
Analysis Report 5SXTKXCnqS

Overview

General Information

Sample Name: 5SXTKXCnqS (renamed file extension from none to exe)
Analysis ID: 432719
MD5: cb4947e5c78ada624d22c28ee9079871
SHA1: eb2c2d329e9be0b3a74582a4fd9c257bc795a690
SHA256: 02230fb80db0fe0055730a0af8b3a0c66a578b2c315206053b80bae250c5561d
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 5SXTKXCnqS.exe (PID: 5828 cmdline: 'C:\Users\user\Desktop\5SXTKXCnqS.exe' MD5: CB4947E5C78ADA624D22C28EE9079871)
    • 5SXTKXCnqS.exe (PID: 4328 cmdline: 'C:\Users\user\Desktop\5SXTKXCnqS.exe' MD5: CB4947E5C78ADA624D22C28EE9079871)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 4940 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 1384 cmdline: /c del 'C:\Users\user\Desktop\5SXTKXCnqS.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.updatesz.com/hlx/"], "decoy": ["firo.store", "unmeasured-grace.com", "burger-ff.com", "alcargomoversllc.com", "brianratkevich.com", "semugaralara01.net", "ngalvision.com", "texaslearningpods.com", "ontarioboatcharters.com", "kleinrugcleaning.com", "michaelvancebromfield.com", "habitameya.com", "elyoma.com", "worldtvepisode.com", "masatakahorie.com", "jumpinginfo.com", "hfjxhs.com", "bf-swiss.com", "rvingbus.com", "suxfi.com", "schoolcardtrades.com", "motion-airsoft.com", "123netflix.moe", "ic200mdl750.com", "silkensarees.com", "digitalmarketingtraining.xyz", "foypay.com", "eudoraacantik.com", "healthyandwealthie.com", "print-postcards-fast.com", "alpha-psych.com", "merthyrrock.com", "mss52.com", "cddcsw.com", "istanbulbisiklettamircisi.com", "ertugrulbey.net", "katarina-yoga.com", "findholmesinlaurelmaryland.com", "sabciu.net", "shipthuocnhanh24h.com", "veganonthegreens.com", "ailil-alvarez.com", "thefashionszone.com", "geminicomputerofficial.com", "terraveda.net", "ruhstorfer-gruppe.info", "suderstr.com", "yunjichem.com", "priyadubai.com", "sofierceboutique.com", "nealcurtiss.com", "mcgdinner.com", "steplife.info", "pwagih.com", "cpzgzcw.com", "wierzewzwierze.com", "asbestosconsultancyservices.com", "centerstageacademyaz.com", "skip1-dndasasd.com", "successteamrealty.com", "mijninboxe.com", "berkeleyrehab.com", "tfjxw.com", "mcluxuryrentals.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings are listed beneath each row)
00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author (matched strings are listed beneath each row)
0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0.2.5SXTKXCnqS.exe.2170000.3.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.5SXTKXCnqS.exe.2170000.3.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further unpacked-PE entries not shown)
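Added example, not part of the Joe Sandbox report and not the published rules themselves: a Python scanner that searches a dump for the rule strings listed in the two tables above and translates hit offsets between memory layout and file layout. The same strings hit both the `.raw.unpack` and the `.unpack` artifact, and every `.unpack` offset is exactly 0xE00 below its `.raw.unpack` counterpart (0x98e8 vs 0x8ae8, 0x1c31a vs 0x1b51a), which is what a section mapped at RVA 0x1000 and stored at file offset 0x200 produces. The section table in the code is an assumption chosen to reproduce that shift, not the sample's real header, and the scanned image is constructed with the patterns planted at the reported offsets. `$sequence_0` decodes to `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, i.e. the RDTSC timing check the signature list reports; the JPCERT/CC strings are `push imm32` instructions whose constants the rule names after sqlite3 exports, consistent with API resolution by hash. The `looks_like_formbook` verdict is a simplified condition of this example, not the conditions of either published rule.

```python
"""Scan a dump for the FormBook byte sequences listed in the report's Yara tables and
translate hit offsets between memory layout (RVA) and file layout.
Added example; the section table and the scanned image are constructed assumptions."""
from typing import Dict, List, NamedTuple

# Patterns copied from the rule strings shown in the report, with what they decode to.
SEQUENCES: Dict[str, str] = {
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax : RDTSC timing check (anti-VM)
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    # movsx/movzx byte loads, and ebx,0xF, shr edx,6 : bit shuffling typical of a base64 decoder
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    # push imm32 of constants the JPCERT/CC rule names after sqlite3 exports
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}

def parse_hex(text: str) -> bytes:
    return bytes.fromhex(text)          # fromhex ignores the spaces between bytes

def scan(buf: bytes) -> Dict[str, List[int]]:
    """Return every offset at which each pattern occurs (overlapping hits included)."""
    hits: Dict[str, List[int]] = {}
    for name, hexstr in SEQUENCES.items():
        needle, found = parse_hex(hexstr), []
        pos = buf.find(needle)
        while pos != -1:
            found.append(pos)
            pos = buf.find(needle, pos + 1)
        hits[name] = found
    return hits

def format_hits(hits: Dict[str, List[int]]) -> List[str]:
    """Render hits in the report's own 'offset:$name: bytes' style."""
    return [f"{off:#x}:${name}: {SEQUENCES[name]}" for name, offs in hits.items() for off in offs]

def looks_like_formbook(hits: Dict[str, List[int]]) -> bool:
    """Simplified verdict for this example (not the published rules' conditions):
    the RDTSC sequence plus all three sqlite3 constants."""
    return bool(hits["sequence_0"]) and all(hits[k] for k in ("sqlite3step", "sqlite3text", "sqlite3blob"))

class Section(NamedTuple):
    name: str
    rva: int
    vsize: int
    raw: int
    rawsize: int

# Assumed layout: one .text section at RVA 0x1000 backed by file offset 0x200 (FileAlignment
# 0x200). This reproduces the constant 0xE00 gap between the .raw.unpack and .unpack offsets.
SECTIONS = [Section(".text", 0x1000, 0x1C000, 0x200, 0x1C000)]

def rva_to_raw(rva: int, sections=SECTIONS) -> int:
    for s in sections:
        if s.rva <= rva < s.rva + s.vsize:
            return s.raw + (rva - s.rva)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def raw_to_rva(raw: int, sections=SECTIONS) -> int:
    for s in sections:
        if s.raw <= raw < s.raw + s.rawsize:
            return s.rva + (raw - s.raw)
    raise ValueError(f"file offset {raw:#x} is not inside any section")

def build_sample() -> bytes:
    """Constructed test image: zero-filled, with the patterns planted at the memory-layout
    offsets reported for dump 00000002.00000002.314505627.00000000008D0000."""
    img = bytearray(0x20000)
    plan = {"sequence_0": [0x98E8, 0x9B52], "sequence_5": [0xA56A],
            "sqlite3step": [0x183F9, 0x1850C], "sqlite3text": [0x18428, 0x1854D],
            "sqlite3blob": [0x1843B, 0x18563]}
    for name, offsets in plan.items():
        pat = parse_hex(SEQUENCES[name])
        for off in offsets:
            img[off:off + len(pat)] = pat
    return bytes(img)

if __name__ == "__main__":
    hits = scan(build_sample())
    for line in format_hits(hits):
        rva = int(line.split(":", 1)[0], 16)
        print(f"{line}   (file offset {rva_to_raw(rva):#x})")
    print("formbook-like:", looks_like_formbook(hits))
```

Run against a real region dump (for example the `.raw.unpack` artifact saved from this analysis) by passing its bytes to `scan`; the offsets it prints should line up with the table for that artifact, and `rva_to_raw` then tells you where the same bytes sit in the rebuilt `.unpack` file once the real section table is substituted.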

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 4940
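Added example, not part of the report: detection logic for the chain in the Process Tree section and for the Sigma hit above, run over constructed Sysmon-style process-creation events. Three signals are linked by PID: the dropper launching a second copy of itself (the hollowing target), explorer.exe starting a 32-bit system binary from SysWOW64 with no arguments (msdt.exe here, started by the injected explorer.exe), and that binary running `cmd.exe /c del` against the original sample path. Any one of these occurs in benign software (browsers self-spawn, installers delete themselves), so the verdict requires all three. explorer.exe had no creation event because it already existed and was injected into; its record is included only as a parent. The image path for cmd.exe, the parent of the first sample process and the benign comparison events are assumptions.

```python
"""Link process-creation events into the FormBook chain shown in the report's process tree:
self-spawn, explorer.exe -> SysWOW64 binary with no arguments, cmd.exe /c del of the dropper.
Added example; events are constructed from the report's tree, not exported from it."""
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]   # (kind, pid, detail)

# Constructed from the report's process tree (Sysmon Event ID 1 style). explorer.exe existed
# before the sample ran; the cmd.exe image path and the dropper's parent are assumptions.
EVENTS = [
    {"pid": 3472, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 5828, "ppid": 3472, "image": r"C:\Users\user\Desktop\5SXTKXCnqS.exe",
     "cmdline": r'"C:\Users\user\Desktop\5SXTKXCnqS.exe"'},
    {"pid": 4328, "ppid": 5828, "image": r"C:\Users\user\Desktop\5SXTKXCnqS.exe",
     "cmdline": r'"C:\Users\user\Desktop\5SXTKXCnqS.exe"'},
    {"pid": 4940, "ppid": 3472, "image": r"C:\Windows\SysWOW64\msdt.exe",
     "cmdline": r"C:\Windows\SysWOW64\msdt.exe"},
    {"pid": 1384, "ppid": 4940, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\Desktop\5SXTKXCnqS.exe"'},
    {"pid": 5388, "ppid": 1384, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Constructed benign events for comparison: explorer.exe opening a document in notepad.
BENIGN = [
    {"pid": 3472, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 7000, "ppid": 3472, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
]

DEL_RE = re.compile(r"""/c\s+del\s+["']?([^"']+?)["']?\s*$""", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def is_bare(ev: dict) -> bool:
    """Command line is nothing but the image path, i.e. the binary was started with no arguments."""
    return ev["cmdline"].strip().strip('"').lower() == ev["image"].lower()

def ancestors(pid: int, events: List[dict]) -> List[int]:
    """Parent chain of a PID, nearest first, as far as the trace allows."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur and cur["ppid"] in by_pid:
        cur = by_pid[cur["ppid"]]
        chain.append(cur["pid"])
    return chain

def analyze(events: List[dict]) -> List[Finding]:
    by_pid = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    # Pass 1: a binary outside C:\Windows launching a second copy of itself (hollowing target).
    dropper_images = set()
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == basename(e["image"]) \
                and not e["image"].lower().startswith("c:\\windows\\"):
            findings.append(("self_spawn", e["pid"], e["image"]))
            dropper_images.add(e["image"].lower())
    # Pass 2: explorer.exe starting a SysWOW64 system binary with no arguments, and any
    # cmd.exe deleting one of the self-spawning binaries found in pass 1.
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) == "explorer.exe" \
                and "\\syswow64\\" in e["image"].lower() and is_bare(e):
            findings.append(("explorer_to_wow64_lolbin", e["pid"], basename(e["image"])))
        if basename(e["image"]) == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            if m and m.group(1).lower() in dropper_images:
                findings.append(("self_delete", e["pid"], m.group(1)))
    return findings

def is_formbook_chain(findings: List[Finding]) -> bool:
    kinds = {kind for kind, _, _ in findings}
    return {"self_spawn", "explorer_to_wow64_lolbin", "self_delete"} <= kinds

if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f, "lineage:", ancestors(f[1], EVENTS))
    print("FormBook-like chain:", is_formbook_chain(found))
```

On a real Sysmon feed the self-spawn and the self-delete are tied together by the dropper path, so the rule keeps working when the injected explorer.exe picks a different system binary than msdt.exe.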

Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.updatesz.com/hlx/"], "decoy": ["firo.store", "unmeasured-grace.com", "burger-ff.com", "alcargomoversllc.com", "brianratkevich.com", "semugaralara01.net", "ngalvision.com", "texaslearningpods.com", "ontarioboatcharters.com", "kleinrugcleaning.com", "michaelvancebromfield.com", "habitameya.com", "elyoma.com", "worldtvepisode.com", "masatakahorie.com", "jumpinginfo.com", "hfjxhs.com", "bf-swiss.com", "rvingbus.com", "suxfi.com", "schoolcardtrades.com", "motion-airsoft.com", "123netflix.moe", "ic200mdl750.com", "silkensarees.com", "digitalmarketingtraining.xyz", "foypay.com", "eudoraacantik.com", "healthyandwealthie.com", "print-postcards-fast.com", "alpha-psych.com", "merthyrrock.com", "mss52.com", "cddcsw.com", "istanbulbisiklettamircisi.com", "ertugrulbey.net", "katarina-yoga.com", "findholmesinlaurelmaryland.com", "sabciu.net", "shipthuocnhanh24h.com", "veganonthegreens.com", "ailil-alvarez.com", "thefashionszone.com", "geminicomputerofficial.com", "terraveda.net", "ruhstorfer-gruppe.info", "suderstr.com", "yunjichem.com", "priyadubai.com", "sofierceboutique.com", "nealcurtiss.com", "mcgdinner.com", "steplife.info", "pwagih.com", "cpzgzcw.com", "wierzewzwierze.com", "asbestosconsultancyservices.com", "centerstageacademyaz.com", "skip1-dndasasd.com", "successteamrealty.com", "mijninboxe.com", "berkeleyrehab.com", "tfjxw.com", "mcluxuryrentals.com"]}
Multi AV Scanner detection for submitted file
Source: 5SXTKXCnqS.exe | Virustotal: Detection: 30%
Source: 5SXTKXCnqS.exe | ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 5SXTKXCnqS.exe | Joe Sandbox ML: detected
Source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.5SXTKXCnqS.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.msdt.exe.b552b0.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.5SXTKXCnqS.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.msdt.exe.509f834.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5SXTKXCnqS.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000003.00000000.288397745.0000000006FE0000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL | source: 5SXTKXCnqS.exe, 00000002.00000002.315714674.0000000002A80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 5SXTKXCnqS.exe, 00000000.00000003.236649402.0000000009AA0000.00000004.00000001.sdmp, 5SXTKXCnqS.exe, 00000002.00000003.237181560.0000000000660000.00000004.00000001.sdmp, msdt.exe, 0000000E.00000002.500150489.0000000004C8F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 5SXTKXCnqS.exe, msdt.exe
Source: Binary string: msdt.pdb | source: 5SXTKXCnqS.exe, 00000002.00000002.315714674.0000000002A80000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000003.00000000.288397745.0000000006FE0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,0_2_00405E61
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_0040548B
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | File opened: C:\Users\user\AppData\Local\Temp\wkxohdeyqvvyr
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | File opened: C:\Users\user\AppData\Local\Temp\02vqprgl0atfidc
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | File opened: C:\Users\user\AppData\Local\Temp\nsaC26D.tmp
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | File opened: C:\Users\user\Desktop\5SXTKXCnqS.exe
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 4x nop then pop edi 2_2_00417D6E
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop edi 14_2_00737D6E

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.updatesz.com/hlx/
Source: global traffic | HTTP traffic detected: GET /hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDqbiG+v&i0D=adKPlr HTTP/1.1 | Host: www.centerstageacademyaz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /hlx/?wVSH=1q0nvnuESuCKkKkbLudmlC1kRF8eq+dUTLEJwYL638OOvnGjESXIW61pqUjqlD08HWSv&i0D=adKPlr HTTP/1.1 | Host: www.updatesz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | IP Address: 184.168.131.241
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | ASN Name: SINGLEHOP-LLCUS
Source: unknown | DNS traffic detected: queries for: www.centerstageacademyaz.com
Source: msdt.exe, 0000000E.00000002.501612375.000000000558F000.00000004.00000001.sdmp | String found in binary or memory: http://centerstage.academy/hlx/?wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDq
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 5SXTKXCnqS.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 5SXTKXCnqS.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.265363781.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405042
Source: 5SXTKXCnqS.exe, 00000000.00000002.240155018.000000000077A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
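Added example, not part of the report, covering the extracted configuration in the Malware Configuration section and the two GET requests captured here. The capture shows why the decoy list matters for triage: the first beacon went to www.centerstageacademyaz.com, which is one of the 64 decoy domains in the configuration, and only the second went to the configured C2 www.updatesz.com. Both requests share one shape: GET to the configured path /hlx/, one long base64-looking parameter followed by one short token, Connection: close, and no User-Agent header (the signature "HTTP GET or POST without a user agent" in the signature list). The script parses the configuration (decoy list trimmed to a subset of the entries shown), classifies each request's host as C2, decoy or unknown, and tests the request shape. The shape test is a heuristic derived from these two requests and the third, benign request is constructed; neither comes from the report.

```python
"""Triage captured HTTP requests against an extracted FormBook configuration: real C2 host
versus decoy domain, plus the beacon shape seen in the capture.
Added example; the shape heuristic and the third request are constructed assumptions."""
import json
import re
from typing import Dict, List, Tuple

# Copied from the report's extracted configuration; the decoy list is a subset of the full one.
CONFIG_JSON = '''{"C2 list": ["www.updatesz.com/hlx/"],
 "decoy": ["firo.store", "unmeasured-grace.com", "burger-ff.com", "alcargomoversllc.com",
           "centerstageacademyaz.com", "skip1-dndasasd.com", "successteamrealty.com",
           "mijninboxe.com", "berkeleyrehab.com", "tfjxw.com", "mcluxuryrentals.com"]}'''

B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")   # long base64-like first parameter
C2_PATH = re.compile(r"^/[A-Za-z0-9]{2,6}/$")            # '/hlx/'-style path, generalised (assumption)

def norm_host(host: str) -> str:
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def load_config(text: str) -> Dict[str, object]:
    cfg = json.loads(text)
    c2: List[Tuple[str, str]] = []
    for entry in cfg["C2 list"]:                 # entries are 'host/path/'
        host, _, path = entry.partition("/")
        c2.append((norm_host(host), "/" + path))
    return {"c2": c2, "decoy": {norm_host(d) for d in cfg["decoy"]}}

def classify_host(host: str, cfg: Dict[str, object]) -> str:
    h = norm_host(host)
    if any(h == c2_host for c2_host, _ in cfg["c2"]):
        return "c2"
    return "decoy" if h in cfg["decoy"] else "unknown"

def split_query(query: str) -> List[Tuple[str, str]]:
    # Manual split: urllib's parse_qsl would turn '+' inside the base64 value into a space.
    return [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]

def beacon_shape(req: dict) -> bool:
    """Shape of the two captured requests: GET, short directory path, long base64-like value
    then a short token, no User-Agent, Connection: close."""
    hdrs = {k.lower(): v for k, v in req["headers"].items()}
    params = split_query(req["query"])
    return (req["method"] == "GET"
            and C2_PATH.match(req["path"]) is not None
            and len(params) == 2
            and B64_VALUE.match(params[0][1]) is not None
            and len(params[1][1]) <= 12
            and "user-agent" not in hdrs
            and hdrs.get("connection", "").lower() == "close")

def triage(req: dict, cfg: Dict[str, object]) -> Dict[str, object]:
    role, shape = classify_host(req["host"], cfg), beacon_shape(req)
    if shape and role == "c2":
        verdict = "c2_beacon"
    elif shape and role == "decoy":
        verdict = "decoy_beacon"          # real beacon, but the host is a cover domain
    elif shape:
        verdict = "beacon_unknown_host"   # same shape, host not in this configuration
    else:
        verdict = "benign"
    return {"host": req["host"], "role": role, "beacon_shape": shape,
            "path_in_config": req["path"] in {p for _, p in cfg["c2"]}, "verdict": verdict}

# The first two requests are copied from the capture above; the third is constructed and benign.
REQUESTS = [
    {"method": "GET", "host": "www.centerstageacademyaz.com", "path": "/hlx/",
     "query": "wVSH=B58lx/xaXAfqMrblDg0CPLD4IpEHx1MuvfXEetjmXTR5BJPCAvCKa/uMIPwGmDqbiG+v&i0D=adKPlr",
     "headers": {"Host": "www.centerstageacademyaz.com", "Connection": "close"}},
    {"method": "GET", "host": "www.updatesz.com", "path": "/hlx/",
     "query": "wVSH=1q0nvnuESuCKkKkbLudmlC1kRF8eq+dUTLEJwYL638OOvnGjESXIW61pqUjqlD08HWSv&i0D=adKPlr",
     "headers": {"Host": "www.updatesz.com", "Connection": "close"}},
    {"method": "GET", "host": "www.centerstageacademyaz.com", "path": "/index.html", "query": "",
     "headers": {"Host": "www.centerstageacademyaz.com", "User-Agent": "Mozilla/5.0", "Connection": "keep-alive"}},
]

def run(requests: List[dict] = REQUESTS, config_text: str = CONFIG_JSON) -> List[Dict[str, object]]:
    cfg = load_config(config_text)
    return [triage(r, cfg) for r in requests]

if __name__ == "__main__":
    for row in run():
        print(row)
```

A decoy domain is usually a legitimate site the operator never controlled, so block the C2 host and alert on the beacon shape, but do not put every decoy on a blocklist on the strength of this report alone.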

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00419D50 NtCreateFile
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00419E00 NtReadFile
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00419E80 NtClose
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00419F30 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00419D4C NtCreateFile
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00419DFD NtReadFile
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00419E7A NtClose
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00419F2B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F98F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F95D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F97A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009FB040 NtSuspendThread
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9A10 NtQuerySection
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009FA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009FAD30 NtSetContextThread
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9560 NtWriteFile
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F96D0 NtCreateKey
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9650 NtQueryValueKey
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009F9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD96D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BDB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BDAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9560 NtWriteFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BDA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BDA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BDA770 NtOpenThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BD9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00739D50 NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00739E00 NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00739E80 NtClose
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00739F30 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00739D4C NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00739DFD NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00739E7A NtClose
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00739F2B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 0_2_0040323C EntryPoint, #17, SetErrorMode, OleInitialize, SHGetFileInfoA, GetCommandLineA, GetModuleHandleA, CharNextA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcmpiA, CreateDirectoryA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, ExitWindowsEx, ExitProcess
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 0_2_00404853
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 0_2_00406131
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 0_2_73CA1A98
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_0041D82F
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_0041D1F9
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_0041D442
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_0041DDD3
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00402D87
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00409E2B
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00409E30
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_0041DFE7
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00A820A8
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009CB090
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009E20A0
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00A71002
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009BF900
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009D4120
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00A822AE
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009EEBB0
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00A7DBD2
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00A82B28
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009C841F
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009E2581
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009CD5E0
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00A82D07
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009B0D20
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00A81D55
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00A82EF7
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_009D6E30
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 2_2_00A81FF1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BAB090
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BA841F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04C51002
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BC2581
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BAD5E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04C61D55
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04B90D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BB4120
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04B9F900
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BB6E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_04BCEBB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0073D1F9
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00722D90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00722D87
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00729E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00729E2B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_0073DFE7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 14_2_00722FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 04B9B150 appears 32 times
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: String function: 009BB150 appears 35 times
          Source: 5SXTKXCnqS.exe, 00000000.00000003.236258126.0000000009BBF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 5SXTKXCnqS.exe
          Source: 5SXTKXCnqS.exe, 00000002.00000002.315714674.0000000002A80000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs 5SXTKXCnqS.exe
          Source: 5SXTKXCnqS.exe, 00000002.00000002.315316837.0000000000C3F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 5SXTKXCnqS.exe
          Source: 5SXTKXCnqS.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.314505627.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.496732172.0000000000720000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.237002642.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.499467789.00000000047C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.314179672.00000000008A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.313248208.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.499102168.0000000004680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.240364615.0000000002170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.5SXTKXCnqS.exe.2170000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.5SXTKXCnqS.exe.2170000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.5SXTKXCnqS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.5SXTKXCnqS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/4@2/2
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 0_2_00404356 GetDlgItem, SetWindowTextA, SHBrowseForFolderA, CoTaskMemFree, lstrcmpiA, lstrcatA, SetDlgItemTextA, GetDiskFreeSpaceA, MulDiv, SetDlgItemTextA
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | Code function: 0_2_00402020 CoCreateInstance, MultiByteToWideChar
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
          Source: C:\Users\user\Desktop\5SXTKXCnqS.exe | File created: C:\Users\user\AppData\Local\Temp\nsaC26C.tmp
          Source: 5SXTKXCnqS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