
Analysis Report SX365783909782021.bat

Overview

General Information

Sample Name: SX365783909782021.bat (renamed file extension from bat to exe)
Analysis ID: 433214
MD5: ee1f4a07b874aa6ba18d6aa0f83252d3
SHA1: d17b97dc47707b685bc8976d3cbc6cdbfbd5fcee
SHA256: d66268222a39fd97e792983a3bacdb1e81067b7a28848a87fe65a5dc91f7e82a
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SX365783909782021.exe (PID: 4092 cmdline: 'C:\Users\user\Desktop\SX365783909782021.exe' MD5: EE1F4A07B874AA6BA18D6AA0F83252D3)
    • SX365783909782021.exe (PID: 5472 cmdline: 'C:\Users\user\Desktop\SX365783909782021.exe' MD5: EE1F4A07B874AA6BA18D6AA0F83252D3)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 5524 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 6124 cmdline: /c del 'C:\Users\user\Desktop\SX365783909782021.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.moneyhuntercom.info/ngvm/"], "decoy": ["justiceforashleymoore.com", "tyqbfe.com", "zydonghua.com", "crossfootwear.com", "mysticlight-shop.com", "digitaldefenseacademy.com", "joyfulgoodies.com", "blog-kotori-haru.com", "atelierlinneakunstoghelse.com", "destinyonlineacademy.com", "series.onl", "bellizzo.com", "totalscalpsolutions.com", "musicrowstudiorecording.com", "digitalgamerentals.com", "princecreativehk.com", "bitchesofzion.com", "imodalmarine.com", "chilly-sauce.com", "studionikolla.com", "jilluonlinemart.com", "ypoinc.com", "chothuenhaxuongtphcm.com", "gadamagado.com", "cartscroll.com", "congying1688.com", "fesdimac.com", "xn--rhqu70hdoa298e.com", "zkdxin168.com", "the-plague-doctor.com", "speakeroo.online", "urban-xr.com", "kanjani8-house.com", "alberaber.com", "eamm-eg.com", "alsawtisrael.com", "deathvalleysolar.com", "vuyo.club", "zcoatux.icu", "marksfly.com", "advertisershopper.com", "hashratelab.com", "broadesys.com", "sampoelstra.com", "poacolors.com", "sciencelogicandfaith.com", "bootupcertificatemount.xyz", "alotranscend.com", "steadwaybytriarc.com", "simplefinest.com", "adinaroseyoga.com", "btb659.com", "ecftech.com", "caravansforsalenorthwales.com", "e1536.com", "sellmyhouseolympia.com", "vacalinda.com", "truegemsproperty.com", "aeternusprofero.com", "djspencer.com", "zhubviz.online", "xn--r2bnc0b.com", "luisxe.info", "servicesbackyard.com"]}

Yara Overview

Memory Dumps

Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 2.2.SX365783909782021.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.SX365783909782021.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 2.2.SX365783909782021.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: SX365783909782021.exe | Virustotal: Detection: 31%
Source: SX365783909782021.exe | ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SX365783909782021.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SX365783909782021.exe | Joe Sandbox ML: detected
Source: 2.2.SX365783909782021.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.help.exe.3b2f834.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.SX365783909782021.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.help.exe.d3d870.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.SX365783909782021.exe.22b0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SX365783909782021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP | source: SX365783909782021.exe, 00000000.00000003.209611066.0000000009B30000.00000004.00000001.sdmp, SX365783909782021.exe, 00000002.00000002.258947287.0000000000BA0000.00000040.00000001.sdmp, help.exe, 00000005.00000002.474720424.000000000371F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: SX365783909782021.exe, help.exe
Source: Binary string: help.pdbGCTL | source: SX365783909782021.exe, 00000002.00000002.258899247.0000000000769000.00000004.00000020.sdmp
Source: Binary string: help.pdb | source: SX365783909782021.exe, 00000002.00000002.258899247.0000000000769000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,0_2_00405E61
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_0040548B
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 4x nop then pop edi 2_2_00416CB5
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 4x nop then pop edi 2_1_00416CB5
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop edi 5_2_03216CB5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 168.235.88.209:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 168.235.88.209:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 168.235.88.209:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.moneyhuntercom.info/ngvm/
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=st23zvU/E1xU5Qy7Hp2PD30UnMfCa5knANSLf3ItiB6oVvQd6+qg6yvUWRtcyiXbPLds&3fox=SBZ4 HTTP/1.1 | Host: www.vacalinda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=UyLqygKx2FmdGYSRh5mqmU7zHOPmyh0H52xSnc3cVgCKFPBqoRmOJ0eYguKTgHZNEA4k&3fox=SBZ4 HTTP/1.1 | Host: www.servicesbackyard.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=HBVp1ZFUGcT+hxfW3ntFEbmU5GO8vrkA1mLmG5vd048TCTgwy52mAcu3AE2RaU7PuRfb&3fox=SBZ4 HTTP/1.1 | Host: www.djspencer.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ngvm/?w6A=uz7CW46zGnQqpjgqznnFmpPrWAklZoEybcG+oUJN9dvYL4OpOEr/HbmCuGHk2zZbqVpb&3fox=SBZ4 HTTP/1.1 | Host: www.caravansforsalenorthwales.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 168.235.88.209
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: unknown | DNS traffic detected: queries for: www.vacalinda.com
Source: explorer.exe, 00000003.00000000.227112576.0000000008A06000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SX365783909782021.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SX365783909782021.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.227163717.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405042

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same memory dumps and unpacked PEs listed under "Yara detected FormBook" in the AV Detection section above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.SX365783909782021.exe.22b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SX365783909782021.exe.22b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041A060 NtClose,2_2_0041A060
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041A110 NtAllocateVirtualMemory,2_2_0041A110
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00419F30 NtCreateFile,2_2_00419F30
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00419FE0 NtReadFile,2_2_00419FE0
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041A05A NtClose,2_2_0041A05A
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041A10A NtAllocateVirtualMemory,2_2_0041A10A
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00419F2D NtCreateFile,2_2_00419F2D
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C098F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_00C098F0
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09840 NtDelayExecution,LdrInitializeThunk,2_2_00C09840
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09860 NtQuerySystemInformation,LdrInitializeThunk,2_2_00C09860
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C099A0 NtCreateSection,LdrInitializeThunk,2_2_00C099A0
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_00C09910
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09A50 NtCreateFile,LdrInitializeThunk,2_2_00C09A50
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_00C09A00
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09A20 NtResumeThread,LdrInitializeThunk,2_2_00C09A20
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C095D0 NtClose,LdrInitializeThunk,2_2_00C095D0
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09540 NtReadFile,LdrInitializeThunk,2_2_00C09540
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C096E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_00C096E0
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_00C09660
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09780 NtMapViewOfSection,LdrInitializeThunk,2_2_00C09780
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C097A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_00C097A0
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09710 NtQueryInformationToken,LdrInitializeThunk,2_2_00C09710
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C098A0 NtWriteVirtualMemory,2_2_00C098A0
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C0B040 NtSuspendThread,2_2_00C0B040
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09820 NtEnumerateKey,2_2_00C09820
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C099D0 NtCreateProcessEx,2_2_00C099D0
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09950 NtQueueApcThread,2_2_00C09950
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09A80 NtOpenDirectoryObject,2_2_00C09A80
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09A10 NtQuerySection,2_2_00C09A10
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C0A3B0 NtGetContextThread,2_2_00C0A3B0
Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C09B00 NtSetValueKey,2_2_00C09B00
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C095F0 NtQueryInformationFile,2_2_00C095F0
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09560 NtWriteFile,2_2_00C09560
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09520 NtWaitForSingleObject,2_2_00C09520
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C0AD30 NtSetContextThread,2_2_00C0AD30
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C096D0 NtCreateKey,2_2_00C096D0
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09650 NtQueryValueKey,2_2_00C09650
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09670 NtQueryInformationProcess,2_2_00C09670
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09610 NtEnumerateValueKey,2_2_00C09610
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09FE0 NtCreateMutant,2_2_00C09FE0
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09760 NtOpenProcess,2_2_00C09760
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09770 NtSetInformationFile,2_2_00C09770
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C0A770 NtOpenThread,2_2_00C0A770
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C0A710 NtOpenProcessToken,2_2_00C0A710
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_2_00C09730 NtQueryVirtualMemory,2_2_00C09730
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041A060 NtClose,2_1_0041A060
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041A110 NtAllocateVirtualMemory,2_1_0041A110
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00419F30 NtCreateFile,2_1_00419F30
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00419FE0 NtReadFile,2_1_00419FE0
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041A05A NtClose,2_1_0041A05A
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_0041A10A NtAllocateVirtualMemory,2_1_0041A10A
          Source: C:\Users\user\Desktop\SX365783909782021.exeCode function: 2_1_00419F2D NtCreateFile,2_1_00419F2D
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669A50 NtCreateFile,LdrInitializeThunk,5_2_03669A50
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_03669910
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036699A0 NtCreateSection,LdrInitializeThunk,5_2_036699A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669860 NtQuerySystemInformation,LdrInitializeThunk,5_2_03669860
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669840 NtDelayExecution,LdrInitializeThunk,5_2_03669840
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669710 NtQueryInformationToken,LdrInitializeThunk,5_2_03669710
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669FE0 NtCreateMutant,LdrInitializeThunk,5_2_03669FE0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669780 NtMapViewOfSection,LdrInitializeThunk,5_2_03669780
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669660 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_03669660
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669650 NtQueryValueKey,LdrInitializeThunk,5_2_03669650
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036696E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_036696E0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036696D0 NtCreateKey,LdrInitializeThunk,5_2_036696D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669540 NtReadFile,LdrInitializeThunk,5_2_03669540
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036695D0 NtClose,LdrInitializeThunk,5_2_036695D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669B00 NtSetValueKey,5_2_03669B00
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0366A3B0 NtGetContextThread,5_2_0366A3B0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669A20 NtResumeThread,5_2_03669A20
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669A00 NtProtectVirtualMemory,5_2_03669A00
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669A10 NtQuerySection,5_2_03669A10
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669A80 NtOpenDirectoryObject,5_2_03669A80
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669950 NtQueueApcThread,5_2_03669950
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036699D0 NtCreateProcessEx,5_2_036699D0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0366B040 NtSuspendThread,5_2_0366B040
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669820 NtEnumerateKey,5_2_03669820
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036698F0 NtReadVirtualMemory,5_2_036698F0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036698A0 NtWriteVirtualMemory,5_2_036698A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669760 NtOpenProcess,5_2_03669760
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0366A770 NtOpenThread,5_2_0366A770
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669770 NtSetInformationFile,5_2_03669770
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669730 NtQueryVirtualMemory,5_2_03669730
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0366A710 NtOpenProcessToken,5_2_0366A710
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036697A0 NtUnmapViewOfSection,5_2_036697A0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669670 NtQueryInformationProcess,5_2_03669670
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669610 NtEnumerateValueKey,5_2_03669610
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669560 NtWriteFile,5_2_03669560
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03669520 NtWaitForSingleObject,5_2_03669520
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0366AD30 NtSetContextThread,5_2_0366AD30
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_036695F0 NtQueryInformationFile,5_2_036695F0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321A110 NtAllocateVirtualMemory,5_2_0321A110
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321A060 NtClose,5_2_0321A060
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03219F30 NtCreateFile,5_2_03219F30
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03219FE0 NtReadFile,5_2_03219FE0
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321A10A NtAllocateVirtualMemory,5_2_0321A10A
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_0321A05A NtClose,5_2_0321A05A
          Source: C:\Windows\SysWOW64\help.exeCode function: 5_2_03219F2D NtCreateFile,5_2_03219F2D
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_00404853
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_00406131
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 0_2_73761A98
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041E206
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041DA32
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041D330
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041E46E
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00402D87
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00409E40
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_0041D666
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00409E3C
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF20A0
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C928EC
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BDB090
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C920A8
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA830
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C81002
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C9E824
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE99BF
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE4120
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BCF900
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84AEF
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C922AE
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C7FA2B
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BFEBB0
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C803DA
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C8DBD2
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C723E3
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BFABD8
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEA309
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C92B28
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BEAB40
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C84496
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BD841F
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C8D466
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C925DD
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BF2581
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C82D82
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BDD5E0
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BC0D20
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C91D55
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C92D07
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C92EF7
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00BE6E30
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C8D616
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C9DFCE
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_2_00C91FF1
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_1_00401030
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_1_0041E206
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_1_0041DA32
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_1_0041D330
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_1_0041E46E
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_1_00402D87
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_1_00402D90
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_1_00409E40
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_1_0041D666
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_1_00409E3C
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: 2_1_00402FB0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0364AB40
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036F2B28
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036E03DA
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036EDBD2
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0365EBB0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036DFA2B
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036F22AE
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_03644120
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0362F900
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036499BF
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036FE824
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0364A830
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036E1002
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036F28EC
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036520A0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036F20A8
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0363B090
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036F1FF1
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036FDFCE
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_03646E30
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036ED616
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036F2EF7
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036F1D55
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_03620D20
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036F2D07
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0363D5E0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036F25DD
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_03652581
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_036ED466
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0363841F
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0321D330
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0321DA32
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0321E206
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_03202FB0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_03209E3C
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0321D666
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_03209E40
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_03202D87
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_03202D90
          Source: C:\Windows\SysWOW64\help.exe | Code function: 5_2_0321E46E
          Source: C:\Windows\SysWOW64\help.exe | Code function: String function: 0362B150 appears 72 times
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: String function: 00BCB150 appears 133 times
          Source: C:\Users\user\Desktop\SX365783909782021.exe | Code function: String function: 0041BDB0 appears 38 times
          Source: SX365783909782021.exe, 00000000.00000003.208364508.0000000009C4F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SX365783909782021.exe
          Source: SX365783909782021.exe, 00000002.00000002.258899247.0000000000769000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameHelp.Exej% vs SX365783909782021.exe
          Source: SX365783909782021.exe, 00000002.00000002.259254145.0000000000E4F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SX365783909782021.exe
          Source: SX365783909782021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.258574044.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.473754310.0000000003200000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.209804420.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.258786803.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.211210535.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.258837957.0000000000710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.472090660.0000000000C30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.SX365783909782021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.SX365783909782021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.SX365783909782021.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.SX365783909782021.exe.22b0<