
Analysis Report OrderKLB210568.exe

Overview

General Information

Sample Name: OrderKLB210568.exe
Analysis ID: 433298
MD5: 759b0d51f128f54e516ad1941a896d77
SHA1: 13e8d9d44cf15bcfc43952eebc3f10fcafed23a3
SHA256: a08bf89a7e4c15fb33684e268199df85727a6ab759a1d7f3d5ba2b7a0e49f17a
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name recorded in the version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • OrderKLB210568.exe (PID: 6920 cmdline: 'C:\Users\user\Desktop\OrderKLB210568.exe' MD5: 759B0D51F128F54E516AD1941A896D77)
    • OrderKLB210568.exe (PID: 6968 cmdline: 'C:\Users\user\Desktop\OrderKLB210568.exe' MD5: 759B0D51F128F54E516AD1941A896D77)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 6784 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6364 cmdline: /c del 'C:\Users\user\Desktop\OrderKLB210568.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
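The tree above is the FormBook execution chain end to end: the dropper re-launches itself (PID 6920 spawning 6968, the hollowed copy), the payload reaches explorer.exe, the injected explorer.exe starts a bare 32-bit system binary (raserver.exe from SysWOW64) to host the final stage, and that process deletes the original sample with cmd.exe /c del. The following Python is an added example, not part of the Joe Sandbox report, showing how each of those three links can be flagged from process-creation telemetry. The event records are constructed: PIDs, images and command lines are copied from the tree, two benign events are made up as controls, the field names (pid, ppid, image, cmdline) are an assumed Sysmon-style schema, and the cmd.exe image path is assumed. In real telemetry explorer.exe is not created by the sample (the report hangs it under PID 6968 because the sample injects into it), so here explorer.exe launches the sample and explorer's own parent PID is a placeholder.

```python
"""Flag the FormBook execution chain in process-creation events (added example)."""
import re

# Constructed events. PIDs/images/command lines from the report's process tree; the
# explorer.exe parent (1000), the cmd.exe image path and the two benign events are assumed.
EVENTS = [
    {"pid": 3424, "ppid": 1000, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 6920, "ppid": 3424, "image": r"C:\Users\user\Desktop\OrderKLB210568.exe",
     "cmdline": r"'C:\Users\user\Desktop\OrderKLB210568.exe'"},
    {"pid": 6968, "ppid": 6920, "image": r"C:\Users\user\Desktop\OrderKLB210568.exe",
     "cmdline": r"'C:\Users\user\Desktop\OrderKLB210568.exe'"},          # hollowed copy
    {"pid": 6784, "ppid": 3424, "image": r"C:\Windows\SysWOW64\raserver.exe",
     "cmdline": r"C:\Windows\SysWOW64\raserver.exe"},                     # started by injected explorer
    {"pid": 6364, "ppid": 6784, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\OrderKLB210568.exe'"},
    {"pid": 6632, "ppid": 6364, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # Benign controls: Explorer opening a document, and a script deleting its own log.
    {"pid": 7001, "ppid": 3424, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"C:\Windows\System32\notepad.exe C:\Users\user\Desktop\notes.txt"},
    {"pid": 7002, "ppid": 7001, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"/c del C:\Users\user\AppData\Local\Temp\build.log"},
]

USER_WRITABLE = ("\\desktop\\", "\\downloads\\", "\\appdata\\local\\temp\\", "\\public\\")
DEL_RE = re.compile(r"""\bdel\s+['"]?(.+?)['"]?\s*$""", re.IGNORECASE)


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return "\\users\\" in p and any(tag in p for tag in USER_WRITABLE)


def self_spawn_from_user_dir(events):
    """Child created from the same image as its parent, out of a user-writable directory:
    a packer re-launching itself (suspended) so it can hollow the child."""
    by_pid = index_by_pid(events)
    return [e["pid"] for e in events
            if (p := by_pid.get(e["ppid"])) and p["image"].lower() == e["image"].lower()
            and in_user_writable(e["image"])]


def explorer_spawns_bare_syswow64(events):
    """explorer.exe starting a SysWOW64 binary with no arguments at all. Explorer's
    legitimate children normally carry a document or a switch; FormBook's injected
    explorer.exe thread launches one of a list of system tools to host its final stage."""
    by_pid = index_by_pid(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if not parent or not parent["image"].lower().endswith("\\explorer.exe"):
            continue
        image = e["image"].lower()
        if image.startswith("c:\\windows\\syswow64\\") and \
                e["cmdline"].strip().strip("'\"").lower() == image:
            hits.append(e["pid"])
    return hits


def self_delete_via_cmd(events):
    """cmd.exe /c del of a file that is the image of a process in the same event stream:
    the original dropper being removed after the payload is running elsewhere."""
    images = {e["image"].lower() for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if m and m.group(1).lower() in images:
            hits.append((e["pid"], m.group(1)))
    return hits


def analyze(events):
    return {
        "self_spawn": self_spawn_from_user_dir(events),
        "bare_syswow64_child_of_explorer": explorer_spawns_bare_syswow64(events),
        "self_delete": self_delete_via_cmd(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze(EVENTS).items():
        print(f"{rule}: {hits}")
```

The self-delete rule is the strongest of the three because it ties the deleted path back to a process image already seen; the other two are candidates for a correlation search rather than stand-alone alerts, since self-spawning installers and argument-less Explorer children do occur legitimately.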

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.brochusuell.com/noor/"], "decoy": ["dwlm003.com", "plafon.one", "spacemazevr.com", "geniuslims.com", "selayvolkanwedding.com", "jarsofjoybylinathomas.com", "crosshatch-culinary.com", "mortenmortensen.com", "astromaritravel.com", "that-poor-girl.com", "kovalchukinteriors.com", "hoppingnations.net", "thequbi.com", "shoppermatic.com", "listofcannabinoids.com", "cottoneco.com", "betsrhodeisland.com", "cheerythoughts.com", "joyeriaguitzel.com", "marryobaidanjum.com", "globalapp.net", "ptuananh.club", "headstailsquiz.com", "centerdei.com", "voyagoezy.com", "mysftech.com", "makpumpiran.com", "infathguation.com", "icandrawanything.com", "condorclay.com", "weightlossguruji.com", "zhsysw.com", "radiogogy.com", "pocketeap.com", "gofloorsgo.com", "60-21stave.com", "juliamade.com", "diariodebrasilia.net", "estasenfamilia.com", "agaperpetual.com", "casualcool.xyz", "hfdfg.com", "uipoll.cloud", "indyafilmco.com", "avedonalchemy.online", "store-36.com", "trueandbare.com", "entrenandoamican.com", "tcheaptvwdmall.com", "pirates-bay.gifts", "gamesuptodate.com", "sotoki.com", "pinnacleautism.com", "xbzjist.com", "agencysevenadstrack.com", "atelierbeaumur.site", "stoptraffickingtc.com", "velvetlaceextensions.com", "sanidhestela.com", "crisstings.com", "gshockkuwait.com", "blaxies3.com", "customtiletables.com", "scgcarriers.com"]}

Yara Overview

Memory Dumps

Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings: the same ten $sequence_* hits at the same offsets as in the first dump above
[19 further entries collapsed in the original report]

Reading the strings: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, which is the RDTSC timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature. The JPCERT strings are push imm32 instructions (opcode 68) with the constants 0xE17B1C34, 0xC5902A38 and 0x8C7FD853, which the rule names after the sqlite3 step/text/blob routines they select in FormBook's credential-database code; being fixed constants in the unpacked payload, they hold across the memory of every process the payload is injected into. Identical offsets in the dumps of PID 0 (the dropper) and PID 9 (raserver.exe) mean the same unpacked image is present in both.

      Unpacked PEs

Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings: the same ten $sequence_* hits at the same offsets as in the first memory dump above ($sequence_0 at 0x85e8 and 0x8982, $sequence_1 at 0x14695, ..., $sequence_9 at 0x1a82a)
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings: the same $sqlite3step/$sqlite3text/$sqlite3blob hits at the same offsets as in the first memory dump above (0x166b9, 0x167cc, 0x166e8, 0x1680d, 0x166fb, 0x16823)
Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings: the same ten $sequence_* hits at the same offsets as above
[13 further entries collapsed in the original report]

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Found malware configuration
Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (the configuration printed in the Malware Configuration section above: C2 www.brochusuell.com/noor/ plus 64 decoy domains)
Multi AV Scanner detection for submitted file
Source: OrderKLB210568.exe, ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match, file source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: OrderKLB210568.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.OrderKLB210568.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.raserver.exe.33fcd80.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.raserver.exe.5607960.5.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.OrderKLB210568.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: OrderKLB210568.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: OrderKLB210568.exe, 00000000.00000003.659659585.0000000009A30000.00000004.00000001.sdmp, OrderKLB210568.exe, 00000001.00000002.721198139.0000000000BAF000.00000040.00000001.sdmp, raserver.exe, 00000009.00000002.923390978.00000000051EF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: OrderKLB210568.exe, raserver.exe
Source: Binary string: RAServer.pdb source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 0_2_0040263E FindFirstFileA,

The PDB strings are worth a second look: wntdll.pdb (the symbol file of ntdll.dll) turns up in writable memory of the dropper, of its hollowed second instance and of raserver.exe, and RAServer.pdb is already present in the hollowed OrderKLB210568.exe instance (PID 1, region 0x00A30000) before raserver.exe exists as a process. Both images have therefore been mapped into the payload's own address space; a second, manually mapped copy of ntdll.dll is a known FormBook trait used to sidestep user-mode API hooks.

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.brochusuell.com/noor/
Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=4rG107LnOcmcuziIBv//fTWAPRyuaqL3ZCNKQGbegtiOA/J/96Y+2s4SPBA+G2lg6sqa&z6A=SROlIdu0 HTTP/1.1, Host: www.trueandbare.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=HXv2ci8qflo+sTzlFu6p6ayrdzzy8jUJJ1L5hJzxjEzCyp3/Ui7nWA8VYIXOKVKH4kcG&z6A=SROlIdu0 HTTP/1.1, Host: www.velvetlaceextensions.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=yBBObmCyAJHV9q/laG6R4VeleE6hM9O/9rRknywdqzDMYOPfeqQhGmZFlzULPSD48dad&z6A=SROlIdu0 HTTP/1.1, Host: www.pinnacleautism.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=MrymD1JTSi9icjGKk8gDaU+0x7uPJ/DMShO0SAEbIObMq4sdMjmwzvuhTtB1BmEBq3Cn&z6A=SROlIdu0 HTTP/1.1, Host: www.scgcarriers.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=aLSZaEbZcY+nJL/coxA+SeOeWAYt8B9E/LcznQPuCd+SSEpvsuzJsFlKySIeZ1LxQ2fR&z6A=SROlIdu0 HTTP/1.1, Host: www.customtiletables.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=KyjbU3AKX/1ra4+yobi9yViduRe0x0FUVCXAE/BWsKVHYHaI6gSvGLTvxwAp00IgFIet&z6A=SROlIdu0 HTTP/1.1, Host: www.marryobaidanjum.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=AHmkjMmF5A51F9E2l+bDZjEpvTE04T0IuK3gjYUfTOhZyeiT49VRPb60+qMIaT57BRzI&z6A=SROlIdu0 HTTP/1.1, Host: www.astromaritravel.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq+Heyas7SGX58S4jH7yXEPKWiH2cfubfT5&z6A=SROlIdu0 HTTP/1.1, Host: www.plafon.one, Connection: close, Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View, IP Address: 104.16.13.194
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View, ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View, ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL

All eight captured check-ins share the /noor/ path from the configuration, the two-parameter query shape (a short key with a long base64-looking value, then a short key with an 8-character token), Connection: close and no User-Agent header (the "HTTP GET or POST without a user agent" signature). Every one of the eight hosts is taken from the decoy list; the configured C2 host www.brochusuell.com does not appear in this excerpt of the traffic, so an IOC list built only from the observed hosts would miss the real C2 while blocking hosts the malware contacts only as cover.
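The decoy mechanism above is what makes a raw host list from the pcap misleading: the check-in URI pattern is the stable part, and the extracted configuration is what separates the real C2 from the cover traffic. The following Python is an added example, not part of the Joe Sandbox report, that classifies captured requests against the configuration printed in the Malware Configuration section. It assumes the configuration dict has the "C2 list" and "decoy" keys shown there (the decoy list is cut down to the domains seen in the traffic) and that requests are available as raw HTTP text, e.g. reassembled from a pcap or exported from a proxy. The request samples are constructed: three are copied from the report, while the request to the configured C2 host, the request to an unlisted host (example.net) and the browser request (example.org) are made up, including their query blob.

```python
"""Classify HTTP requests against an extracted FormBook configuration (added example)."""
import json
from urllib.parse import urlsplit

# Configuration from the report, decoy list trimmed to the hosts seen in the traffic.
FORMBOOK_CONFIG = json.loads("""
{"C2 list": ["www.brochusuell.com/noor/"],
 "decoy": ["plafon.one", "trueandbare.com", "velvetlaceextensions.com", "pinnacleautism.com"]}
""")

# Constructed raw requests: first three copied from the report, the rest made up
# (example.net / example.org are placeholders, the base64 blob is not real beacon data).
SAMPLE_REQUESTS = [
    "GET /noor/?1bWh=4rG107LnOcmcuziIBv//fTWAPRyuaqL3ZCNKQGbegtiOA/J/96Y+2s4SPBA+G2lg6sqa&z6A=SROlIdu0 HTTP/1.1\r\n"
    "Host: www.trueandbare.com\r\nConnection: close\r\n\r\n",
    "GET /noor/?1bWh=HXv2ci8qflo+sTzlFu6p6ayrdzzy8jUJJ1L5hJzxjEzCyp3/Ui7nWA8VYIXOKVKH4kcG&z6A=SROlIdu0 HTTP/1.1\r\n"
    "Host: www.velvetlaceextensions.com\r\nConnection: close\r\n\r\n",
    "GET /noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq+Heyas7SGX58S4jH7yXEPKWiH2cfubfT5&z6A=SROlIdu0 HTTP/1.1\r\n"
    "Host: www.plafon.one\r\nConnection: close\r\n\r\n",
    "GET /noor/?1bWh=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5&z6A=SROlIdu0 HTTP/1.1\r\n"
    "Host: www.brochusuell.com\r\nConnection: close\r\n\r\n",
    "GET /noor/?1bWh=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5&z6A=SROlIdu0 HTTP/1.1\r\n"
    "Host: www.example.net\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n"
    "Connection: keep-alive\r\n\r\n",
]

B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def normalize_host(host: str) -> str:
    """Lower-case, drop a port and a leading 'www.' so config entries and traffic compare equal."""
    host = host.lower().split(":", 1)[0]
    return host[4:] if host.startswith("www.") else host


def split_c2_url(url: str) -> tuple:
    """'www.brochusuell.com/noor/' -> ('brochusuell.com', '/noor/')."""
    host, _, path = url.partition("/")
    return normalize_host(host), "/" + path


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.x request parser; query pairs are kept undecoded."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = [tuple(kv.partition("=")[::2]) for kv in parts.query.split("&") if kv]
    return {"method": method, "path": parts.path, "query": query, "headers": headers,
            "host": normalize_host(headers.get("host", "")), "body": body}


def beacon_query_shape(query: list) -> bool:
    """Short key + long base64-looking value, then short key + 8-char token: the shape of
    every check-in captured in the report."""
    if len(query) != 2:
        return False
    (k1, v1), (k2, v2) = query
    return (len(k1) <= 8 and len(v1) >= 40 and set(v1) <= B64_CHARS
            and len(k2) <= 8 and len(v2) == 8 and v2.isalnum())


def classify(req: dict, config: dict) -> dict:
    c2 = [split_c2_url(u) for u in config["C2 list"]]
    c2_hosts, c2_paths = {h for h, _ in c2}, {p for _, p in c2}
    decoys = {normalize_host(d) for d in config["decoy"]}
    reasons = []
    on_c2_path = req["path"] in c2_paths
    if on_c2_path:
        reasons.append("path matches configured C2 path")
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header")
    if req["headers"].get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    if beacon_query_shape(req["query"]):
        reasons.append("FormBook-style query shape")
    if on_c2_path and req["host"] in c2_hosts:
        verdict = "c2"
    elif on_c2_path and req["host"] in decoys:
        verdict = "decoy"
    elif len(reasons) >= 3:
        verdict = "suspect"      # right shape, host absent from the extracted config
    else:
        verdict = "benign"
    return {"host": req["host"], "verdict": verdict, "reasons": reasons}


def classify_all(raw_requests: list, config: dict) -> list:
    return [classify(parse_request(r), config) for r in raw_requests]


def real_c2_hosts(config: dict) -> set:
    """Hosts worth blocking; decoys are cover traffic and belong in a watch list at most."""
    return {split_c2_url(u)[0] for u in config["C2 list"]}


if __name__ == "__main__":
    for r in classify_all(SAMPLE_REQUESTS, FORMBOOK_CONFIG):
        print(f"{r['verdict']:8} {r['host']:30} {'; '.join(r['reasons'])}")
```

The "suspect" verdict is the operationally interesting one: a request with the campaign's URI shape to a host that is in neither list means the configuration has rotated since extraction, and that host should be fed back into the blocklist only after checking it is not another decoy.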
Source: unknown, DNS traffic detected: queries for: www.tcheaptvwdmall.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Content-Type: text/html, Content-Length: 1364, Connection: close, Date: Fri, 11 Jun 2021 13:43:42 GMT, Server: Apache, X-Frame-Options: deny
Data Ascii (decoded from the raw hex dump, which the report cuts off; this is a domain-parking placeholder page, and the report does not show which host returned it):
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <style type="text/css">
            html, body, #partner, iframe {
                height:100%;
                width:100%;
                margin:0;
                padding:0;
                border:0;
                outline:0;
                font-size:100%;
                vertical-align:baseline;
                background:transparent;
            }
            body {
                overflow:hidden;
            }
        </style>
        <meta content="NOW" name="expires">
        <meta content="index, follow, all" name="GOOGLEBOT">
        <meta content="index, follow, all" name="robots">
        <!-- Following Meta-Tag fixes scaling-issues on mobile devices -->
        <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport">
    </head>
    <body>
        <div id="partner"></div>
        <script ty[dump truncated in the report]
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: OrderKLB210568.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: OrderKLB210568.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.670973820.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.688771289.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: raserver.exe, 00000009.00000002.923694061.0000000005782000.00000004.00000001.sdmp, String found in binary or memory: https://www.plafon.one/noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq
Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: OrderKLB210568.exe, 00000000.00000002.667430799.00000000007AA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Reading these strings: the http://www.* font-vendor URLs come from typeface metadata in explorer.exe's own memory, not from the sample, and are not indicators. The nsis.sf.net strings identify the dropper as an NSIS installer, and the popup-menu and SetClipboardData calls in 0_2_00405042 are consistent with the installer's details-window "copy to clipboard" function rather than with the stealer's clipboard capture. The only string here tied to the campaign is the https://www.plafon.one/noor/?1bWh=... fragment in raserver.exe's memory, which matches the check-in URI pattern listed above (note the https scheme in memory versus the port-80 GETs actually observed).

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, file sources: the same 8 memory dumps and 6 unpacked PEs listed under AV Detection above

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: OrderKLB210568.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_004181C0 NtCreateFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00418270 NtReadFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_004182F0 NtClose,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_0041826A NtReadFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00418212 NtReadFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_0041839D NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AFB040 NtSuspendThread,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9A10 NtQuerySection,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AFA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AFAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9560 NtWriteFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF96D0 NtCreateKey,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AFA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9760 NtOpenProcess,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AFA770 NtOpenThread,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_004181C0 NtCreateFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_00418270 NtReadFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_004182F0 NtClose,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_0041826A NtReadFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_00418212 NtReadFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_0041839D NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051395D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051396D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051396E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051399A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0513AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139560 NtWriteFile,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051395F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0513A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0513A770 NtOpenThread,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139760 NtOpenProcess,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051397A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051399D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0513B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051398A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051398F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0513A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139A10 NtQuerySection,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139A20 NtResumeThread,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05139A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_010181C0 NtCreateFile,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_010183A0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01018270 NtReadFile,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_010182F0 NtClose,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0101839D NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01018212 NtReadFile,
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0101826A NtReadFile,
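The native-call list above is the full tool set of a process-hollowing loader: a section is created and mapped (NtCreateSection, NtMapViewOfSection), the target's original image is unmapped (NtUnmapViewOfSection), the payload is written (NtWriteVirtualMemory), and execution is redirected through NtSetContextThread or NtQueueApcThread before NtResumeThread. The same set is resolved again from inside raserver.exe, which is what a migrated FormBook payload looks like. The Python helper below is an added example and is not code from the report or from Joe Sandbox: it parses "Code function" evidence lines in the form shown above (the fused export form and a "|"-separated form are both accepted), collects the Nt*/Zw* names referenced per process, and flags any process that carries most of that injection set, since each call is benign on its own and only the combination is worth an alert. The sample lines are a constructed subset of the report's own lines; reading the `N_M_` prefix as process index and memory-snapshot index, and the 0.75 threshold, are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the report's evidence lines, in both the
# fused HTML-to-text form and a '|'-separated form. Assumption: the N_M_
# prefix is <process index>_<snapshot index>_<address>.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_004181C0 NtCreateFile,
Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AF99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AF98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AF9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AFAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AF9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 1_2_00AF99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05139540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051395D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_051399A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05139780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05139950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_05139A20 NtResumeThread,
Source: C:\Users\user\Desktop\OrderKLB210568.exeCode function: 0_2_00404853
"""

# 'Source: <path>' optionally followed by ' | ', then 'Code function: N_M_ADDR apis'
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<snap>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<apis>.*)$"
)

# Native calls that together make up a hollowing / APC-injection loader.
HOLLOWING_APIS = {
    "NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection",
    "NtWriteVirtualMemory", "NtQueueApcThread", "NtSetContextThread",
    "NtResumeThread", "NtCreateProcessEx",
}


def parse_code_function_lines(text):
    """Return (process_index, snapshot, address, [api names]) per evidence line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a 'Code function' evidence line
        apis = [a for a in m.group("apis").split(",") if a]
        records.append((int(m.group("proc")), int(m.group("snap")),
                        int(m.group("addr"), 16), apis))
    return records


def native_apis_by_process(records):
    """Map process index -> set of Nt*/Zw* names its code resolves."""
    by_proc = defaultdict(set)
    for proc, _snap, _addr, apis in records:
        for api in apis:
            if api.startswith(("Nt", "Zw")):
                by_proc[proc].add(api)
    return dict(by_proc)


def hollowing_score(api_set):
    """Fraction (0.0 to 1.0) of the injection API set present in one process."""
    return len(api_set & HOLLOWING_APIS) / len(HOLLOWING_APIS)


def flag_injectors(text, threshold=0.75):
    """Process indexes whose native-API footprint matches an injector."""
    by_proc = native_apis_by_process(parse_code_function_lines(text))
    return sorted(p for p, s in by_proc.items() if hollowing_score(s) >= threshold)


if __name__ == "__main__":
    summary = native_apis_by_process(parse_code_function_lines(SAMPLE_LINES))
    for proc, apis in sorted(summary.items()):
        print(f"process {proc}: score={hollowing_score(apis):.2f} apis={sorted(apis)}")
    print("flagged:", flag_injectors(SAMPLE_LINES))
```

On the constructed subset only process 1 is flagged; process 9 carries half the set and stays below the threshold, which is the point of scoring the combination rather than alerting on NtQueueApcThread alone. Run over the complete evidence list above, raserver.exe resolves all eight calls as well.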
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Detected potential crypto function
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 0_2_00404853
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 0_2_00406131
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 0_2_6FC41A98
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00401026
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_0041B83E
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_0041C171
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00401208
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00408C60
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_0041C429
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_0041B4A3
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_0041BDB4
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AE20A0
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B820A8
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00ACB090
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B828EC
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B8E824
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B71002
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AD4120
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00ABF900
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B822AE
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B6FA2B
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AEEBB0
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B7DBD2
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B703DA
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B82B28
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AC841F
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B7D466
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AE2581
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00ACD5E0
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B825DD
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AB0D20
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B82D07
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B81D55
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B82EF7
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00AD6E30
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B7D616
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B81FF1
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_2_00B8DFCE
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_00401026
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_00401030
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_0041B83E
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_0041C171
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_00401208
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_00408C60
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_0041C429
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_0041B4A3
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_00402D90
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: 1_1_0041BDB4
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C2D07
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_050F0D20
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C1D55
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05122581
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C25DD
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0510D5E0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0510841F
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051BD466
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051B4496
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051CDFCE
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C1FF1
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051BD616
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05116E30
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C2EF7
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_050FF900
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_05114120
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051199BF
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051B1002
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0511A830
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051CE824
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0510B090
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051220A0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C20A8
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C28EC
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0511A309
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C2B28
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0511AB40
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0512EBB0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051B03DA
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051BDBD2
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0512ABD8
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051A23E3
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051AFA2B
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051C22AE
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_051B4AEF
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0101C171
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0101B83E
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01002D90
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0101BDB4
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0101C429
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01008C60
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0101B4A3
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01002FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 050FB150 appears 124 times
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: String function: 00419F70 appears 36 times
Source: C:\Users\user\Desktop\OrderKLB210568.exe | Code function: String function: 00ABB150 appears 45 times
Source: OrderKLB210568.exe, 00000000.00000003.660414871.0000000009B46000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs OrderKLB210568.exe
Source: OrderKLB210568.exe, 00000001.00000002.721198139.0000000000BAF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs OrderKLB210568.exe
Source: OrderKLB210568.exe, 00000001.00000002.720949048.0000000000A49000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameraserver.exej% vs OrderKLB210568.exe
Source: OrderKLB210568.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
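The flag list above is the Characteristics bitmask of the COFF file header. The one that matters to a practitioner is RELOCS_STRIPPED: an image without a relocation table cannot be moved by the loader, so it always lands at its preferred base regardless of any ASLR setting, which is convenient for a packer stub that hard-codes addresses and equally convenient for anyone writing an exploit against it. The Python below is an added example, not code from the report or from Joe Sandbox: it walks the DOS header to the PE signature, reads the file header and the optional header's DllCharacteristics, decodes the flags with the winnt.h constants, and states the ASLR consequence. The image bytes it inspects are a constructed minimal PE32 skeleton carrying the report's flag set, not the sample itself.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h)
CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
DLLCHAR_DYNAMIC_BASE = 0x0040
DLLCHAR_NX_COMPAT = 0x0100

# The flag set the report lists for OrderKLB210568.exe (== 0x010F)
SAMPLE_FLAGS = 0x0008 | 0x0100 | 0x0002 | 0x0004 | 0x0001


def parse_pe_headers(data):
    """Return (Machine, Characteristics, DllCharacteristics) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature:
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsec, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    dll_chars = 0
    if opt_size >= 72:
        opt = e_lfanew + 24  # optional header starts after the file header
        magic = struct.unpack_from("<H", data, opt)[0]
        # DllCharacteristics sits at +70 in both PE32 (0x10B) and PE32+ (0x20B)
        if magic in (0x10B, 0x20B):
            dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return machine, chars, dll_chars


def decode_characteristics(chars):
    """Flag names set in Characteristics, lowest bit first."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit]


def aslr_status(chars, dll_chars):
    """Whether the loader can randomize this image's base, and why."""
    if chars & IMAGE_FILE_RELOCS_STRIPPED:
        return "no ASLR possible: relocations stripped, image always loads at its preferred base"
    if not dll_chars & DLLCHAR_DYNAMIC_BASE:
        return "no ASLR by default: DYNAMIC_BASE not set (only a mandatory-ASLR policy could relocate it)"
    return "ASLR: DYNAMIC_BASE set and relocations present"


def describe(data):
    machine, chars, dll_chars = parse_pe_headers(data)
    return {
        "machine": "i386" if machine == 0x014C else hex(machine),
        "characteristics": decode_characteristics(chars),
        "nx_compat": bool(dll_chars & DLLCHAR_NX_COMPAT),
        "aslr": aslr_status(chars, dll_chars),
    }


def build_minimal_pe(chars, dll_chars=0):
    """Constructed test image: DOS header, PE signature, file header, PE32 optional header."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)   # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    print(describe(build_minimal_pe(SAMPLE_FLAGS)))
    print(describe(build_minimal_pe(0x0102, DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT)))
```

To run it against a real file, pass `open(path, "rb").read()` to `describe`; on the sample the report describes, the first line of output is what you would expect to see, with `aslr` reporting that relocations are stripped.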
Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC In