Analysis Report GiG35Rwmz6

Overview

General Information

Sample Name: GiG35Rwmz6 (renamed file extension from none to exe)
Analysis ID: 432733
MD5: b0901d0a6b90e6b371ba80e2c31ade52
SHA1: 2f175d971e4d6f4938083a78de9be10eb6ba0e05
SHA256: 08da4e7de40f2eec9cd1670e3db354d49d3101fd9ace7aaa5f99b235d2ce46ff
Tags: exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • GiG35Rwmz6.exe (PID: 6564 cmdline: 'C:\Users\user\Desktop\GiG35Rwmz6.exe' MD5: B0901D0A6B90E6B371BA80E2C31ADE52)
    • GiG35Rwmz6.exe (PID: 6784 cmdline: C:\Users\user\Desktop\GiG35Rwmz6.exe MD5: B0901D0A6B90E6B371BA80E2C31ADE52)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 6044 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 4564 cmdline: /c del 'C:\Users\user\Desktop\GiG35Rwmz6.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.studiooculto.com/n8ud/"], "decoy": ["certification-plus.com", "linkedoutbook.com", "bethesdalashes.com", "blazingthenet.com", "lohmanphotogallery.com", "solidlinks.info", "alvingohproperty.com", "hometheaterplanning.com", "beoke.com", "ddthi.com", "floridamotorcyclemasons.net", "stither.com", "majorhumanities.com", "palpaynaira.com", "webossgoo.com", "thebrck.com", "crackhook.com", "363dahlia.com", "mybusiness-plus.com", "seatachawaiianbarbecue.com", "uoekiqliea.net", "zyslz.com", "frightvision.online", "gordonenergysolutions.com", "matthewcoyte.com", "hackingnews.info", "royallondonhair.com", "thegioirc.com", "856380588.xyz", "popitara.com", "luisxe.info", "cbdthc.domains", "869bernardilane.com", "airikit.com", "centraldomusmatera.com", "onlinecreditnow.com", "ilamaths.com", "janeharriganhorn.com", "fullapologies.com", "xpfisioterapia.com", "spring-boot.com", "wrighttransportllc.com", "nemahealthcare.com", "taxikuka.com", "promoterss.com", "kirklandtroll.com", "aviationbrothers.com", "fylldagenebergen.com", "vycocover.com", "cookingsecret.net", "intentguild.com", "athenalim.com", "nothingoingapart.info", "neurosene.com", "doctorelizabethwise.com", "lalamasks.cloud", "livemaharashtra24.com", "catrinettealyssandre.com", "wovkreations.com", "piapiadine.com", "uebfaushb.com", "curlupanddyesc.com", "seniorbenefits.support", "didyouswipe.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18419:$sqlite3step: 68 34 1C 7B E1
    • 0x1852c:$sqlite3step: 68 34 1C 7B E1
    • 0x18448:$sqlite3text: 68 38 2A 90 C5
    • 0x1856d:$sqlite3text: 68 38 2A 90 C5
    • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
4.0.GiG35Rwmz6.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.GiG35Rwmz6.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.GiG35Rwmz6.exe.400000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18419:$sqlite3step: 68 34 1C 7B E1
        • 0x1852c:$sqlite3step: 68 34 1C 7B E1
        • 0x18448:$sqlite3text: 68 38 2A 90 C5
        • 0x1856d:$sqlite3text: 68 38 2A 90 C5
        • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
4.2.GiG35Rwmz6.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.GiG35Rwmz6.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: GiG35Rwmz6.exe | Avira: detected
Found malware configuration
Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: GiG35Rwmz6.exe | Virustotal: Detection: 40%
Source: GiG35Rwmz6.exe | ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: GiG35Rwmz6.exe | Joe Sandbox ML: detected
Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Unpacked PE file: 0.2.GiG35Rwmz6.exe.3c0000.0.unpack
Source: GiG35Rwmz6.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: GiG35Rwmz6.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.692755022.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp, help.exe, 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp, help.exe
Source: Binary string: help.pdbGCTL | source: GiG35Rwmz6.exe, 00000004.00000002.729233616.0000000000F60000.00000040.00000001.sdmp
Source: Binary string: help.pdb | source: GiG35Rwmz6.exe, 00000004.00000002.729233616.0000000000F60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.692755022.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 4x nop then pop ebx | 4_2_00407B0A
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop ebx | 9_2_02417B0A

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.studiooculto.com/n8ud/
Source: global traffic | HTTP traffic detected: GET /n8ud/?vPE=5jrT8R0&hL=WvvELDNeXjXNSBNWuUY8Zfoe6Ppc+GsA8iptXd2KegdndXiZdpjCN7GBAWkC1K0OIvRU HTTP/1.1 | Host: www.intentguild.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /n8ud/?hL=xx0OFN/A1LQZVCJMLzEbxnX8OnCdv1d2voKBm1sodMz7PL+00tIAVi4krCco92VzLf77&vPE=5jrT8R0 HTTP/1.1 | Host: www.didyouswipe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: IOFLOODUS
Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: unknown | DNS traffic detected: queries for: www.intentguild.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Thu, 10 Jun 2021 15:55:40 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.680176172.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.700601857.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE

System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\GiG35Rwmz6.exeCode function: 4_2_0041A060 NtClose,4_2_0041A060
          Source: C:\Users\user\Desktop\GiG35Rwmz6.exeCode function: 4_2_0041A110 NtAllocateVirtualMemory,4_2_0041A110
          Source: C:\Users\user\Desktop\GiG35Rwmz6.exeCode function: 4_2_00419F30 NtCreateFile,4_2_00419F30
          Source: C:\Users\user\Desktop\GiG35Rwmz6.exeCode function: 4_2_00419FE0 NtReadFile,4_2_00419FE0
          Source: C:\Users\user\Desktop\GiG35Rwmz6.exeCode function: 4_2_0041A05A NtClose,4_2_0041A05A
          Source: C:\Users\user\Desktop\GiG35Rwmz6.exeCode function: 4_2_0041A10A NtAllocateVirtualMemory,4_2_0041A10A
          Source: C:\Windows\SysWOW64\help.exeCode function: 9_2_02AC96E0 NtFreeVirtualMemory,LdrInitializeThunk,9_2_02AC96E0
          Source: C:\Windows\SysWOW64\help.exeCode function: 9_2_02AC96D0 NtCreateKey,LdrInitializeThunk,9_2_02AC96D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 9_2_02AC9660 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_02AC9660
          Source: C:\Windows\SysWOW64\help.exeCode function: 9_2_02AC9650 NtQueryValueKey,LdrInitializeThunk,9_2_02AC9650
          Source: C:\Windows\SysWOW64\help.exeCode function: 9_2_02AC9A50 NtCreateFile,LdrInitializeThunk,9_2_02AC9A50
          Source: C:\Windows\SysWOW64\help.exeCode function: 9_2_02AC9780 NtMapViewOfSection,LdrInitializeThunk,9_2_02AC9780
          Source: C:\Windows\SysWOW64\help.exeCode function: 9_2_02AC9FE0 NtCreateMutant,LdrInitializeThunk,9_2_02AC9FE0
          Source: C:\Windows\SysWOW64\help.exeCode function: 9_2_02AC9710 NtQueryInformationToken,LdrInitializeThunk,9_2_02AC9710
          Source: C:\Windows\SysWOW64\help.exeCode function: 9_2_02AC9860 NtQuerySystemInformation,LdrInitializeThunk,9_2_02AC9860
          Source: C:\Windows\SysWOW64\help.exeCode function: 9_2_02AC9840 NtDelayExecution,LdrInitializeThunk,9_2_02AC9840
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9A20 NtResumeThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9A10 NtQuerySection
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02ACA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02ACA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9760 NtOpenProcess
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02ACA770 NtOpenThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02ACB040 NtSuspendThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02ACAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9560 NtWriteFile
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02AC9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_0242A060 NtClose
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_0242A110 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02429F30 NtCreateFile
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_02429FE0 NtReadFile
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_0242A05A NtClose
Source: C:\Windows\SysWOW64\help.exe | Code function: 9_2_0242A10A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code functions (process 0):
  0_2_00C82160, 0_2_00C81790, 0_2_00C8E7B8, 0_2_00C85770, 0_2_00C80FF0, 0_2_00C850F8, 0_2_00C82151, 0_2_00C85108,
  0_2_00C85301, 0_2_00C85310, 0_2_00C80480, 0_2_00C80479, 0_2_00C85548, 0_2_00C85558, 0_2_00C81781, 0_2_00C85760,
  0_2_00C84A69, 0_2_00C84A78, 0_2_00C84D69, 0_2_00C83E80, 0_2_00C83E71, 0_2_00C80F48,
  0_2_09F309A0, 0_2_09F3D288, 0_2_09F39E14, 0_2_09F30990, 0_2_09F39850, 0_2_09F35858, 0_2_09F39840, 0_2_09F35849,
  0_2_09F30012, 0_2_09F373C0, 0_2_09F373BD, 0_2_09F35BA3, 0_2_09F34BA2, 0_2_09F30398, 0_2_09F30389, 0_2_09F35358,
  0_2_09F35348, 0_2_09F35AF7, 0_2_09F35AF8, 0_2_09F34AC0, 0_2_09F34ABF, 0_2_09F30580, 0_2_09F37584, 0_2_09F30571,
  0_2_09F36D61, 0_2_09F36D68, 0_2_09F31497, 0_2_09F31498, 0_2_09F39C57, 0_2_09F39C58, 0_2_09F35C31, 0_2_09F307C0,
  0_2_09F307B0, 0_2_09F33720, 0_2_09F39E83, 0_2_09F39E65
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code functions (process 4):
  4_2_00401030, 4_2_0041E1CF, 4_2_0041D23B, 4_2_00402D87, 4_2_00402D90, 4_2_00409E40, 4_2_0041D6CF, 4_2_00402FB0,
  4_2_0041BFB6
Source: C:\Windows\SysWOW64\help.exe | Code functions (process 9):
  9_2_02AA6E30, 9_2_02ABEBB0, 9_2_02A9B090, 9_2_02B41002, 9_2_02A9841F, 9_2_02AB2581, 9_2_02A9D5E0, 9_2_02A80D20,
  9_2_02AA4120, 9_2_02A8F900, 9_2_02B51D55,
  9_2_0242D23B, 9_2_0242E1CF, 9_2_02419E40, 9_2_02412FB0, 9_2_0242BFB6, 9_2_02412D87, 9_2_02412D90
Source: C:\Windows\SysWOW64\help.exe | Code function: String function: 02A8B150 appears 32 times
Source: GiG35Rwmz6.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: GiG35Rwmz6.exe | Binary or memory string: OriginalFilename vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000000.00000002.679951755.0000000007EB0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000000.00000000.661313043.00000000004A2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDispatch.exeH vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000004.00000002.729162060.0000000000B56000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameHelp.Exej% vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe, 00000004.00000000.671606108.0000000000512000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIDispatch.exeH vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe | Binary or memory string: OriginalFilenameIDispatch.exeH vs GiG35Rwmz6.exe
Source: GiG35Rwmz6.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Matched Yara rules (both rules matched every source listed below):
  Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
  Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.925821980.0000000002410000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.729070321.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.728648868.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.729033636.0000000000AD0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.676742229.00000000040C9000.00000004.00000001.sdmp, type: MEMORY
Source: 00000009.00000002.925566371.00000000000D0000.00000004.00000001.sdmp, type: MEMORY
Source: 00000004.00000000.671897283.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 4.0.GiG35Rwmz6.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: 4.2.GiG35Rwmz6.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 4.0.GiG35Rwmz6.exe.400000.1.unpack, type: UNPACKEDPE
Source: 4.2.GiG35Rwmz6.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.2.GiG35Rwmz6.exe.40c9950.2.raw.unpack, type: UNPACKEDPE
Source: GiG35Rwmz6.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@4/2
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GiG35Rwmz6.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_01
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: GiG35Rwmz6.exe, 00000000.00000002.676146629.00000000028C1000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: GiG35Rwmz6.exe | Virustotal: Detection: 40%
Source: GiG35Rwmz6.exe | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Users\user\Desktop\GiG35Rwmz6.exe 'C:\Users\user\Desktop\GiG35Rwmz6.exe'
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Process created: C:\Users\user\Desktop\GiG35Rwmz6.exe C:\Users\user\Desktop\GiG35Rwmz6.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\GiG35Rwmz6.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
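The process list above records the hand-off this report attributes to FormBook: the sample's payload runs inside explorer.exe, which launches a 32-bit system binary (C:\Windows\SysWOW64\help.exe) with a bare command line, and that proxy then runs cmd.exe /c del against the original sample on the Desktop. The following Python is an added detection example, not part of the Joe Sandbox report: it walks constructed Sysmon-style process-creation events (the field names, PIDs and the two benign control events are assumptions, modelled on the process list in this report) and flags a cmd.exe /c del whose parent is a SysWOW64 binary started with no arguments by explorer.exe, corroborating the hit when the deleted path is the image of another process in the same trace.

```python
import re
from typing import Dict, List

# Constructed process-creation events in the shape of Sysmon Event ID 1
# (pid, ppid, image, cmdline). Modelled on this report's process list;
# the PIDs and the two benign control events at the end are assumptions.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 3344, "ppid": 3000, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 5012, "ppid": 3344, "image": r"C:\Users\user\Desktop\GiG35Rwmz6.exe",
     "cmdline": r"'C:\Users\user\Desktop\GiG35Rwmz6.exe'"},
    {"pid": 5100, "ppid": 5012, "image": r"C:\Users\user\Desktop\GiG35Rwmz6.exe",
     "cmdline": r"C:\Users\user\Desktop\GiG35Rwmz6.exe"},
    # the injected explorer.exe starts a 32-bit system binary as a proxy
    {"pid": 5300, "ppid": 3344, "image": r"C:\Windows\SysWOW64\help.exe",
     "cmdline": r"C:\Windows\SysWOW64\help.exe"},
    {"pid": 5400, "ppid": 5300, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\GiG35Rwmz6.exe'"},
    {"pid": 5500, "ppid": 5400, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # benign controls: a user deleting a file from an explorer-spawned cmd,
    # and a SysWOW64 binary launched with arguments
    {"pid": 6000, "ppid": 3344, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c del C:\Users\user\Desktop\notes.txt"},
    {"pid": 6100, "ppid": 3344, "image": r"C:\Windows\SysWOW64\notepad.exe",
     "cmdline": r"C:\Windows\SysWOW64\notepad.exe C:\Users\user\todo.txt"},
]

SYSWOW64_PREFIX = "c:\\windows\\syswow64\\"
# cmd.exe /c del <path>, with the path optionally wrapped in quotes
DEL_RE = re.compile(r"/c\s+del\s+['\"]?(?P<path>[^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _bare_launch(ev: Dict) -> bool:
    """True when the command line is nothing but the image path: no arguments,
    which is how the injected explorer.exe starts its proxy in this report."""
    return ev["cmdline"].strip().strip("'\"").lower() == ev["image"].lower()


def find_proxy_self_delete(events: List[Dict]) -> List[Dict]:
    """Flag explorer.exe -> bare SysWOW64 binary -> cmd.exe /c del <file>.

    Each finding records the cmd.exe pid, the proxy image, the deleted path and
    whether that path is the image of a process seen elsewhere in the trace
    (the sample deleting itself through a proxy)."""
    by_pid = {ev["pid"]: ev for ev in events}
    images_seen = {ev["image"].lower() for ev in events}
    findings = []
    for ev in events:
        if _basename(ev["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(ev["cmdline"])
        if not m:
            continue
        proxy = by_pid.get(ev["ppid"])
        if proxy is None or not proxy["image"].lower().startswith(SYSWOW64_PREFIX):
            continue
        if not _bare_launch(proxy):
            continue
        launcher = by_pid.get(proxy["ppid"])
        if launcher is None or _basename(launcher["image"]) != "explorer.exe":
            continue
        target = m.group("path").strip()
        findings.append({
            "cmd_pid": ev["pid"],
            "proxy": proxy["image"],
            "deleted": target,
            "deletes_seen_image": target.lower() in images_seen,
        })
    return findings


if __name__ == "__main__":
    for hit in find_proxy_self_delete(SAMPLE_EVENTS):
        print(hit)
```

The parent-chain check is what keeps the rule quiet on a user typing `del` in a shell they opened from Explorer; the self-delete corroboration is worth keeping as a separate field so the hit can be scored higher when it is true.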
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: GiG35Rwmz6.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: GiG35Rwmz6.exe | Static file information: File size 1116672 > 1048576
Source: GiG35Rwmz6.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.692755022.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp, help.exe, 00000009.00000002.926396887.0000000002B7F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: GiG35Rwmz6.exe, 00000004.00000002.729465784.000000000108F000.00000040.00000001.sdmp, help.exe
          Source: Binary string: help.pdbGCTL source: GiG35Rwmz6.exe, 00000004.00000002.729233616.0000000000F60000.00000040.00000001.sdmp
          Source: Binary string: help.pdb source: GiG35Rwmz6.exe, 00000004.00000002.729233616.0000000000F60000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.692755022.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Unpacked PE file: 0.2.GiG35Rwmz6.exe.3c0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Unpacked PE file: 0.2.GiG35Rwmz6.exe.3c0000.0.unpack
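The two unpacking signatures above compare the sample's on-disk section table (.text:ER; .rsrc:R; .reloc:R) with the table recovered from memory, where the section names are gone (Unknown_Section0..2). The following pure-Python script is an added example, not code from this report or from Joe Sandbox: it builds two constructed minimal PE32 headers (the section sizes, addresses and the write flag added to the dumped code section are assumptions chosen to show a rights change, not values observed for this sample), parses their IMAGE_SECTION_HEADER characteristics into the report's E/R/W notation, and reports renamed sections, changed rights and any section that is both executable and writable.

```python
import struct
from typing import List, Tuple

# IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF specification)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics: 40 bytes
SECTION_HEADER = "<8sIIIIIIHHI"


def build_pe(sections: List[Tuple[str, int, int, int]]) -> bytes:
    """Build a minimal PE32 header: DOS header, PE signature, COFF header,
    zeroed optional header and the section table. Constructed for this
    example; there is no code or data behind the headers."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode("ascii").ljust(8, b"\0"),
                    vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def rights(chars: int) -> str:
    """E/R/W string for a section's memory flags, as the report prints them."""
    out = ""
    if chars & IMAGE_SCN_MEM_EXECUTE:
        out += "E"
    if chars & IMAGE_SCN_MEM_READ:
        out += "R"
    if chars & IMAGE_SCN_MEM_WRITE:
        out += "W"
    return out


def parse_sections(pe: bytes) -> List[Tuple[str, str]]:
    """Return [(name, rights)] from the section table; a nameless section gets
    the report's Unknown_SectionN placeholder."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    result = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, pe, table + 40 * i)
        name = fields[0].rstrip(b"\0").decode("latin-1") or f"Unknown_Section{i}"
        result.append((name, rights(fields[-1])))
    return result


def diff_section_rights(on_disk: bytes, in_memory: bytes) -> List[str]:
    """Describe every section whose name or rights differ between two images."""
    a, b = parse_sections(on_disk), parse_sections(in_memory)
    findings = [f"section {i}: {n1}:{r1} -> {n2}:{r2}"
                for i, ((n1, r1), (n2, r2)) in enumerate(zip(a, b))
                if (n1, r1) != (n2, r2)]
    if len(a) != len(b):
        findings.append(f"section count {len(a)} -> {len(b)}")
    return findings


def writable_code_sections(pe: bytes) -> List[str]:
    """Sections that are both executable and writable, a common unpacker tell."""
    return [name for name, r in parse_sections(pe) if "E" in r and "W" in r]


# Constructed images: the on-disk layout mirrors the report (.text:ER;
# .rsrc:R; .reloc:R); the dumped one has lost its names and gained write on
# the code section. Sizes, addresses and the added write flag are assumptions.
ON_DISK = build_pe([
    (".text", 0x9000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rsrc", 0x0600, 0xC000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".reloc", 0x000C, 0xE000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])
DUMPED = build_pe([
    ("", 0x9000, 0x2000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("", 0x0600, 0xC000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ("", 0x000C, 0xE000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for line in diff_section_rights(ON_DISK, DUMPED):
        print(line)
    print("writable code sections in dump:", writable_code_sections(DUMPED))
```

Against a real dump, feed `parse_sections` the bytes of the original file and of the memory region the sandbox unpacked; the header walk only needs the first few kilobytes, so a truncated read of each image is enough.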
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 0_2_003C5097 push ss; retf 0_2_003C50A0
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 0_2_003C4AEA push ebx; retf 0_2_003C4B11
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 0_2_00C8069A push FFFFFFBAh; retf 0_2_00C8069C
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 0_2_00C82DCF push ecx; retf 0_2_00C82DD1
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 0_2_00C82DD9 push ecx; retf 0_2_00C82DDB
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 0_2_09F3523A pushfd ; ret 0_2_09F35245
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 4_2_0041E041 pushfd ; iretd 4_2_0041E051
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 4_2_004170CB push edi; ret 4_2_004170CC
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 4_2_0041D0D2 push eax; ret 4_2_0041D0D8
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 4_2_0041D0DB push eax; ret 4_2_0041D142
Source: C:\Users\user\Desktop\GiG35Rwmz6.exe | Code function: 4_2_0041D085 push eax; ret <