
Analysis Report http___192.3.141.164_mal_win32.exe

Overview

General Information

Sample Name: http___192.3.141.164_mal_win32.exe
Analysis ID: 433488
MD5: b9032e2b7b07123f625f5d9e6e4f4796
SHA1: a06bcdf6aab7fb82dad340465035549cd853e047
SHA256: 120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.dragonpalcenk.com/k8n/"], "decoy": ["foxynailserie.com", "thenoyzees.com", "waterrising.xyz", "allmister.com", "theguyscave.com", "erkitap.com", "spyder-club.com", "raskrutisam.com", "giantledlights.com", "wowbeautynails.com", "youmovies.site", "abjms.com", "enso-solutions.com", "seasonalcampgroundsmn.com", "lukeprater.com", "mufasacapital.com", "idi360.com", "mask-cleaner.com", "aeruswilmde.com", "venkatlifecoach.com", "crochetandgabbana.com", "onlineshreecollection.com", "gwenythportillowightman.com", "nexuspropertycare.com", "progress.solutions", "parkerut.com", "achebones.com", "jiazhengfu.com", "chlamydiadeetz.com", "thiele-concept.com", "bayareataxattorney.com", "geopainterdecorators.com", "makemybuild.com", "headsleepinstrument.online", "finevinum.com", "alphaworkoutgear.com", "8765pk.com", "rikonchat.com", "gitchat.net", "showy1.net", "tellurideminer.com", "triliumbrewing.com", "fioriapartment.com", "salubrigems.com", "sctsmney.com", "betgobar1.com", "thomaspurcell.com", "araket.com", "parisfilmfestival.online", "treepik.com", "artemisnaturalhealing.com", "littlehouseofhoarders.com", "buyselllm.com", "levnakava.com", "mygolfbetter.com", "vinlancer.com", "beetalkmobile.press", "gocampultralightmattress.com", "direk99.net", "nivxros.com", "cbgdenver.com", "datarock.net", "docondemand.net", "smithvilletexashistory.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xc1268:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xc14e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xcd005:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xccaf1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xcd107:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xcd27f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xc1efa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xcbd6c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xc2bf3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xd2ca7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xd3caa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0xcfd89:$sqlite3step: 68 34 1C 7B E1
  • 0xcfe9c:$sqlite3step: 68 34 1C 7B E1
  • 0xcfdb8:$sqlite3text: 68 38 2A 90 C5
  • 0xcfedd:$sqlite3text: 68 38 2A 90 C5
  • 0xcfdcb:$sqlite3blob: 68 53 D8 7F 8C
  • 0xcfef3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x17e728:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x17e9a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x18a4c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x189fb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x18a5c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x18a73f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x17f3ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x18922c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1800b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x190167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19116a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(9 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: www.dragonpalcenk.com/k8n/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (full C2 and decoy list as given under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: www.dragonpalcenk.com/k8n/ | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: http___192.3.141.164_mal_win32.exe | Virustotal: Detection: 47%
Source: http___192.3.141.164_mal_win32.exe | ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: http___192.3.141.164_mal_win32.exe | Joe Sandbox ML: detected
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: http___192.3.141.164_mal_win32.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: http___192.3.141.164_mal_win32.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: StoreApplicationReference.pdb source: http___192.3.141.164_mal_win32.exe
Source: Binary string: wntdll.pdbUGP source: http___192.3.141.164_mal_win32.exe, 00000002.00000002.652122895.0000000001630000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: http___192.3.141.164_mal_win32.exe
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_04572810
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_04573F30
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_04573F22
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_04572806

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.dragonpalcenk.com/k8n/
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651915151.0000000002531000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651503963.00000000008FB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419D60 NtCreateFile, | 2_2_00419D60
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419E10 NtReadFile, | 2_2_00419E10
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419E90 NtClose, | 2_2_00419E90
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419F40 NtAllocateVirtualMemory, | 2_2_00419F40
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419D5B NtCreateFile, | 2_2_00419D5B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419E0A NtReadFile, | 2_2_00419E0A
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419F3A NtAllocateVirtualMemory, | 2_2_00419F3A
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699860 NtQuerySystemInformation,LdrInitializeThunk, | 2_2_01699860
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699660 NtAllocateVirtualMemory,LdrInitializeThunk, | 2_2_01699660
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016996E0 NtFreeVirtualMemory,LdrInitializeThunk, | 2_2_016996E0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699950 NtQueueApcThread, | 2_2_01699950
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699910 NtAdjustPrivilegesToken, | 2_2_01699910
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016999D0 NtCreateProcessEx, | 2_2_016999D0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016999A0 NtCreateSection, | 2_2_016999A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0169B040 NtSuspendThread, | 2_2_0169B040
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699840 NtDelayExecution, | 2_2_01699840
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699820 NtEnumerateKey, | 2_2_01699820
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016998F0 NtReadVirtualMemory, | 2_2_016998F0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016998A0 NtWriteVirtualMemory, | 2_2_016998A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699B00 NtSetValueKey, | 2_2_01699B00
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0169A3B0 NtGetContextThread, | 2_2_0169A3B0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699A50 NtCreateFile, | 2_2_01699A50
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699A20 NtResumeThread, | 2_2_01699A20
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699A00 NtProtectVirtualMemory, | 2_2_01699A00
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699A10 NtQuerySection, | 2_2_01699A10
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699A80 NtOpenDirectoryObject, | 2_2_01699A80
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699560 NtWriteFile, | 2_2_01699560
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699540 NtReadFile, | 2_2_01699540
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699520 NtWaitForSingleObject, | 2_2_01699520
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0169AD30 NtSetContextThread, | 2_2_0169AD30
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016995F0 NtQueryInformationFile, | 2_2_016995F0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016995D0 NtClose, | 2_2_016995D0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699760 NtOpenProcess, | 2_2_01699760
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0169A770 NtOpenThread, | 2_2_0169A770
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699770 NtSetInformationFile, | 2_2_01699770
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699730 NtQueryVirtualMemory, | 2_2_01699730
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699710 NtQueryInformationToken, | 2_2_01699710
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0169A710 NtOpenProcessToken, | 2_2_0169A710
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699FE0 NtCreateMutant, | 2_2_01699FE0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016997A0 NtUnmapViewOfSection, | 2_2_016997A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699780 NtMapViewOfSection, | 2_2_01699780
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699670 NtQueryInformationProcess, | 2_2_01699670
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699650 NtQueryValueKey, | 2_2_01699650
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699610 NtEnumerateValueKey, | 2_2_01699610
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016996D0 NtCreateKey, | 2_2_016996D0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_00A9B3F7 | 0_2_00A9B3F7
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_00A99B08 | 0_2_00A99B08
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_00A9C7A8 | 0_2_00A9C7A8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_00A9E880 | 0_2_00A9E880
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_00A9B034 | 0_2_00A9B034
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04571C90 | 0_2_04571C90
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_045716A8 | 0_2_045716A8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04570040 | 0_2_04570040
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04570006 | 0_2_04570006
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04570272 | 0_2_04570272
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_045702AF | 0_2_045702AF
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A5E2D0 | 0_2_04A5E2D0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A56139 | 0_2_04A56139
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A56148 | 0_2_04A56148
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A56387 | 0_2_04A56387
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A56398 | 0_2_04A56398
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A5DD20 | 0_2_04A5DD20
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A79D30 | 0_2_04A79D30
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A79D1F | 0_2_04A79D1F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A79F9B | 0_2_04A79F9B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00401030 | 2_2_00401030
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041D0C7 | 2_2_0041D0C7
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041D8EC | 2_2_0041D8EC
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041E24D | 2_2_0041E24D
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00402D87 | 2_2_00402D87
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00402D90 | 2_2_00402D90
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041E5B3 | 2_2_0041E5B3
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00409E40 | 2_2_00409E40
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00402FB0 | 2_2_00402FB0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01674120 | 2_2_01674120
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0165F900 | 2_2_0165F900
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0166C1C0 | 2_2_0166C1C0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016799BF | 2_2_016799BF
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01672990 | 2_2_01672990
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0172E824 | 2_2_0172E824
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167A830 | 2_2_0167A830
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01656800 | 2_2_01656800
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01711002 | 2_2_01711002
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0168701D | 2_2_0168701D
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017160F5 | 2_2_017160F5
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016588E0 | 2_2_016588E0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017228EC | 2_2_017228EC
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016820A0 | 2_2_016820A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017220A8 | 2_2_017220A8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0166B090 | 2_2_0166B090
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01673360 | 2_2_01673360
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016FCB4F | 2_2_016FCB4F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167AB40 | 2_2_0167AB40
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01722B28 | 2_2_01722B28
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171231B | 2_2_0171231B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167A309 | 2_2_0167A309
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016A8BE8 | 2_2_016A8BE8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017023E3 | 2_2_017023E3
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171DBD2 | 2_2_0171DBD2
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017103DA | 2_2_017103DA
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0168ABD8 | 2_2_0168ABD8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0168EBB0 | 2_2_0168EBB0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0168138B | 2_2_0168138B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016FEB8A | 2_2_016FEB8A
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167EB9A | 2_2_0167EB9A
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01715A4F | 2_2_01715A4F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167B236 | 2_2_0167B236
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0170FA2B | 2_2_0170FA2B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01714AEF | 2_2_01714AEF
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171E2C5 | 2_2_0171E2C5
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017232A9 | 2_2_017232A9
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017222AE | 2_2_017222AE
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01721D55 | 2_2_01721D55
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01672D50 | 2_2_01672D50
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01650D20 | 2_2_01650D20
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01722D07 | 2_2_01722D07
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0166D5E0 | 2_2_0166D5E0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017225DD | 2_2_017225DD
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016865A0 | 2_2_016865A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01682581 | 2_2_01682581
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01712D82 | 2_2_01712D82
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171CC77 | 2_2_0171CC77
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167B477 | 2_2_0167B477
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171D466 | 2_2_0171D466
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01672430 | 2_2_01672430
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0166841F | 2_2_0166841F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01684CD4 | 2_2_01684CD4
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01714496 | 2_2_01714496
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exeCode function: 2_2_01721FF12_2_01721FF1
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exeCode function: 2_2_017167E22_2_017167E2
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exeCode function: 2_2_0172DFCE2_2_0172DFCE
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exeCode function: 2_2_016596602_2_01659660
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exeCode function: 2_2_016DAE602_2_016DAE60
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exeCode function: 2_2_01676E302_2_01676E30
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exeCode function: 2_2_0171D6162_2_0171D616
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exeCode function: 2_2_016756002_2_01675600
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exeCode function: 2_2_01722EF72_2_01722EF7
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exeCode function: 2_2_016806C02_2_016806C0
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exeCode function: 2_2_01701EB62_2_01701EB6
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: String function: 016AD08C appears 48 times
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: String function: 016E5720 appears 85 times
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: String function: 0165B150 appears 177 times
          Source: http___192.3.141.164_mal_win32.exe  Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp  Binary or memory string: OriginalFilenameDSASignature.dll@ vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000000.643959783.00000000001BE000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameStoreApplicationReference.exe< vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651503963.00000000008FB000.00000004.00000020.sdmp  Binary or memory string: OriginalFilenameclr.dllT vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe, 00000002.00000002.651934783.0000000000C7E000.00000002.00020000.sdmp  Binary or memory string: OriginalFilenameStoreApplicationReference.exe< vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe, 00000002.00000002.652453473.00000000018DF000.00000040.00000001.sdmp  Binary or memory string: OriginalFilenamentdll.dllj% vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe  Binary or memory string: OriginalFilenameStoreApplicationReference.exe< vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe  Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE  Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: http___192.3.141.164_mal_win32.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: http___192.3.141.164_mal_win32.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs  Cryptographic APIs: 'CreateDecryptor'
          Source: classification engine  Classification label: mal100.troj.evad.winEXE@3/1@0/1
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\http___192.3.141.164_mal_win32.exe.log
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Mutant created: \Sessions\1\BaseNamedObjects\GKapfmVVaikxxFVRiaOpWaNVOHp
          Source: http___192.3.141.164_mal_win32.exe  Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp  Binary or memory string: Select * from Clientes WHERE id=@id;;
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp  Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp  Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp  Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp  Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp  Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp  Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp  Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp  Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: http___192.3.141.164_mal_win32.exe  Virustotal: Detection: 47%
          Source: http___192.3.141.164_mal_win32.exe  ReversingLabs: Detection: 28%
          Source: unknown  Process created: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe 'C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe'
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Process created: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Process created: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: http___192.3.141.164_mal_win32.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: http___192.3.141.164_mal_win32.exe  Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: http___192.3.141.164_mal_win32.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: StoreApplicationReference.pdb source: http___192.3.141.164_mal_win32.exe
          Source: Binary string: wntdll.pdbUGP source: http___192.3.141.164_mal_win32.exe, 00000002.00000002.652122895.0000000001630000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: http___192.3.141.164_mal_win32.exe

          Data Obfuscation:

          .NET source code contains method to dynamically call methods (often used by packers)
          Source: http___192.3.141.164_mal_win32.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs  .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 0_2_00A9EBE8 pushad ; ret 0_2_00A9EBE9
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 0_2_045703E8 push edx; ret 0_2_045703E9
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 0_2_04A72404 push E802005Eh; ret 0_2_04A72409
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 0_2_04A72991 pushad ; ret 0_2_04A729A3
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 2_2_00417849 push cs; retf 2_2_0041786A
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 2_2_0040795D push ebx; ret 2_2_00407984
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 2_2_0041E24D push dword ptr [2E33947Ah]; ret 2_2_0041E24B
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 2_2_00416500 push 00000038h; ret 2_2_00416503
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 2_2_0041CEB5 push eax; ret 2_2_0041CF08
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 2_2_0041CF6C push eax; ret 2_2_0041CF72
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 2_2_0041CF02 push eax; ret 2_2_0041CF08
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 2_2_0041CF0B push eax; ret 2_2_0041CF72
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 2_2_0041DFD6 push dword ptr [2E33947Ah]; ret 2_2_0041E24B
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 2_2_0041DFE0 push dword ptr [2E33947Ah]; ret 2_2_0041E24B
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Code function: 2_2_016AD0D1 push ecx; ret 2_2_016AD0E4
          Source: initial sampleStatic PE information: section name: .text entropy: 7.84856370561
          Source: http___192.3.141.164_mal_win32.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs  High entropy of concatenated method names: '.cctor', 'gZbDAg', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe  Process information set: NOOPENFILEERRORBOX