
Analysis Report INVOICE.exe

Overview

General Information

Sample Name: INVOICE.exe
Analysis ID: 433143
MD5: 98901aff995d92677cf637b241ae9a9b
SHA1: 6dac1968c4a9ae4bf26f7fd38efb721fcf7d05dc
SHA256: fb6e849cd3af7e8b0c8143397e62a595a42abbfbbac81f2cdd0b2cb4d18ea543
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • INVOICE.exe (PID: 6440 cmdline: 'C:\Users\user\Desktop\INVOICE.exe' MD5: 98901AFF995D92677CF637B241AE9A9B)
    • INVOICE.exe (PID: 6476 cmdline: 'C:\Users\user\Desktop\INVOICE.exe' MD5: 98901AFF995D92677CF637B241AE9A9B)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • systray.exe (PID: 2148 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
        • cmd.exe (PID: 2100 cmdline: /c del 'C:\Users\user\Desktop\INVOICE.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.gicc-fx.com/uer0/"], "decoy": ["bonds101.com", "lyotrust.com", "can-amchainseurope.com", "mysoulcure.com", "hometownsmut.com", "cxpzhy.site", "hjklrmn.xyz", "bsdminingservice.com", "mockpacket.com", "standwithkam.com", "yxbdj.com", "soulseedz.com", "whxldjt.com", "ruayhunhangseng.com", "benefitcrystal.info", "rahalake.com", "cryptnex.com", "comicslighthouse.com", "ridenwithbiden.net", "samsunbilsem.com", "homestorestoragemanhattan.com", "33-today.club", "laurajimore.com", "wellnesswithshami.com", "palmyra-beaute.com", "ringerpinger.com", "cpf3life.com", "medusaantalya.com", "meganmccalla.com", "xn--2qux23coval6o.net", "icheaplivemall.com", "theseekers5thdimension.com", "hydrogenfunding.com", "calphad.cloud", "amazingdiapercakes.com", "11gongli.com", "bhuyanit.com", "16263937888.com", "crowgangrecords.com", "ytub.xyz", "virtual-ledlight.com", "dollysusmitha.com", "istanbulkonyasofrasi.com", "phonetomouth.com", "tiendasred.com", "destemidovapes.com", "quinnmonroe.com", "internationaldatingapps.com", "aib-confirm.com", "rentthemansion.com", "musicmysoul.com", "alpinesocks.net", "8425sentinaechasedrive.com", "danielabigalli.com", "atlasresearchus.com", "rossinkmobilenotary.com", "mynevve.com", "alfacapital.fund", "jumtix.xyz", "rr-program.com", "trumpoutnowhat.com", "motorworld.rentals", "condoproinsurance.com", "quantumkca.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.INVOICE.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.INVOICE.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.INVOICE.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.1.INVOICE.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.INVOICE.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: INVOICE.exe | ReversingLabs: Detection: 65%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE.exe.9990000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INVOICE.exe.9990000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: INVOICE.exe | Joe Sandbox ML: detected
Source: 0.2.INVOICE.exe.9990000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.INVOICE.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.INVOICE.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.systray.exe.4ccf834.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.systray.exe.ac3748.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: INVOICE.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: systray.pdb | source: INVOICE.exe, 00000001.00000002.275736052.00000000007D0000.00000040.00000001.sdmp
Source: Binary string: systray.pdbGCTL | source: INVOICE.exe, 00000001.00000002.275736052.00000000007D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: INVOICE.exe, 00000000.00000003.198125696.00000000099C0000.00000004.00000001.sdmp, INVOICE.exe, 00000001.00000002.275776991.0000000000A80000.00000040.00000001.sdmp, systray.exe, 00000008.00000002.463792021.00000000047A0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: INVOICE.exe, systray.exe
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,0_2_00405E61
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_0040548B
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_0040263E FindFirstFileA,0_2_0040263E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 104.21.29.70:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 104.21.29.70:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 104.21.29.70:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.gicc-fx.com/uer0/
Source: global traffic | HTTP traffic detected: GET /uer0/?cT=IWphFoHV4jp5oknFMScIxRoUR2WJRPQs/XYBCw5pT/o6GbblNl6C3qYdj4q6OTOtoDPc&0rjL0=00GhNj0PalVPThz HTTP/1.1 | Host: www.cpf3life.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uer0/?0rjL0=00GhNj0PalVPThz&cT=mzn46ufhhzCxwm8qeMWDu5BECFFcgbpMb+xr4Y5+z9rgY/t3xuFClMCjGCpTywHehpEI HTTP/1.1 | Host: www.phonetomouth.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown | DNS traffic detected: queries for: www.dollysusmitha.com
Source: explorer.exe, 00000003.00000000.218929879.00000000089F9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: INVOICE.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: INVOICE.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.219054148.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405042

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same memory dumps and unpacked PEs listed under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.274983977.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.461491283.0000000000A50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.460557300.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.273615422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.461394658.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.204139591.0000000009990000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.INVOICE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.INVOICE.exe.9990000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.INVOICE.exe.9990000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.INVOICE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.INVOICE.exe.9990000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.INVOICE.exe.9990000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Executable has a suspicious name (potential lure to open the executable)
Source: INVOICE.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: INVOICE.exe
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041A050 NtClose,1_2_0041A050
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041A100 NtAllocateVirtualMemory,1_2_0041A100
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00419F20 NtCreateFile,1_2_00419F20
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00419FD0 NtReadFile,1_2_00419FD0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_0041A0FA NtAllocateVirtualMemory,1_2_0041A0FA
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00419F1A NtCreateFile,1_2_00419F1A
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00419FCC NtReadFile,1_2_00419FCC
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE98F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00AE98F0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00AE9860
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9840 NtDelayExecution,LdrInitializeThunk,1_2_00AE9840
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE99A0 NtCreateSection,LdrInitializeThunk,1_2_00AE99A0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00AE9910
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9A20 NtResumeThread,LdrInitializeThunk,1_2_00AE9A20
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00AE9A00
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9A50 NtCreateFile,LdrInitializeThunk,1_2_00AE9A50
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE95D0 NtClose,LdrInitializeThunk,1_2_00AE95D0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9540 NtReadFile,LdrInitializeThunk,1_2_00AE9540
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE96E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00AE96E0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00AE9660
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE97A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00AE97A0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9780 NtMapViewOfSection,LdrInitializeThunk,1_2_00AE9780
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9710 NtQueryInformationToken,LdrInitializeThunk,1_2_00AE9710
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE98A0 NtWriteVirtualMemory,1_2_00AE98A0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9820 NtEnumerateKey,1_2_00AE9820
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AEB040 NtSuspendThread,1_2_00AEB040
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE99D0 NtCreateProcessEx,1_2_00AE99D0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9950 NtQueueApcThread,1_2_00AE9950
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9A80 NtOpenDirectoryObject,1_2_00AE9A80
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9A10 NtQuerySection,1_2_00AE9A10
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AEA3B0 NtGetContextThread,1_2_00AEA3B0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9B00 NtSetValueKey,1_2_00AE9B00
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE95F0 NtQueryInformationFile,1_2_00AE95F0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9520 NtWaitForSingleObject,1_2_00AE9520
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AEAD30 NtSetContextThread,1_2_00AEAD30
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9560 NtWriteFile,1_2_00AE9560
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE96D0 NtCreateKey,1_2_00AE96D0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9610 NtEnumerateValueKey,1_2_00AE9610
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9670 NtQueryInformationProcess,1_2_00AE9670
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9650 NtQueryValueKey,1_2_00AE9650
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9FE0 NtCreateMutant,1_2_00AE9FE0
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9730 NtQueryVirtualMemory,1_2_00AE9730
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AEA710 NtOpenProcessToken,1_2_00AEA710
Source: C:\Users\user\Desktop\INVOICE.exe | Code function: 1_2_00AE9760 NtOpenProcess,1_2_00AE9760
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AE9770 NtSetInformationFile,1_2_00AE9770
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_2_00AEA770 NtOpenThread,1_2_00AEA770
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_1_0041A050 NtClose,1_1_0041A050
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_1_0041A100 NtAllocateVirtualMemory,1_1_0041A100
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_1_00419F20 NtCreateFile,1_1_00419F20
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_1_00419FD0 NtReadFile,1_1_00419FD0
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_1_0041A0FA NtAllocateVirtualMemory,1_1_0041A0FA
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_1_00419F1A NtCreateFile,1_1_00419F1A
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 1_1_00419FCC NtReadFile,1_1_00419FCC
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048095D0 NtClose,LdrInitializeThunk,8_2_048095D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809540 NtReadFile,LdrInitializeThunk,8_2_04809540
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048096D0 NtCreateKey,LdrInitializeThunk,8_2_048096D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048096E0 NtFreeVirtualMemory,LdrInitializeThunk,8_2_048096E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809650 NtQueryValueKey,LdrInitializeThunk,8_2_04809650
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809660 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_04809660
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809780 NtMapViewOfSection,LdrInitializeThunk,8_2_04809780
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809FE0 NtCreateMutant,LdrInitializeThunk,8_2_04809FE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809710 NtQueryInformationToken,LdrInitializeThunk,8_2_04809710
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809840 NtDelayExecution,LdrInitializeThunk,8_2_04809840
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809860 NtQuerySystemInformation,LdrInitializeThunk,8_2_04809860
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048099A0 NtCreateSection,LdrInitializeThunk,8_2_048099A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809910 NtAdjustPrivilegesToken,LdrInitializeThunk,8_2_04809910
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809A50 NtCreateFile,LdrInitializeThunk,8_2_04809A50
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048095F0 NtQueryInformationFile,8_2_048095F0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809520 NtWaitForSingleObject,8_2_04809520
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0480AD30 NtSetContextThread,8_2_0480AD30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809560 NtWriteFile,8_2_04809560
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809610 NtEnumerateValueKey,8_2_04809610
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809670 NtQueryInformationProcess,8_2_04809670
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048097A0 NtUnmapViewOfSection,8_2_048097A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0480A710 NtOpenProcessToken,8_2_0480A710
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809730 NtQueryVirtualMemory,8_2_04809730
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809760 NtOpenProcess,8_2_04809760
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0480A770 NtOpenThread,8_2_0480A770
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809770 NtSetInformationFile,8_2_04809770
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048098A0 NtWriteVirtualMemory,8_2_048098A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048098F0 NtReadVirtualMemory,8_2_048098F0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809820 NtEnumerateKey,8_2_04809820
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0480B040 NtSuspendThread,8_2_0480B040
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_048099D0 NtCreateProcessEx,8_2_048099D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809950 NtQueueApcThread,8_2_04809950
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809A80 NtOpenDirectoryObject,8_2_04809A80
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809A00 NtProtectVirtualMemory,8_2_04809A00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809A10 NtQuerySection,8_2_04809A10
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809A20 NtResumeThread,8_2_04809A20
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_0480A3B0 NtGetContextThread,8_2_0480A3B0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_04809B00 NtSetValueKey,8_2_04809B00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005CA050 NtClose,8_2_005CA050
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005CA100 NtAllocateVirtualMemory,8_2_005CA100
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005C9F20 NtCreateFile,8_2_005C9F20
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005C9FD0 NtReadFile,8_2_005C9FD0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005CA0FA NtAllocateVirtualMemory,8_2_005CA0FA
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005C9F1A NtCreateFile,8_2_005C9F1A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 8_2_005C9FCC NtReadFile,8_2_005C9FCC
          Source: C:\Users\user\Desktop\INVOICE.exeCode function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040323C
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00404853
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00406131
