
Analysis Report lTAPQJikGw

Overview

General Information

Sample Name: lTAPQJikGw (renamed file extension from none to exe)
Analysis ID: 432746
MD5: 16657fa097cd334973a5489eeff8bafe
SHA1: b6db5e9cc112155b7285f0a415cf4889ff1bf7ef
SHA256: 2589143d02f6aef252b5b704f6b98723ae131d3279bcf36d57ee26318bc0741f
Tags: exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • lTAPQJikGw.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\lTAPQJikGw.exe' MD5: 16657FA097CD334973A5489EEFF8BAFE)
    • lTAPQJikGw.exe (PID: 6192 cmdline: C:\Users\user\Desktop\lTAPQJikGw.exe MD5: 16657FA097CD334973A5489EEFF8BAFE)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • control.exe (PID: 6848 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
        • cmd.exe (PID: 6952 cmdline: /c del 'C:\Users\user\Desktop\lTAPQJikGw.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
2.0.lTAPQJikGw.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.0.lTAPQJikGw.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.0.lTAPQJikGw.exe.400000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
2.0.lTAPQJikGw.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.0.lTAPQJikGw.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.cmannouncements.com/p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHS | Avira URL Cloud: Label: malware
Source: http://www.balloon-artists.com/p2io/?CFQHg=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d78EfQIVSnp&Pr980v=G2MtWNVHS | Avira URL Cloud: Label: malware
Source: http://www.boogerstv.com/p2io/?CFQHg=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM&Pr980v=G2MtWNVHS | Avira URL Cloud: Label: malware
Source: http://www.dreamcashbuyers.com/p2io/?CFQHg=H0m9fF/5FM7UqIICC4653EpAABAppk+gPAvqYefbAICNl1a1FFJvvx6E9HTJL6Hcfv3l&Pr980v=G2MtWNVHS | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}
Multi AV Scanner detection for submitted file
Source: lTAPQJikGw.exe | Virustotal: Detection: 44%
Source: lTAPQJikGw.exe | ReversingLabs: Detection: 43%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: lTAPQJikGw.exe | Joe Sandbox ML: detected
Source: 2.0.lTAPQJikGw.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.lTAPQJikGw.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: lTAPQJikGw.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: lTAPQJikGw.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.697776172.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\xxwqcHkmba\src\obj\Debug\CryptoConfig.pdb source: lTAPQJikGw.exe
Source: Binary string: control.pdb source: lTAPQJikGw.exe, 00000002.00000002.730162331.0000000001970000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: lTAPQJikGw.exe, 00000002.00000002.729531949.00000000015CF000.00000040.00000001.sdmp, control.exe, 00000007.00000002.917101037.0000000004B60000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: lTAPQJikGw.exe, control.exe
Source: Binary string: control.pdbUGP source: lTAPQJikGw.exe, 00000002.00000002.730162331.0000000001970000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.697776172.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\lTAPQJikGw.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_01870448
Source: C:\Users\user\Desktop\lTAPQJikGw.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_01870751
Source: C:\Users\user\Desktop\lTAPQJikGw.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_01870760
Source: C:\Users\user\Desktop\lTAPQJikGw.exe | Code function: 4x nop then pop edi | 2_2_00416282
Source: C:\Users\user\Desktop\lTAPQJikGw.exe | Code function: 4x nop then pop ebx | 2_2_00406A94
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop ebx | 7_2_00936A95
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi | 7_2_00946282

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 74.220.199.8:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 74.220.199.8:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 74.220.199.8:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 199.195.117.147:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 199.195.117.147:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 199.195.117.147:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 104.21.15.16:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 104.21.15.16:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 104.21.15.16:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.adultpeace.com/p2io/
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=/DMwn9vTy70wY8Gt9syYwdBt6sFcRXVvValBDdDX8KtazsYeLKsYeQz2+d78EfQIVSnp&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.balloon-artists.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=4oufm6g5t6Bqg3y0mDBWoA8I6Q2bNaX51tGc9mj7mZf0wZ/j7IpC3Y+it5NkyKMHKzCR&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.adultpeace.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.cmannouncements.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=wzEdtbrCY4VKdG4P/h093gtD2EzP1yO8zPZJPXBkhd23ZEiSfiVlmlbiUjAoERCVF5eV&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.cmannouncements.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=Z8FkwwkqwMcbR63JqM/eMJCTIQtJD+6S4GLVkEvBdcKRRdmUAPmyd56itTHHstyDZ3vx&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.leonardocarrillo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=H0m9fF/5FM7UqIICC4653EpAABAppk+gPAvqYefbAICNl1a1FFJvvx6E9HTJL6Hcfv3l&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.dreamcashbuyers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=0YkKA47wwnQsSd2I7kPMKR9IRaKfA7HvmAjNs5nkCsbL4/Nj4Thso/t2FfIp2mnBj9Pa&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.swayam-moj.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=DTtQlm+bkwamRHt6VrobrkMYYvpq+NlfspH3ROyN3o99G08d4+CoiJMc5PUrO1w4I+TP&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.hfjxhs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=lrOqxb+RJFhwpubsYZ1tkMjkgx31NOkXgmE0j6vPa760pj23uu3lC+ndsaG2+azAf30S&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.defenestration.world | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.boogerstv.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=TySV6YYzJGXnavbEwOCoDLKT5SC+Z4HfI/S6WoKTLKp4rrhaLWxPw3pQ7MooJpxvMOcw&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.totally-seo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /p2io/?CFQHg=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&Pr980v=G2MtWNVHS HTTP/1.1 | Host: www.cleanxcare.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 147.255.162.204
Source: Joe Sandbox View | IP Address: 198.185.159.144
Source: Joe Sandbox View | ASN Name: LEASEWEB-USA-SFO-12US
Source: unknown | DNS traffic detected: queries for: www.balloon-artists.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 10 Jun 2021 16:08:23 GMT | Server: Apache/2.4.48 (cPanel) OpenSSL/1.1.1k mod_bwlimited/1.4 | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: lTAPQJikGw.exe, 00000000.00000002.657793972.0000000003341000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000000.688234599.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.678260797.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: control.exe, 00000007.00000002.917583197.0000000005212000.00000004.00000001.sdmp | String found in binary or memory: https://www.cleanxcare.com/p2io/?CFQHg=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_004181B0 NtCreateFile,2_2_004181B0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00418260 NtReadFile,2_2_00418260
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_004182E0 NtClose,2_2_004182E0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00418390 NtAllocateVirtualMemory,2_2_00418390
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_004182AC NtReadFile,2_2_004182AC
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041838B NtAllocateVirtualMemory,2_2_0041838B
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_01519910
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015199A0 NtCreateSection,LdrInitializeThunk,2_2_015199A0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519840 NtDelayExecution,LdrInitializeThunk,2_2_01519840
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519860 NtQuerySystemInformation,LdrInitializeThunk,2_2_01519860
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015198F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_015198F0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519A50 NtCreateFile,LdrInitializeThunk,2_2_01519A50
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_01519A00
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519A20 NtResumeThread,LdrInitializeThunk,2_2_01519A20
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519540 NtReadFile,LdrInitializeThunk,2_2_01519540
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015195D0 NtClose,LdrInitializeThunk,2_2_015195D0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519710 NtQueryInformationToken,LdrInitializeThunk,2_2_01519710
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519FE0 NtCreateMutant,LdrInitializeThunk,2_2_01519FE0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519780 NtMapViewOfSection,LdrInitializeThunk,2_2_01519780
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015197A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_015197A0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_01519660
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015196E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_015196E0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519950 NtQueueApcThread,2_2_01519950
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015199D0 NtCreateProcessEx,2_2_015199D0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0151B040 NtSuspendThread,2_2_0151B040
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519820 NtEnumerateKey,2_2_01519820
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015198A0 NtWriteVirtualMemory,2_2_015198A0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519B00 NtSetValueKey,2_2_01519B00
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0151A3B0 NtGetContextThread,2_2_0151A3B0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519A10 NtQuerySection,2_2_01519A10
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519A80 NtOpenDirectoryObject,2_2_01519A80
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519560 NtWriteFile,2_2_01519560
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0151AD30 NtSetContextThread,2_2_0151AD30
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519520 NtWaitForSingleObject,2_2_01519520
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015195F0 NtQueryInformationFile,2_2_015195F0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0151A770 NtOpenThread,2_2_0151A770
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519770 NtSetInformationFile,2_2_01519770
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519760 NtOpenProcess,2_2_01519760
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0151A710 NtOpenProcessToken,2_2_0151A710
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519730 NtQueryVirtualMemory,2_2_01519730
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519650 NtQueryValueKey,2_2_01519650
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519670 NtQueryInformationProcess,2_2_01519670
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_01519610 NtEnumerateValueKey,2_2_01519610
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015196D0 NtCreateKey,2_2_015196D0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9860 NtQuerySystemInformation,LdrInitializeThunk,7_2_04BC9860
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9840 NtDelayExecution,LdrInitializeThunk,7_2_04BC9840
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC99A0 NtCreateSection,LdrInitializeThunk,7_2_04BC99A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC95D0 NtClose,LdrInitializeThunk,7_2_04BC95D0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_04BC9910
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9540 NtReadFile,LdrInitializeThunk,7_2_04BC9540
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC96E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_04BC96E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC96D0 NtCreateKey,LdrInitializeThunk,7_2_04BC96D0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9660 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_04BC9660
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9A50 NtCreateFile,LdrInitializeThunk,7_2_04BC9A50
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9650 NtQueryValueKey,LdrInitializeThunk,7_2_04BC9650
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9780 NtMapViewOfSection,LdrInitializeThunk,7_2_04BC9780
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9FE0 NtCreateMutant,LdrInitializeThunk,7_2_04BC9FE0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9710 NtQueryInformationToken,LdrInitializeThunk,7_2_04BC9710
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC98A0 NtWriteVirtualMemory,7_2_04BC98A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC98F0 NtReadVirtualMemory,7_2_04BC98F0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9820 NtEnumerateKey,7_2_04BC9820
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BCB040 NtSuspendThread,7_2_04BCB040
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC95F0 NtQueryInformationFile,7_2_04BC95F0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC99D0 NtCreateProcessEx,7_2_04BC99D0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BCAD30 NtSetContextThread,7_2_04BCAD30
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9520 NtWaitForSingleObject,7_2_04BC9520
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9560 NtWriteFile,7_2_04BC9560
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9950 NtQueueApcThread,7_2_04BC9950
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9A80 NtOpenDirectoryObject,7_2_04BC9A80
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9A20 NtResumeThread,7_2_04BC9A20
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9610 NtEnumerateValueKey,7_2_04BC9610
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9A10 NtQuerySection,7_2_04BC9A10
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9A00 NtProtectVirtualMemory,7_2_04BC9A00
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9670 NtQueryInformationProcess,7_2_04BC9670
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BCA3B0 NtGetContextThread,7_2_04BCA3B0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC97A0 NtUnmapViewOfSection,7_2_04BC97A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9730 NtQueryVirtualMemory,7_2_04BC9730
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BCA710 NtOpenProcessToken,7_2_04BCA710
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9B00 NtSetValueKey,7_2_04BC9B00
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9770 NtSetInformationFile,7_2_04BC9770
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BCA770 NtOpenThread,7_2_04BCA770
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BC9760 NtOpenProcess,7_2_04BC9760
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_009481B0 NtCreateFile,7_2_009481B0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_009482E0 NtClose,7_2_009482E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00948260 NtReadFile,7_2_00948260
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00948390 NtAllocateVirtualMemory,7_2_00948390
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_009482AC NtReadFile,7_2_009482AC
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094838B NtAllocateVirtualMemory,7_2_0094838B
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_00ECB7D50_2_00ECB7D5
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_01870D800_2_01870D80
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_01B3B2640_2_01B3B264
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_01B3DF500_2_01B3DF50
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_01B3C2B00_2_01B3C2B0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_01B399900_2_01B39990
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_0581D0C00_2_0581D0C0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_058121600_2_05812160
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_058121700_2_05812170
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_0581D0B00_2_0581D0B0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_058123B10_2_058123B1
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_058123C00_2_058123C0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 0_2_00ECC9150_2_00ECC915
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B8B12_2_0041B8B1
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B9632_2_0041B963
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00408C4B2_2_00408C4B
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00408C502_2_00408C50
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B4932_2_0041B493
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041B4962_2_0041B496
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041C5392_2_0041C539
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00402D892_2_00402D89
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041CE852_2_0041CE85
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041BF122_2_0041BF12
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0041C7952_2_0041C795
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00A5B7D52_2_00A5B7D5
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014DF9002_2_014DF900
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F41202_2_014F4120
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015910022_2_01591002
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015AE8242_2_015AE824
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A28EC2_2_015A28EC
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014EB0902_2_014EB090
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015020A02_2_015020A0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A20A82_2_015A20A8
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014FAB402_2_014FAB40
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A2B282_2_015A2B28
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015903DA2_2_015903DA
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159DBD22_2_0159DBD2
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0150EBB02_2_0150EBB0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0158FA2B2_2_0158FA2B
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A22AE2_2_015A22AE
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A1D552_2_015A1D55
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A2D072_2_015A2D07
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014D0D202_2_014D0D20
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A25DD2_2_015A25DD
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014ED5E02_2_014ED5E0
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015025812_2_01502581
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159D4662_2_0159D466
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014E841F2_2_014E841F
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015ADFCE2_2_015ADFCE
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A1FF12_2_015A1FF1
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_0159D6162_2_0159D616
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_014F6E302_2_014F6E30
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_015A2EF72_2_015A2EF7
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: 2_2_00A5C9152_2_00A5C915
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB20A07_2_04BB20A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9B0907_2_04B9B090
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C520A87_2_04C520A8
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9841F7_2_04B9841F
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C410027_2_04C41002
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BB25817_2_04BB2581
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B9D5E07_2_04B9D5E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C51D557_2_04C51D55
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B80D207_2_04B80D20
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA41207_2_04BA4120
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04B8F9007_2_04B8F900
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C52D077_2_04C52D07
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C52EF77_2_04C52EF7
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C522AE7_2_04C522AE
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BA6E307_2_04BA6E30
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04BBEBB07_2_04BBEBB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C51FF17_2_04C51FF1
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04C52B287_2_04C52B28
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B8B17_2_0094B8B1
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B9547_2_0094B954
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B4967_2_0094B496
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094B4937_2_0094B493
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00938C507_2_00938C50
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00938C4B7_2_00938C4B
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00932D907_2_00932D90
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00932D897_2_00932D89
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094C5397_2_0094C539
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094CE857_2_0094CE85
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094C7957_2_0094C795
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00932FB07_2_00932FB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0094BF127_2_0094BF12
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 04B8B150 appears 35 times
          Source: C:\Users\user\Desktop\lTAPQJikGw.exeCode function: String function: 014DB150 appears 48 times
          Source: lTAPQJikGw.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: lTAPQJikGw.exeBinary or memory string: OriginalFilename vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKygo.dll* vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000000.00000002.656995303.0000000000EC2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCryptoConfig.exeH vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exeBinary or memory string: OriginalFilename vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000002.00000000.656432676.0000000000A52000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameCryptoConfig.exeH vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000002.00000002.729531949.00000000015CF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exe, 00000002.00000002.730181194.0000000001975000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCONTROL.EXEj% vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exeBinary or memory string: OriginalFilenameCryptoConfig.exeH vs lTAPQJikGw.exe
          Source: lTAPQJikGw.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.730022102.0000000001810000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.727807565.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.658248909.0000000004349000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.916418172.0000000000DA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.656408527.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.916260841.0000000000930000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.916447629.0000000000DD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.729969001.00000000017E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.lTAPQJikGw.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.lTAPQJikGw.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.lTAPQJikGw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.lTAPQJikGw.exe.4349930.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.lTAPQJikGw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: lTAPQJikGw.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@12/11
Source: C:\Users\user\Desktop\lTAPQJikGw.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lTAPQJikGw.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6936:120:WilError_01
Source: C:\Users\user\Desktop\lTAPQJikGw.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\lTAPQJikGw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: lTAPQJikGw.exe, 00000000.00000002.657825890.0000000003382000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)