Analysis Report http___192.3.141.164_mal_win32.exe

Overview

General Information

Sample Name:	http___192.3.141.164_mal_win32.exe
Analysis ID:	433488
MD5:	b9032e2b7b07123f625f5d9e6e4f4796
SHA1:	a06bcdf6aab7fb82dad340465035549cd853e047
SHA256:	120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: www.dragonpalcenk.com/k8n/

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.dragonpalcenk.com/k8n/"], "decoy": ["foxynailserie.com", "thenoyzees.com", "waterrising.xyz", "allmister.com", "theguyscave.com", "erkitap.com", "spyder-club.com", "raskrutisam.com", "giantledlights.com", "wowbeautynails.com", "youmovies.site", "abjms.com", "enso-solutions.com", "seasonalcampgroundsmn.com", "lukeprater.com", "mufasacapital.com", "idi360.com", "mask-cleaner.com", "aeruswilmde.com", "venkatlifecoach.com", "crochetandgabbana.com", "onlineshreecollection.com", "gwenythportillowightman.com", "nexuspropertycare.com", "progress.solutions", "parkerut.com", "achebones.com", "jiazhengfu.com", "chlamydiadeetz.com", "thiele-concept.com", "bayareataxattorney.com", "geopainterdecorators.com", "makemybuild.com", "headsleepinstrument.online", "finevinum.com", "alphaworkoutgear.com", "8765pk.com", "rikonchat.com", "gitchat.net", "showy1.net", "tellurideminer.com", "triliumbrewing.com", "fioriapartment.com", "salubrigems.com", "sctsmney.com", "betgobar1.com", "thomaspurcell.com", "araket.com", "parisfilmfestival.online", "treepik.com", "artemisnaturalhealing.com", "littlehouseofhoarders.com", "buyselllm.com", "levnakava.com", "mygolfbetter.com", "vinlancer.com", "beetalkmobile.press", "gocampultralightmattress.com", "direk99.net", "nivxros.com", "cbgdenver.com", "datarock.net", "docondemand.net", "smithvilletexashistory.com"]}

Multi AV Scanner detection for domain / URL

Source: www.dragonpalcenk.com/k8n/

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for submitted file

Source: http___192.3.141.164_mal_win32.exe	Virustotal: Detection: 47%			Perma Link
Source: http___192.3.141.164_mal_win32.exe	ReversingLabs: Detection: 28%

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: http___192.3.141.164_mal_win32.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: http___192.3.141.164_mal_win32.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: http___192.3.141.164_mal_win32.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: StoreApplicationReference.pdb source: http___192.3.141.164_mal_win32.exe
Source:	Binary string: wntdll.pdbUGP source: http___192.3.141.164_mal_win32.exe, 00000002.00000002.652122895.0000000001630000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: http___192.3.141.164_mal_win32.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04572810
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04573F30
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04573F22
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_04572806