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_73701A98
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_0041E034
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_0041D166
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00401177
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_0041DA6E
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_0041DB50
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_0041E3F5
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_0041D403
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_0041DD62
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_0041D565
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00409E2C
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00409E30
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AD20A0
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B720A8
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ABB090
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B728EC
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B7E824
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ACA830
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B61002
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AC99BF
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AC4120
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AAF900
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B722AE
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B64AEF
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ACB236
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B5FA2B
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ADEBB0
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AD138B
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B523E3
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B6DBD2
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B603DA
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ADABD8
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B72B28
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ACA309
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ACAB40
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B4CB4F
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B64496
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AB841F
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B6D466
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ACB477
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AD2581
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B62D82
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00ABD5E0
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B725DD
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AA0D20
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B72D07
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B71D55
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B72EF7
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00AC6E30
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B6D616
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B71FF1
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_2_00B7DFCE
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_0041E034
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_0041D166
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_00401177
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_0041DA6E
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_0041DB50
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_0041E3F5
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_0041D403
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_0041DD62
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_0041D565
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_00402D90
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_00409E2C
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_00409E30
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: 1_1_00402FB0
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047EB477
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04884496
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047D841F
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0488D466
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04882D82
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_048925DD
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047C0D20
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04892D07
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047DD5E0
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04891D55
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047F2581
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047E6E30
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04892EF7
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0488D616
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0489DFCE
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04891FF1
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_048920A8
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047EA830
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_048928EC
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04881002
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0489E824
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047F20A0
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047DB090
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047E4120
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047CF900
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047E99BF
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_048922AE
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04884AEF
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0487FA2B
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047EAB40
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_048803DA
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0488DBD2
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_048723E3
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047EA309
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_04892B28
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047FABD8
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_0486CB4F
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047FEBB0
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_047F138B
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_005CD166
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_005CE3F5
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_005CD403
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_005B2D90
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_005B9E30
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_005B9E2C
          Source: C:\Windows\SysWOW64\systray.exe Code function: 8_2_005B2FB0
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: String function: 00AAB150 appears 136 times
          Source: C:\Users\user\Desktop\INVOICE.exe Code function: String function: 0041BDA0 appears 38 times
          Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 047CB150 appears 136 times
          Source: INVOICE.exe, 00000000.00000003.200123102.0000000009B06000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICE.exe
          Source: INVOICE.exe, 00000001.00000002.275741990.00000000007D3000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamesystray.exej% vs INVOICE.exe
          Source: INVOICE.exe, 00000001.00000002.276092694.0000000000D2F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICE.exe
          Source: INVOICE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.201178753.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.275287960.00000000006F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607,