Analysis Report SecuriteInfo.com.Variant.Bulz.349164.25568.5993

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Bulz.349164.25568.5993 (renamed file extension from 5993 to exe)
Analysis ID:	433042
MD5:	c66fe399ec0cb598b2167a348c17f6a2
SHA1:	fcc9984283b3596fb575523fb90eb80ce702abe2
SHA256:	57f599e4ae63304de5795909f694122665f7c492df8078f7c5abb084d09baa2d
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rep.place/pba2/"], "decoy": ["marshabenjamin.com", "ipx-tv.com", "1826bet.net", "free-story-civilizatiom.com", "projecteightstudio.com", "blaxies3.com", "knowyourpharmacy.com", "daviddelavariservices.space", "hawaiidreamevents.com", "chickdeal.net", "toko363.com", "flextech.design", "americanprimativeguitar.com", "sourcesfloor.com", "project6212.com", "eggbeaterhub.xyz", "homefittness.com", "eigenguard.com", "bridgessd.com", "wordabbler.com", "432524.com", "blumlifestyle.com", "cn-liangyu.com", "earwaxsux.com", "n2keg.com", "kthetwobrothers.com", "freetoplaymedia.com", "ncunlimited.com", "mckinleygroupcommandforyou.com", "y-beautyplus.com", "plny.xyz", "luckyliars.com", "succozero.com", "zoorack.net", "myloveclubs.com", "cashstreamsonline.club", "23237a2371.info", "live-now20.xyz", "followtea.com", "xn--vhqqb70qmrhwmvnh0e.xyz", "thocudian.net", "trueradiencesolutions.net", "dictionarykick.com", "banbochfm.com", "privacyphonecover.com", "towandastorage.com", "livingthesustainablelife.com", "freeagencevoyage.com", "veritasfertilityandsurgery.com", "thehindufestival.com", "ollipsisparents.com", "caphesachnguyenchat.com", "xn--egegncel-95a.com", "americanpoolnbilliards.com", "wonderfulwanfield.com", "sheya360.com", "solterasalos40.com", "astarswimschools.net", "vcnse.com", "jinshifj.com", "washingtonreversemtgloans.com", "mutieudao.online", "fluatrec.com", "maggionsurvey.com"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Virustotal: Detection: 45%			Perma Link
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Source: Yara match	File source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: IsolatedStorageSecurityOptions.pdbh2 source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source:	Binary string: IsolatedStorageSecurityOptions.pdb source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000003.00000002.665726046.0000000001930000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04F22250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04F23570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04F23560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04F22240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then pop esi	3_2_0041582C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then pop ebx	3_2_00406A94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 4x nop then pop edi	3_2_0041566C

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.rep.place/pba2/

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664163112.0000000002EE1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_004181B0 NtCreateFile,	3_2_004181B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00418260 NtReadFile,	3_2_00418260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_004182E0 NtClose,	3_2_004182E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00418390 NtAllocateVirtualMemory,	3_2_00418390
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041825B NtReadFile,	3_2_0041825B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041838A NtAllocateVirtualMemory,	3_2_0041838A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01999860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019996E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_019996E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01999660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019999A0 NtCreateSection,	3_2_019999A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019999D0 NtCreateProcessEx,	3_2_019999D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999910 NtAdjustPrivilegesToken,	3_2_01999910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999950 NtQueueApcThread,	3_2_01999950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019998A0 NtWriteVirtualMemory,	3_2_019998A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019998F0 NtReadVirtualMemory,	3_2_019998F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999820 NtEnumerateKey,	3_2_01999820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0199B040 NtSuspendThread,	3_2_0199B040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999840 NtDelayExecution,	3_2_01999840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0199A3B0 NtGetContextThread,	3_2_0199A3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999B00 NtSetValueKey,	3_2_01999B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999A80 NtOpenDirectoryObject,	3_2_01999A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999A10 NtQuerySection,	3_2_01999A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999A00 NtProtectVirtualMemory,	3_2_01999A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999A20 NtResumeThread,	3_2_01999A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999A50 NtCreateFile,	3_2_01999A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019995D0 NtClose,	3_2_019995D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019995F0 NtQueryInformationFile,	3_2_019995F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0199AD30 NtSetContextThread,	3_2_0199AD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999520 NtWaitForSingleObject,	3_2_01999520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999540 NtReadFile,	3_2_01999540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999560 NtWriteFile,	3_2_01999560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999780 NtMapViewOfSection,	3_2_01999780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019997A0 NtUnmapViewOfSection,	3_2_019997A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999FE0 NtCreateMutant,	3_2_01999FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999710 NtQueryInformationToken,	3_2_01999710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0199A710 NtOpenProcessToken,	3_2_0199A710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999730 NtQueryVirtualMemory,	3_2_01999730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0199A770 NtOpenThread,	3_2_0199A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999770 NtSetInformationFile,	3_2_01999770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01999760 NtOpenProcess,	3_2_01999760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019996D0 NtCreateKey,	3_2_019996D0

