateSection, LdrInitializeThunk | 11_2_017F99A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9860 NtQuerySystemInformation, LdrInitializeThunk | 11_2_017F9860
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9840 NtDelayExecution, LdrInitializeThunk | 11_2_017F9840
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F98F0 NtReadVirtualMemory, LdrInitializeThunk | 11_2_017F98F0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9A50 NtCreateFile, LdrInitializeThunk | 11_2_017F9A50
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9A20 NtResumeThread, LdrInitializeThunk | 11_2_017F9A20
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9A00 NtProtectVirtualMemory, LdrInitializeThunk | 11_2_017F9A00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9540 NtReadFile, LdrInitializeThunk | 11_2_017F9540
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F95D0 NtClose, LdrInitializeThunk | 11_2_017F95D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9710 NtQueryInformationToken, LdrInitializeThunk | 11_2_017F9710
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9FE0 NtCreateMutant, LdrInitializeThunk | 11_2_017F9FE0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F97A0 NtUnmapViewOfSection, LdrInitializeThunk | 11_2_017F97A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9780 NtMapViewOfSection, LdrInitializeThunk | 11_2_017F9780
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9660 NtAllocateVirtualMemory, LdrInitializeThunk | 11_2_017F9660
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F96E0 NtFreeVirtualMemory, LdrInitializeThunk | 11_2_017F96E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9950 NtQueueApcThread | 11_2_017F9950
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F99D0 NtCreateProcessEx | 11_2_017F99D0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017FB040 NtSuspendThread | 11_2_017FB040
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9820 NtEnumerateKey | 11_2_017F9820
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F98A0 NtWriteVirtualMemory | 11_2_017F98A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9B00 NtSetValueKey | 11_2_017F9B00
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017FA3B0 NtGetContextThread | 11_2_017FA3B0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9A10 NtQuerySection | 11_2_017F9A10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9A80 NtOpenDirectoryObject | 11_2_017F9A80
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9560 NtWriteFile | 11_2_017F9560
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017FAD30 NtSetContextThread | 11_2_017FAD30
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9520 NtWaitForSingleObject | 11_2_017F9520
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F95F0 NtQueryInformationFile | 11_2_017F95F0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017FA770 NtOpenThread | 11_2_017FA770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9770 NtSetInformationFile | 11_2_017F9770
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9760 NtOpenProcess | 11_2_017F9760
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9730 NtQueryVirtualMemory | 11_2_017F9730
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017FA710 NtOpenProcessToken | 11_2_017FA710
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9670 NtQueryInformationProcess | 11_2_017F9670
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9650 NtQueryValueKey | 11_2_017F9650
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9610 NtEnumerateValueKey | 11_2_017F9610
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F96D0 NtCreateKey | 11_2_017F96D0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9540 NtReadFile, LdrInitializeThunk | 17_2_045B9540
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B95D0 NtClose, LdrInitializeThunk | 17_2_045B95D0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9650 NtQueryValueKey, LdrInitializeThunk | 17_2_045B9650
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9660 NtAllocateVirtualMemory, LdrInitializeThunk | 17_2_045B9660
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B96D0 NtCreateKey, LdrInitializeThunk | 17_2_045B96D0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B96E0 NtFreeVirtualMemory, LdrInitializeThunk | 17_2_045B96E0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9710 NtQueryInformationToken, LdrInitializeThunk | 17_2_045B9710
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9FE0 NtCreateMutant, LdrInitializeThunk | 17_2_045B9FE0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9780 NtMapViewOfSection, LdrInitializeThunk | 17_2_045B9780
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9840 NtDelayExecution, LdrInitializeThunk | 17_2_045B9840
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9860 NtQuerySystemInformation, LdrInitializeThunk | 17_2_045B9860
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9910 NtAdjustPrivilegesToken, LdrInitializeThunk | 17_2_045B9910
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B99A0 NtCreateSection, LdrInitializeThunk | 17_2_045B99A0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9A50 NtCreateFile, LdrInitializeThunk | 17_2_045B9A50
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9560 NtWriteFile | 17_2_045B9560
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045BAD30 NtSetContextThread | 17_2_045BAD30
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9520 NtWaitForSingleObject | 17_2_045B9520
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B95F0 NtQueryInformationFile | 17_2_045B95F0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9670 NtQueryInformationProcess | 17_2_045B9670
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9610 NtEnumerateValueKey | 17_2_045B9610
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045BA770 NtOpenThread | 17_2_045BA770
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9770 NtSetInformationFile | 17_2_045B9770
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9760 NtOpenProcess | 17_2_045B9760
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045BA710 NtOpenProcessToken | 17_2_045BA710
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9730 NtQueryVirtualMemory | 17_2_045B9730
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B97A0 NtUnmapViewOfSection | 17_2_045B97A0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045BB040 NtSuspendThread | 17_2_045BB040
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9820 NtEnumerateKey | 17_2_045B9820
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B98F0 NtReadVirtualMemory | 17_2_045B98F0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B98A0 NtWriteVirtualMemory | 17_2_045B98A0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9950 NtQueueApcThread | 17_2_045B9950
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B99D0 NtCreateProcessEx | 17_2_045B99D0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9A10 NtQuerySection | 17_2_045B9A10
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9A00 NtProtectVirtualMemory | 17_2_045B9A00
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9A20 NtResumeThread | 17_2_045B9A20
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9A80 NtOpenDirectoryObject | 17_2_045B9A80
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045B9B00 NtSetValueKey | 17_2_045B9B00
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045BA3B0 NtGetContextThread | 17_2_045BA3B0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CD82E0 NtClose | 17_2_02CD82E0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CD8260 NtReadFile | 17_2_02CD8260
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CD8390 NtAllocateVirtualMemory | 17_2_02CD8390
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CD81B0 NtCreateFile | 17_2_02CD81B0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CD82E2 NtClose | 17_2_02CD82E2
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CD825A NtReadFile | 17_2_02CD825A
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CD81AA NtCreateFile | 17_2_02CD81AA
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Code function: 1_2_0662237C CreateProcessAsUserW | 1_2_0662237C
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Code function: 1_2_06621B18 | 1_2_06621B18
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Code function: 1_2_06620040 | 1_2_06620040
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Code function: 1_2_066148A2 | 1_2_066148A2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Code function: 1_2_066163AB | 1_2_066163AB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Code function: 1_2_027280C0 | 1_2_027280C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Code function: 1_2_0272C5C0 | 1_2_0272C5C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Code function: 1_2_0272EE90 | 1_2_0272EE90
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Code function: 1_2_0272BB98 | 1_2_0272BB98
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Code function: 1_2_0272BDF0 | 1_2_0272BDF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0041C06D | 11_2_0041C06D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_00401030 | 11_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0041C284 | 11_2_0041C284
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0041CB0D | 11_2_0041CB0D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0041CB10 | 11_2_0041CB10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_00408C50 | 11_2_00408C50
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0041B573 | 11_2_0041B573
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_00402D90 | 11_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0041C781 | 11_2_0041C781
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_00402FB0 | 11_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_00CD2050 | 11_2_00CD2050
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017D4120 | 11_2_017D4120
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017BF900 | 11_2_017BF900
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_018820A8 | 11_2_018820A8
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017DA830 | 11_2_017DA830
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_018828EC | 11_2_018828EC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_01871002 | 11_2_01871002
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0188E824 | 11_2_0188E824
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017E20A0 | 11_2_017E20A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017CB090 | 11_2_017CB090
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017DAB40 | 11_2_017DAB40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0187DBD2 | 11_2_0187DBD2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_018703DA | 11_2_018703DA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_01882B28 | 11_2_01882B28
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017EEBB0 | 11_2_017EEBB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_018822AE | 11_2_018822AE
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0186FA2B | 11_2_0186FA2B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_018825DD | 11_2_018825DD
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017B0D20 | 11_2_017B0D20
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_01882D07 | 11_2_01882D07
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017CD5E0 | 11_2_017CD5E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_01881D55 | 11_2_01881D55
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017E2581 | 11_2_017E2581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017C841F | 11_2_017C841F
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0187D466 | 11_2_0187D466
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0188DFCE | 11_2_0188DFCE
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_01881FF1 | 11_2_01881FF1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017D6E30 | 11_2_017D6E30
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_01882EF7 | 11_2_01882EF7
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0187D616 | 11_2_0187D616
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0463D466 | 17_2_0463D466
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0458841F | 17_2_0458841F
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_04641D55 | 17_2_04641D55
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_04642D07 | 17_2_04642D07
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_04570D20 | 17_2_04570D20
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0458D5E0 | 17_2_0458D5E0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_046425DD | 17_2_046425DD
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045A2581 | 17_2_045A2581
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_04596E30 | 17_2_04596E30
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0463D616 | 17_2_0463D616
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_04642EF7 | 17_2_04642EF7
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_04641FF1 | 17_2_04641FF1
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0464DFCE | 17_2_0464DFCE
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0464E824 | 17_2_0464E824
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_04631002 | 17_2_04631002
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0459A830 | 17_2_0459A830
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_046428EC | 17_2_046428EC
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0458B090 | 17_2_0458B090
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_046420A8 | 17_2_046420A8
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045A20A0 | 17_2_045A20A0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0457F900 | 17_2_0457F900
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_04594120 | 17_2_04594120
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045999BF | 17_2_045999BF
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0462FA2B | 17_2_0462FA2B
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_046422AE | 17_2_046422AE
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0459AB40 | 17_2_0459AB40
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_04642B28 | 17_2_04642B28
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_0463DBD2 | 17_2_0463DBD2
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_046303DA | 17_2_046303DA
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_045AEBB0 | 17_2_045AEBB0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CDCB0D | 17_2_02CDCB0D
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CDCB10 | 17_2_02CDCB10
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CDC781 | 17_2_02CDC781
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CC2FB0 | 17_2_02CC2FB0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CC8C50 | 17_2_02CC8C50
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CC2D90 | 17_2_02CC2D90
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 17_2_02CDB573 | 17_2_02CDB573
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: String function: 017BB150 appears 54 times
          Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 0457B150 appears 69 times
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731064405.00000000003A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStudent.exe0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731731070.0000000002801000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPe6.dll" vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.737040753.0000000003758000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAddInProcess32.exeT vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740459563.00000000062B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Binary or memory string: OriginalFilenameStudent.exe0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/2@3/2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Virustotal: Detection: 33%
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | ReversingLabs: Detection: 36%
          Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
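The process chain listed above (sample, then a copy of the .NET Framework host AddInProcess32.exe dropped in %TEMP%, then explorer.exe spawning systray.exe, then cmd.exe /c del removing the dropped copy) is the part of this report most worth turning into a detection. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that rebuilds the tree from constructed process-creation records (the PIDs are invented; the image paths and command lines are the ones the report lists, plus one benign notepad.exe child of explorer.exe as a negative case) and flags three things: a .NET Framework host binary running from outside %WINDIR%\Microsoft.NET, explorer.exe spawning a SysWOW64 system binary with a bare command line, and a cmd.exe /c del whose target is an image that executed in the same tree. The record format and the list of host-binary names are assumptions.

```python
"""Rebuild a process tree from process-creation records and flag the hollowing/self-delete chain."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed records (PIDs invented; image paths and command lines are the ones the report lists).
# One "pid= ppid= image= cmdline=" record per line; explorer.exe is included as the user's shell.
SAMPLE_EVENTS = r"""
pid=3120 ppid=900 image=C:\Windows\explorer.exe cmdline="C:\Windows\explorer.exe"
pid=5100 ppid=3120 image=C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe cmdline="C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe"
pid=5212 ppid=5100 image=C:\Users\user\AppData\Local\Temp\AddInProcess32.exe cmdline="C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"
pid=5340 ppid=3120 image=C:\Windows\SysWOW64\systray.exe cmdline="C:\Windows\SysWOW64\systray.exe"
pid=5480 ppid=5340 image=C:\Windows\SysWOW64\cmd.exe cmdline="C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'"
pid=5964 ppid=5480 image=C:\Windows\System32\conhost.exe cmdline="C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"
pid=6000 ppid=3120 image=C:\Windows\System32\notepad.exe cmdline="C:\Windows\System32\notepad.exe C:\Users\user\notes.txt"
"""

EVENT_RE = re.compile(r'^pid=(\d+) ppid=(\d+) image=(\S+) cmdline="(.*)"$')
DEL_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+)['\"]?", re.IGNORECASE)

# Assumption: .NET Framework host binaries that ship only under %WINDIR%\Microsoft.NET\Framework*.
DOTNET_HOST_BINARIES = {"addinprocess32.exe", "addinprocess.exe", "regasm.exe", "regsvcs.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> Dict[int, Proc]:
    procs: Dict[int, Proc] = {}
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        pid, ppid, image, cmdline = m.groups()
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline)
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from the outermost known ancestor down to pid."""
    names = []
    while pid in procs:
        names.append(image_name(procs[pid].image))
        pid = procs[pid].ppid
    return names[::-1]


def find_findings(procs: Dict[int, Proc]) -> List[Tuple[str, int]]:
    findings: List[Tuple[str, int]] = []
    executed_images = {p.image.lower() for p in procs.values()}
    for p in procs.values():
        name = image_name(p.image)
        parent = procs.get(p.ppid)
        # 1. A .NET host binary running from outside its install directory: the report shows
        #    AddInProcess32.exe copied to %TEMP% and used as the hollowing target.
        if name in DOTNET_HOST_BINARIES and "\\microsoft.net\\" not in p.image.lower():
            findings.append(("dotnet_host_outside_framework_dir", p.pid))
        # 2. explorer.exe spawning a SysWOW64 system binary with a bare command line,
        #    as with systray.exe here after code was injected into explorer.exe.
        if (parent is not None and image_name(parent.image) == "explorer.exe"
                and p.image.lower().startswith("c:\\windows\\syswow64\\")
                and p.cmdline.strip('"').lower() == p.image.lower()):
            findings.append(("explorer_spawned_bare_syswow64_binary", p.pid))
        # 3. cmd.exe /c del whose target is an image that executed in this tree (self-deletion).
        m = DEL_RE.search(p.cmdline)
        if name == "cmd.exe" and m and m.group(1).lower() in executed_images:
            findings.append(("self_delete_of_executed_image", p.pid))
    return findings


if __name__ == "__main__":
    procs = parse_events(SAMPLE_EVENTS)
    for rule, pid in find_findings(procs):
        print(f"{rule}: pid {pid} via {' -> '.join(ancestry(procs, pid))}")
```

Rule 2 is deliberately narrow (parent explorer.exe, SysWOW64 path, no arguments) because explorer.exe legitimately launches many System32 and SysWOW64 programs with arguments; rule 3 correlates the del target against images seen in the same tree rather than alerting on every cmd.exe /c del. Swap the constructed records for real Sysmon Event ID 1 data by adjusting EVENT_RE.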
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
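The "Static PE information" rows above come straight from the optional header and the section table: DllCharacteristics bits, a non-zero IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry (the CLR header, which is what marks the file as a managed image and is consistent with the mscorlib native image being loaded above), and per-section characteristics. The Python below is an added example, not report or sample code, that decodes those fields with only the standard library. It builds a constructed header-only PE32 image carrying the same values the report lists (the CLR header RVA and size in it are made up); pass a real file path on the command line to run it against an actual sample.

```python
"""Decode DllCharacteristics, the CLR data directory and section flags from a PE header."""
import struct
import sys

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (PE/COFF specification)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# IMAGE_SECTION_HEADER.Characteristics bits that matter for code/data classification
SECTION_CHARACTERISTICS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)


def flag_names(value, table):
    """Names of the bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32plus = magic == 0x20B
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    nrva_off = opt + (108 if pe32plus else 92)      # NumberOfRvaAndSizes
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    com_rva = com_size = 0
    if nrva > COM_DESCRIPTOR_INDEX:
        com_rva, com_size = struct.unpack_from(
            "<II", data, nrva_off + 4 + COM_DESCRIPTOR_INDEX * 8)
    sections = []
    sec_off = opt + opt_size
    for i in range(nsections):
        hdr = data[sec_off + i * 40: sec_off + (i + 1) * 40]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", hdr, 36)[0]
        sections.append((name, flag_names(chars, SECTION_CHARACTERISTICS)))
    return {
        "pe32plus": pe32plus,
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "managed": com_rva != 0 and com_size != 0,
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 image carrying the values the report lists."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    opt = bytearray(224)                                  # PE32 optional header incl. 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                    # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x8560)               # NO_SEH|TS_AWARE|DYNAMIC_BASE|NX_COMPAT|HIGH_ENTROPY_VA
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + COM_DESCRIPTOR_INDEX * 8, 0x2008, 0x48)  # CLR header (made-up RVA/size)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)        # i386, 1 section, EXE|32BIT
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<I", sec, 36, 0x60000020)           # CNT_CODE|MEM_EXECUTE|MEM_READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in parse_pe_headers(blob).items():
        print(f"{key}: {value}")
```

Two caveats when reading these flags on a sample like this one: HIGH_ENTROPY_VA only changes anything for 64-bit images, so on a PE32 file it says nothing about the process that actually ran, and the presence of NX_COMPAT and DYNAMIC_BASE on the dropper is irrelevant to the hollowed AddInProcess32.exe, whose mapped image is replaced after the process is created.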
          Source: Binary string: AddInProcess32.pdb source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: systray.pdb source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: systray.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, systray.exe, 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, systray.exe
          Source: Binary string: AddInProcess32.pdbpw source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000000.725190319.0000000000CD2000.00000002.00020000.sdmp, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp