
# Analysis Report OrderKLB210568.exe

## Overview

### General Information

- Sample Name: OrderKLB210568.exe
- Analysis ID: 433298
- MD5: 759b0d51f128f54e516ad1941a896d77
- SHA1: 13e8d9d44cf15bcfc43952eebc3f10fcafed23a3
- SHA256: a08bf89a7e4c15fb33684e268199df85727a6ab759a1d7f3d5ba2b7a0e49f17a
- Tags: exe, Formbook

### Detection

FormBook

- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%

### Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### Classification

System is w10x64

- OrderKLB210568.exe (PID: 6920, cmdline: 'C:\Users\user\Desktop\OrderKLB210568.exe', MD5: 759B0D51F128F54E516AD1941A896D77)
- OrderKLB210568.exe (PID: 6968, cmdline: 'C:\Users\user\Desktop\OrderKLB210568.exe', MD5: 759B0D51F128F54E516AD1941A896D77)
- explorer.exe (PID: 3424, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- raserver.exe (PID: 6784, cmdline: C:\Windows\SysWOW64\raserver.exe, MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
- cmd.exe (PID: 6364, cmdline: /c del 'C:\Users\user\Desktop\OrderKLB210568.exe', MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 6632, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
Source / Rule / Description / Author / Strings:

- Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  - 0x85e8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x8982: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x14695: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x14181: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x14797: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x1490f: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0x939a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x133fc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0xa112: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x19787: $sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x1a82a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  - 0x166b9: $sqlite3step: 68 34 1C 7B E1
  - 0x167cc: $sqlite3step: 68 34 1C 7B E1
  - 0x166e8: $sqlite3text: 68 38 2A 90 C5
  - 0x1680d: $sqlite3text: 68 38 2A 90 C5
  - 0x166fb: $sqlite3blob: 68 53 D8 7F 8C
  - 0x16823: $sqlite3blob: 68 53 D8 7F 8C
- Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  - 0x85e8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x8982: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x14695: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x14181: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x14797: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x1490f: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0x939a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x133fc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0xa112: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x19787: $sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x1a82a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source / Rule / Description / Author / Strings:

- Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  - 0x85e8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x8982: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x14695: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x14181: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x14797: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x1490f: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0x939a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x133fc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0xa112: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x19787: $sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x1a82a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  - 0x166b9: $sqlite3step: 68 34 1C 7B E1
  - 0x167cc: $sqlite3step: 68 34 1C 7B E1
  - 0x166e8: $sqlite3text: 68 38 2A 90 C5
  - 0x1680d: $sqlite3text: 68 38 2A 90 C5
  - 0x166fb: $sqlite3blob: 68 53 D8 7F 8C
  - 0x16823: $sqlite3blob: 68 53 D8 7F 8C
- Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 1.2.OrderKLB210568.exe.400000.0.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  - 0x85e8: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x8982: $sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  - 0x14695: $sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  - 0x14181: $sequence_2: 3B 4F 14 73 95 85 C9 74 91
  - 0x14797: $sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  - 0x1490f: $sequence_4: 5D C3 8D 50 7C 80 FA 07
  - 0x939a: $sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  - 0x133fc: $sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  - 0xa112: $sequence_7: 66 89 0C 02 5B 8B E5 5D
  - 0x19787: $sequence_8: 3C 54 74 04 3C 74 75 F4
  - 0x1a82a: $sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

Found malware configuration

- Source: 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook

```json
{"C2 list": ["www.brochusuell.com/noor/"], "decoy": ["dwlm003.com", "plafon.one", "spacemazevr.com", "geniuslims.com", "selayvolkanwedding.com", "jarsofjoybylinathomas.com", "crosshatch-culinary.com", "mortenmortensen.com", "astromaritravel.com", "that-poor-girl.com", "kovalchukinteriors.com", "hoppingnations.net", "thequbi.com", "shoppermatic.com", "listofcannabinoids.com", "cottoneco.com", "betsrhodeisland.com", "cheerythoughts.com", "joyeriaguitzel.com", "marryobaidanjum.com", "globalapp.net", "ptuananh.club", "headstailsquiz.com", "centerdei.com", "voyagoezy.com", "mysftech.com", "makpumpiran.com", "infathguation.com", "icandrawanything.com", "condorclay.com", "weightlossguruji.com", "zhsysw.com", "radiogogy.com", "pocketeap.com", "gofloorsgo.com", "60-21stave.com", "juliamade.com", "diariodebrasilia.net", "estasenfamilia.com", "agaperpetual.com", "casualcool.xyz", "hfdfg.com", "uipoll.cloud", "indyafilmco.com", "avedonalchemy.online", "store-36.com", "trueandbare.com", "entrenandoamican.com", "tcheaptvwdmall.com", "pirates-bay.gifts", "gamesuptodate.com", "sotoki.com", "pinnacleautism.com", "xbzjist.com", "agencysevenadstrack.com", "atelierbeaumur.site", "stoptraffickingtc.com", "velvetlaceextensions.com", "sanidhestela.com", "crisstings.com", "gshockkuwait.com", "blaxies3.com", "customtiletables.com", "scgcarriers.com"]}
```