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F22B08	0_2_04F22B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F20040	0_2_04F20040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F20034	0_2_04F20034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F202AE	0_2_04F202AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F20253	0_2_04F20253
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 0_2_04F2025F	0_2_04F2025F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041C194	3_2_0041C194
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041BA28	3_2_0041BA28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041BB84	3_2_0041BB84
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00408C4B	3_2_00408C4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00408C50	3_2_00408C50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00408C0A	3_2_00408C0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041C5E4	3_2_0041C5E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00402D8B	3_2_00402D8B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041B642	3_2_0041B642
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041BF98	3_2_0041BF98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01972990	3_2_01972990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019799BF	3_2_019799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196C1C0	3_2_0196C1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0195F900	3_2_0195F900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01974120	3_2_01974120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196B090	3_2_0196B090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A220A8	3_2_01A220A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019820A0	3_2_019820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A228EC	3_2_01A228EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198701D	3_2_0198701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A2E824	3_2_01A2E824
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01956800	3_2_01956800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A11002	3_2_01A11002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A830	3_2_0197A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197EB9A	3_2_0197EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198138B	3_2_0198138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019FEB8A	3_2_019FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198EBB0	3_2_0198EBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0198ABD8	3_2_0198ABD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A023E3	3_2_01A023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019A8BE8	3_2_019A8BE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1DBD2	3_2_01A1DBD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A103DA	3_2_01A103DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A22B28	3_2_01A22B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197A309	3_2_0197A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1231B	3_2_01A1231B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019FCB4F	3_2_019FCB4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197AB40	3_2_0197AB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01973360	3_2_01973360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A232A9	3_2_01A232A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A222AE	3_2_01A222AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14AEF	3_2_01A14AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1E2C5	3_2_01A1E2C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A0FA2B	3_2_01A0FA2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B236	3_2_0197B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01982581	3_2_01982581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A12D82	3_2_01A12D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019865A0	3_2_019865A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196D5E0	3_2_0196D5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A225DD	3_2_01A225DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A22D07	3_2_01A22D07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01950D20	3_2_01950D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01972D50	3_2_01972D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A21D55	3_2_01A21D55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A14496	3_2_01A14496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01984CD4	3_2_01984CD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0196841F	3_2_0196841F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01972430	3_2_01972430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A1D466	3_2_01A1D466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0197B477	3_2_0197B477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A167E2	3_2_01A167E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A21FF1	3_2_01A21FF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A2DFCE	3_2_01A2DFCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A01EB6	3_2_01A01EB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_01A22EF7	3_2_01A22EF7

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: String function: 019AD08C appears 39 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: String function: 019E5720 appears 74 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: String function: 0195B150 appears 153 times

PE file contains strange resources

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000000.654505180.0000000000B86000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIsolatedStorageSecurityOptions.exe< vs SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.669811504.0000000006080000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000003.00000002.667569220.0000000001BDF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000003.00000000.662192891.0000000000F76000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIsolatedStorageSecurityOptions.exe< vs SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Binary or memory string: OriginalFilenameIsolatedStorageSecurityOptions.exe< vs SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Yara signature match

Source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.662601270.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.664811462.0000000003EE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.664522711.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.Bulz.349164.25568.exe.log

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Jump to behavior

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041607F push ecx; retf	3_2_00416085
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_004152EE pushad ; retf	3_2_004152FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0040AB63 push 00000066h; retf	3_2_0040AB65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041B3F2 push eax; ret	3_2_0041B3F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041B3FB push eax; ret	3_2_0041B462
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041B3A5 push eax; ret	3_2_0041B3F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_0041B45C push eax; ret	3_2_0041B462
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00414D10 pushfd ; ret	3_2_00414D21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_00414D22 pushfd ; ret	3_2_00414D21
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Code function: 3_2_019AD0D1 push ecx; ret	3_2_019AD0E4

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.ac0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.2.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.0.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 3.2.SecuriteInfo.com.Variant.Bulz.349164.25568.exe.eb0000.1.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'A6FAOa', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Bulz.349164.25568.exe PID: 6776, type: MEMORY

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe TID: 6780	Thread sleep time: -99739s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe TID: 6828	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Thread delayed: delay time: 99739			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Variant.Bulz.349164.25568.exe, 00000000.00000002.664247776.0000000002F1F000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Bulz.349164.25568.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

ID:	433042
Product:	CloudBasic
Start time:	08:06:38
Start date:	11.06.2021
Sample:	SecuriteInfo.com.Variant.Bulz.349164.25568.5993
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	c66fe399ec0cb598b2167a348c17f6a2
SHA1:	fcc9984283b3596fb575523fb90eb80ce702abe2
SHA256:	57f599e4ae63304de5795909f694122665f7c492df8078f7c5abb084d09baa2d
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Analysis Report SecuriteInfo.com.Variant.Bulz.349164.25568.5993

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted URLs