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.dragonpalcenk.com/k8n/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651915151.0000000002531000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651503963.00000000008FB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00419D60 NtCreateFile,	2_2_00419D60
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00419E10 NtReadFile,	2_2_00419E10
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00419E90 NtClose,	2_2_00419E90
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00419F40 NtAllocateVirtualMemory,	2_2_00419F40
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00419D5B NtCreateFile,	2_2_00419D5B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00419E0A NtReadFile,	2_2_00419E0A
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00419F3A NtAllocateVirtualMemory,	2_2_00419F3A
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_01699860
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_01699660
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016996E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_016996E0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699950 NtQueueApcThread,	2_2_01699950
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699910 NtAdjustPrivilegesToken,	2_2_01699910
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016999D0 NtCreateProcessEx,	2_2_016999D0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016999A0 NtCreateSection,	2_2_016999A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0169B040 NtSuspendThread,	2_2_0169B040
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699840 NtDelayExecution,	2_2_01699840
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699820 NtEnumerateKey,	2_2_01699820
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016998F0 NtReadVirtualMemory,	2_2_016998F0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016998A0 NtWriteVirtualMemory,	2_2_016998A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699B00 NtSetValueKey,	2_2_01699B00
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0169A3B0 NtGetContextThread,	2_2_0169A3B0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699A50 NtCreateFile,	2_2_01699A50
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699A20 NtResumeThread,	2_2_01699A20
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699A00 NtProtectVirtualMemory,	2_2_01699A00
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699A10 NtQuerySection,	2_2_01699A10
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699A80 NtOpenDirectoryObject,	2_2_01699A80
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699560 NtWriteFile,	2_2_01699560
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699540 NtReadFile,	2_2_01699540
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699520 NtWaitForSingleObject,	2_2_01699520
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0169AD30 NtSetContextThread,	2_2_0169AD30
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016995F0 NtQueryInformationFile,	2_2_016995F0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016995D0 NtClose,	2_2_016995D0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699760 NtOpenProcess,	2_2_01699760
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0169A770 NtOpenThread,	2_2_0169A770
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699770 NtSetInformationFile,	2_2_01699770
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699730 NtQueryVirtualMemory,	2_2_01699730
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699710 NtQueryInformationToken,	2_2_01699710
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0169A710 NtOpenProcessToken,	2_2_0169A710
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699FE0 NtCreateMutant,	2_2_01699FE0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016997A0 NtUnmapViewOfSection,	2_2_016997A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699780 NtMapViewOfSection,	2_2_01699780
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699670 NtQueryInformationProcess,	2_2_01699670
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699650 NtQueryValueKey,	2_2_01699650
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01699610 NtEnumerateValueKey,	2_2_01699610
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016996D0 NtCreateKey,	2_2_016996D0

Detected potential crypto function

Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_00A9B3F7	0_2_00A9B3F7
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_00A99B08	0_2_00A99B08
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_00A9C7A8	0_2_00A9C7A8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_00A9E880	0_2_00A9E880
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_00A9B034	0_2_00A9B034
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04571C90	0_2_04571C90
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_045716A8	0_2_045716A8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04570040	0_2_04570040
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04570006	0_2_04570006
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04570272	0_2_04570272
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_045702AF	0_2_045702AF
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04A5E2D0	0_2_04A5E2D0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04A56139	0_2_04A56139
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04A56148	0_2_04A56148
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04A56387	0_2_04A56387
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04A56398	0_2_04A56398
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04A5DD20	0_2_04A5DD20
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04A79D30	0_2_04A79D30
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04A79D1F	0_2_04A79D1F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04A79F9B	0_2_04A79F9B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0041D0C7	2_2_0041D0C7
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0041D8EC	2_2_0041D8EC
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0041E24D	2_2_0041E24D
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0041E5B3	2_2_0041E5B3
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00409E40	2_2_00409E40
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01674120	2_2_01674120
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0165F900	2_2_0165F900
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0166C1C0	2_2_0166C1C0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016799BF	2_2_016799BF
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01672990	2_2_01672990
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0172E824	2_2_0172E824
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0167A830	2_2_0167A830
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01656800	2_2_01656800
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01711002	2_2_01711002
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0168701D	2_2_0168701D
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_017160F5	2_2_017160F5
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016588E0	2_2_016588E0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_017228EC	2_2_017228EC
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016820A0	2_2_016820A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_017220A8	2_2_017220A8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0166B090	2_2_0166B090
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01673360	2_2_01673360
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016FCB4F	2_2_016FCB4F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0167AB40	2_2_0167AB40
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01722B28	2_2_01722B28
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0171231B	2_2_0171231B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0167A309	2_2_0167A309
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016A8BE8	2_2_016A8BE8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_017023E3	2_2_017023E3
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0171DBD2	2_2_0171DBD2
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_017103DA	2_2_017103DA
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0168ABD8	2_2_0168ABD8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0168EBB0	2_2_0168EBB0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0168138B	2_2_0168138B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016FEB8A	2_2_016FEB8A
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0167EB9A	2_2_0167EB9A
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01715A4F	2_2_01715A4F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0167B236	2_2_0167B236
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0170FA2B	2_2_0170FA2B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01714AEF	2_2_01714AEF
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0171E2C5	2_2_0171E2C5
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_017232A9	2_2_017232A9
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_017222AE	2_2_017222AE
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01721D55	2_2_01721D55
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01672D50	2_2_01672D50
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01650D20	2_2_01650D20
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01722D07	2_2_01722D07
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0166D5E0	2_2_0166D5E0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_017225DD	2_2_017225DD
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016865A0	2_2_016865A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01682581	2_2_01682581
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01712D82	2_2_01712D82
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0171CC77	2_2_0171CC77
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0167B477	2_2_0167B477
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0171D466	2_2_0171D466
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01672430	2_2_01672430
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0166841F	2_2_0166841F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01684CD4	2_2_01684CD4
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01714496	2_2_01714496
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01721FF1	2_2_01721FF1
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_017167E2	2_2_017167E2
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0172DFCE	2_2_0172DFCE
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01659660	2_2_01659660
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016DAE60	2_2_016DAE60
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01676E30	2_2_01676E30
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0171D616	2_2_0171D616
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01675600	2_2_01675600
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01722EF7	2_2_01722EF7
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016806C0	2_2_016806C0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_01701EB6	2_2_01701EB6