Multi AV Scanner detection for submitted file

- Source: OrderKLB210568.exe, ReversingLabs: Detection: 32%

Yara detected FormBook

- Source: Yara match, File source (type: MEMORY):
  - 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp
  - 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp
  - 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp
  - 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp
  - 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp
  - 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp
  - 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp
  - 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp
- Source: Yara match, File source (type: UNPACKEDPE):
  - 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack
  - 1.2.OrderKLB210568.exe.400000.0.raw.unpack
  - 1.1.OrderKLB210568.exe.400000.0.raw.unpack
  - 1.2.OrderKLB210568.exe.400000.0.unpack
  - 0.2.OrderKLB210568.exe.22b0000.3.unpack
  - 1.1.OrderKLB210568.exe.400000.0.unpack

Machine Learning detection for sample

- Source: OrderKLB210568.exe, Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

- Source: 1.2.OrderKLB210568.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 9.2.raserver.exe.33fcd80.2.unpack, Avira: Label: TR/Patched.Ren.Gen
- Source: 0.2.OrderKLB210568.exe.22b0000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 9.2.raserver.exe.5607960.5.unpack, Avira: Label: TR/Patched.Ren.Gen
- Source: 1.1.OrderKLB210568.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Uses 32bit PE files

- Source: OrderKLB210568.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Binary contains paths to debug symbols

- Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp
- Source: Binary string: wntdll.pdbUGP, source: OrderKLB210568.exe, 00000000.00000003.659659585.0000000009A30000.00000004.00000001.sdmp; OrderKLB210568.exe, 00000001.00000002.721198139.0000000000BAF000.00000040.00000001.sdmp; raserver.exe, 00000009.00000002.923390978.00000000051EF000.00000040.00000001.sdmp
- Source: Binary string: wntdll.pdb, source: OrderKLB210568.exe, raserver.exe
- Source: Binary string: RAServer.pdb, source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
- Source: Binary string: RAServer.pdbGCTL, source: OrderKLB210568.exe, 00000001.00000002.720929756.0000000000A30000.00000040.00000001.sdmp
- Source: Binary string: wscui.pdb, source: explorer.exe, 00000004.00000000.712034262.0000000005A00000.00000002.00000001.sdmp

Contains functionality to enumerate / list files inside a directory

- Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 0_2_00405E61 FindFirstFileA, FindClose
- Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 0_2_0040548B CloseHandle, DeleteFileA, lstrcatA, lstrcatA, lstrlenA, FindFirstFileA, DeleteFileA, FindNextFileA, FindClose, RemoveDirectoryA
- Source: C:\Users\user\Desktop\OrderKLB210568.exe, Code function: 0_2_0040263E FindFirstFileA

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

- Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80
- Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80
- Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 74.208.236.54:80

C2 URLs / IPs found in malware configuration

- Source: Malware configuration extractor, URLs: www.brochusuell.com/noor/

HTTP GET or POST without a user agent

- Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=4rG107LnOcmcuziIBv//fTWAPRyuaqL3ZCNKQGbegtiOA/J/96Y+2s4SPBA+G2lg6sqa&z6A=SROlIdu0 HTTP/1.1, Host: www.trueandbare.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
- Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=HXv2ci8qflo+sTzlFu6p6ayrdzzy8jUJJ1L5hJzxjEzCyp3/Ui7nWA8VYIXOKVKH4kcG&z6A=SROlIdu0 HTTP/1.1, Host: www.velvetlaceextensions.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
- Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=yBBObmCyAJHV9q/laG6R4VeleE6hM9O/9rRknywdqzDMYOPfeqQhGmZFlzULPSD48dad&z6A=SROlIdu0 HTTP/1.1, Host: www.pinnacleautism.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
- Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=MrymD1JTSi9icjGKk8gDaU+0x7uPJ/DMShO0SAEbIObMq4sdMjmwzvuhTtB1BmEBq3Cn&z6A=SROlIdu0 HTTP/1.1, Host: www.scgcarriers.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
- Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=aLSZaEbZcY+nJL/coxA+SeOeWAYt8B9E/LcznQPuCd+SSEpvsuzJsFlKySIeZ1LxQ2fR&z6A=SROlIdu0 HTTP/1.1, Host: www.customtiletables.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
- Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=KyjbU3AKX/1ra4+yobi9yViduRe0x0FUVCXAE/BWsKVHYHaI6gSvGLTvxwAp00IgFIet&z6A=SROlIdu0 HTTP/1.1, Host: www.marryobaidanjum.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
- Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=AHmkjMmF5A51F9E2l+bDZjEpvTE04T0IuK3gjYUfTOhZyeiT49VRPb60+qMIaT57BRzI&z6A=SROlIdu0 HTTP/1.1, Host: www.astromaritravel.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
- Source: global traffic, HTTP traffic detected: GET /noor/?1bWh=xnNqGXCWkFApROrJz350BdHFb13BnEMQPSq+Heyas7SGX58S4jH7yXEPKWiH2cfubfT5&z6A=SROlIdu0 HTTP/1.1, Host: www.plafon.one, Connection: close, Data Raw: 00 00 00 00 00 00 00

IP address seen in connection with other malware

- Source: Joe Sandbox View, IP Address: 104.16.13.194

Internet Provider seen in connection with other malware

- Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
- Source: Joe Sandbox View, ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
- Source: Joe Sandbox View, ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL

Downloads files from webservers via HTTP

- Source: global traffic, HTTP traffic detected: the same eight GET /noor/?1bWh=... requests listed under "HTTP GET or POST without a user agent" above

Performs DNS lookups

- Source: unknown, DNS traffic detected: queries for: www.tcheaptvwdmall.com

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

- Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Content-Type: text/html, Content-Length: 1364, Connection: close, Date: Fri, 11 Jun 2021 13:43:42 GMT, Server: Apache, X-Frame-Options: deny (raw hex dump of the HTML response body omitted)

URLs found in memory or binary data
Contains functionality to read data from the clipboard

Creates a DirectInput object (often for capturing keystrokes)

- Source: OrderKLB210568.exe, 00000000.00000002.667430799.00000000007AA000.00000004.00000020.sdmp, Binary or memory string:

### E-Banking Fraud:

Yara detected FormBook

- Source: Yara match, File source: the same eight MEMORY dumps and six UNPACKEDPE files listed under "Yara detected FormBook" in the AV Detection section above

### System Summary:

Malicious sample detected (through community Yara rule)

- Each of the following sources matched both rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group):
  - 00000000.00000002.667634881.00000000022B0000.00000004.00000001.sdmp, type: MEMORY
  - 00000009.00000002.922673360.0000000001250000.00000040.00000001.sdmp, type: MEMORY
  - 00000001.00000002.720819414.00000000009D0000.00000040.00000001.sdmp, type: MEMORY
  - 00000001.00000002.720216113.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  - 00000009.00000002.922695254.0000000001280000.00000004.00000001.sdmp, type: MEMORY
  - 00000001.00000001.664276844.0000000000400000.00000040.00020000.sdmp, type: MEMORY
  - 00000009.00000002.922550809.0000000001000000.00000040.00000001.sdmp, type: MEMORY
  - 00000001.00000002.720881114.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
  - 0.2.OrderKLB210568.exe.22b0000.3.raw.unpack, type: UNPACKEDPE
  - 1.2.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
  - 1.1.OrderKLB210568.exe.400000.0.raw.unpack, type: UNPACKEDPE
  - 1.2.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE
  - 0.2.OrderKLB210568.exe.22b0000.3.unpack, type: UNPACKEDPE
  - 1.1.OrderKLB210568.exe.400000.0.unpack, type: UNPACKEDPE

Initial sample is a PE file and has a suspicious name

- Source: initial sample, Static PE information: Filename: OrderKLB210568.exe

Contains functionality to call native functions