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: String function: 016AD08C appears 48 times
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: String function: 016E5720 appears 85 times
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: String function: 0165B150 appears 177 times

PE file contains strange resources

Source: http___192.3.141.164_mal_win32.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs http___192.3.141.164_mal_win32.exe
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000000.643959783.00000000001BE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStoreApplicationReference.exe< vs http___192.3.141.164_mal_win32.exe
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651503963.00000000008FB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs http___192.3.141.164_mal_win32.exe
Source: http___192.3.141.164_mal_win32.exe, 00000002.00000002.651934783.0000000000C7E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStoreApplicationReference.exe< vs http___192.3.141.164_mal_win32.exe
Source: http___192.3.141.164_mal_win32.exe, 00000002.00000002.652453473.00000000018DF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs http___192.3.141.164_mal_win32.exe
Source: http___192.3.141.164_mal_win32.exe	Binary or memory string: OriginalFilenameStoreApplicationReference.exe< vs http___192.3.141.164_mal_win32.exe

Uses 32bit PE files

Source: http___192.3.141.164_mal_win32.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Yara signature match

Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: http___192.3.141.164_mal_win32.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: http___192.3.141.164_mal_win32.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: http___192.3.141.164_mal_win32.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/1

Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\http___192.3.141.164_mal_win32.exe.log

Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: unknown	Process created: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe 'C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe'
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process created: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process created: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Jump to behavior

Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_00A9EBE8 pushad ; ret	0_2_00A9EBE9
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_045703E8 push edx; ret	0_2_045703E9
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04A72404 push E802005Eh; ret	0_2_04A72409
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 0_2_04A72991 pushad ; ret	0_2_04A729A3
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00417849 push cs; retf	2_2_0041786A
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0040795D push ebx; ret	2_2_00407984
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0041E24D push dword ptr [2E33947Ah]; ret	2_2_0041E24B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_00416500 push 00000038h; ret	2_2_00416503
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0041CEB5 push eax; ret	2_2_0041CF08
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0041CF6C push eax; ret	2_2_0041CF72
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0041CF02 push eax; ret	2_2_0041CF08
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0041CF0B push eax; ret	2_2_0041CF72
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0041DFD6 push dword ptr [2E33947Ah]; ret	2_2_0041E24B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_0041DFE0 push dword ptr [2E33947Ah]; ret	2_2_0041E24B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Code function: 2_2_016AD0D1 push ecx; ret	2_2_016AD0E4

Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: http___192.3.141.164_mal_win32.exe PID: 5924, type: MEMORY

Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe TID: 6440	Thread sleep time: -102947s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe TID: 5852	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Thread delayed: delay time: 102947			Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Queries volume information: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior

ID:	433488
Product:	CloudBasic
Start time:	02:05:22
Start date:	12.06.2021
Sample:	http___192.3.141.164_mal_win32.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	b9032e2b7b07123f625f5d9e6e4f4796
SHA1:	a06bcdf6aab7fb82dad340465035549cd853e047
SHA256:	120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Analysis Report http___192.3.141.164_mal_win32.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs