Analysis Report http___192.3.141.164_mal_win32.exe

Overview

General Information

Sample Name: http___192.3.141.164_mal_win32.exe
Analysis ID: 433488
MD5: b9032e2b7b07123f625f5d9e6e4f4796
SHA1: a06bcdf6aab7fb82dad340465035549cd853e047
SHA256: 120ff2a109c01e38da86b9ce61c33906f6ddcea90a2fdf7ea3a67b08a271029c
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.dragonpalcenk.com/k8n/"], "decoy": ["foxynailserie.com", "thenoyzees.com", "waterrising.xyz", "allmister.com", "theguyscave.com", "erkitap.com", "spyder-club.com", "raskrutisam.com", "giantledlights.com", "wowbeautynails.com", "youmovies.site", "abjms.com", "enso-solutions.com", "seasonalcampgroundsmn.com", "lukeprater.com", "mufasacapital.com", "idi360.com", "mask-cleaner.com", "aeruswilmde.com", "venkatlifecoach.com", "crochetandgabbana.com", "onlineshreecollection.com", "gwenythportillowightman.com", "nexuspropertycare.com", "progress.solutions", "parkerut.com", "achebones.com", "jiazhengfu.com", "chlamydiadeetz.com", "thiele-concept.com", "bayareataxattorney.com", "geopainterdecorators.com", "makemybuild.com", "headsleepinstrument.online", "finevinum.com", "alphaworkoutgear.com", "8765pk.com", "rikonchat.com", "gitchat.net", "showy1.net", "tellurideminer.com", "triliumbrewing.com", "fioriapartment.com", "salubrigems.com", "sctsmney.com", "betgobar1.com", "thomaspurcell.com", "araket.com", "parisfilmfestival.online", "treepik.com", "artemisnaturalhealing.com", "littlehouseofhoarders.com", "buyselllm.com", "levnakava.com", "mygolfbetter.com", "vinlancer.com", "beetalkmobile.press", "gocampultralightmattress.com", "direk99.net", "nivxros.com", "cbgdenver.com", "datarock.net", "docondemand.net", "smithvilletexashistory.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xc1268:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xc14e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xcd005:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xccaf1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xcd107:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xcd27f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xc1efa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xcbd6c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xc2bf3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xd2ca7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xd3caa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0xcfd89:$sqlite3step: 68 34 1C 7B E1
  • 0xcfe9c:$sqlite3step: 68 34 1C 7B E1
  • 0xcfdb8:$sqlite3text: 68 38 2A 90 C5
  • 0xcfedd:$sqlite3text: 68 38 2A 90 C5
  • 0xcfdcb:$sqlite3blob: 68 53 D8 7F 8C
  • 0xcfef3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x17e728:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x17e9a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x18a4c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x189fb1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x18a5c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x18a73f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x17f3ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x18922c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1800b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x190167:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19116a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: www.dragonpalcenk.com/k8n/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.dragonpalcenk.com/k8n/"], "decoy": ["foxynailserie.com", "thenoyzees.com", "waterrising.xyz", "allmister.com", "theguyscave.com", "erkitap.com", "spyder-club.com", "raskrutisam.com", "giantledlights.com", "wowbeautynails.com", "youmovies.site", "abjms.com", "enso-solutions.com", "seasonalcampgroundsmn.com", "lukeprater.com", "mufasacapital.com", "idi360.com", "mask-cleaner.com", "aeruswilmde.com", "venkatlifecoach.com", "crochetandgabbana.com", "onlineshreecollection.com", "gwenythportillowightman.com", "nexuspropertycare.com", "progress.solutions", "parkerut.com", "achebones.com", "jiazhengfu.com", "chlamydiadeetz.com", "thiele-concept.com", "bayareataxattorney.com", "geopainterdecorators.com", "makemybuild.com", "headsleepinstrument.online", "finevinum.com", "alphaworkoutgear.com", "8765pk.com", "rikonchat.com", "gitchat.net", "showy1.net", "tellurideminer.com", "triliumbrewing.com", "fioriapartment.com", "salubrigems.com", "sctsmney.com", "betgobar1.com", "thomaspurcell.com", "araket.com", "parisfilmfestival.online", "treepik.com", "artemisnaturalhealing.com", "littlehouseofhoarders.com", "buyselllm.com", "levnakava.com", "mygolfbetter.com", "vinlancer.com", "beetalkmobile.press", "gocampultralightmattress.com", "direk99.net", "nivxros.com", "cbgdenver.com", "datarock.net", "docondemand.net", "smithvilletexashistory.com"]}
Multi AV Scanner detection for domain / URL
Source: www.dragonpalcenk.com/k8n/ | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: http___192.3.141.164_mal_win32.exe | Virustotal: Detection: 47%
Source: http___192.3.141.164_mal_win32.exe | ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: http___192.3.141.164_mal_win32.exe | Joe Sandbox ML: detected
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: http___192.3.141.164_mal_win32.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: http___192.3.141.164_mal_win32.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: StoreApplicationReference.pdb | source: http___192.3.141.164_mal_win32.exe
Source: Binary string: wntdll.pdbUGP | source: http___192.3.141.164_mal_win32.exe, 00000002.00000002.652122895.0000000001630000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: http___192.3.141.164_mal_win32.exe
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.dragonpalcenk.com/k8n/
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651915151.0000000002531000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651503963.00000000008FB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419D60 NtCreateFile,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419E10 NtReadFile,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419E90 NtClose,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419D5B NtCreateFile,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419E0A NtReadFile,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00419F3A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699950 NtQueueApcThread,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699910 NtAdjustPrivilegesToken,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016999D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016999A0 NtCreateSection,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0169B040 NtSuspendThread,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699840 NtDelayExecution,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699820 NtEnumerateKey,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016998F0 NtReadVirtualMemory,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016998A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699B00 NtSetValueKey,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0169A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699A50 NtCreateFile,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699A20 NtResumeThread,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699A00 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699A10 NtQuerySection,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699560 NtWriteFile,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699540 NtReadFile,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0169AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016995F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016995D0 NtClose,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699760 NtOpenProcess,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0169A770 NtOpenThread,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699770 NtSetInformationFile,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699710 NtQueryInformationToken,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0169A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699FE0 NtCreateMutant,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016997A0 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699780 NtMapViewOfSection,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699650 NtQueryValueKey,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016996D0 NtCreateKey,
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_00A9B3F7
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_00A99B08
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_00A9C7A8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_00A9E880
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_00A9B034
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04571C90
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_045716A8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04570040
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04570006
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04570272
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_045702AF
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A5E2D0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A56139
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A56148
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A56387
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A56398
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A5DD20
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A79D30
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A79D1F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A79F9B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00401030
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041D0C7
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041D8EC
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041E24D
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00402D87
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041E5B3
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00409E40
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01674120
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0165F900
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0166C1C0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016799BF
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01672990
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0172E824
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167A830
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01656800
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01711002
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0168701D
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017160F5
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016588E0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017228EC
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016820A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017220A8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0166B090
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01673360
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016FCB4F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167AB40
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01722B28
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171231B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167A309
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016A8BE8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017023E3
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171DBD2
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017103DA
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0168ABD8
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0168EBB0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0168138B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016FEB8A
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167EB9A
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01715A4F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167B236
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0170FA2B
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01714AEF
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171E2C5
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017232A9
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017222AE
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01721D55
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01672D50
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01650D20
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01722D07
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0166D5E0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017225DD
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016865A0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01682581
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01712D82
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171CC77
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0167B477
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171D466
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01672430
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0166841F
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01684CD4
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01714496
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01721FF1
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_017167E2
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0172DFCE
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01659660
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016DAE60
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01676E30
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171D616
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01675600
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01722EF7
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016806C0
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01701EB6
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: String function: 016AD08C appears 48 times
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: String function: 016E5720 appears 85 times
Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: String function: 0165B150 appears 177 times
          Source: http___192.3.141.164_mal_win32.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000000.643959783.00000000001BE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStoreApplicationReference.exe< vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651503963.00000000008FB000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe, 00000002.00000002.651934783.0000000000C7E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStoreApplicationReference.exe< vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe, 00000002.00000002.652453473.00000000018DF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe | Binary or memory string: OriginalFilenameStoreApplicationReference.exe< vs http___192.3.141.164_mal_win32.exe
          Source: http___192.3.141.164_mal_win32.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.652273897.0000000003539000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.652401187.0000000003671000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.650151759.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.651750558.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.http___192.3.141.164_mal_win32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.http___192.3.141.164_mal_win32.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: http___192.3.141.164_mal_win32.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: http___192.3.141.164_mal_win32.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: http___192.3.141.164_mal_win32.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@0/1
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\http___192.3.141.164_mal_win32.exe.log
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Mutant created: \Sessions\1\BaseNamedObjects\GKapfmVVaikxxFVRiaOpWaNVOHp
          Source: http___192.3.141.164_mal_win32.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: http___192.3.141.164_mal_win32.exe | Virustotal: Detection: 47%
          Source: http___192.3.141.164_mal_win32.exe | ReversingLabs: Detection: 28%
          Source: unknown | Process created: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe 'C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe'
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Process created: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Process created: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: http___192.3.141.164_mal_win32.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: http___192.3.141.164_mal_win32.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: http___192.3.141.164_mal_win32.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: StoreApplicationReference.pdb source: http___192.3.141.164_mal_win32.exe
          Source: Binary string: wntdll.pdbUGP source: http___192.3.141.164_mal_win32.exe, 00000002.00000002.652122895.0000000001630000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: http___192.3.141.164_mal_win32.exe

          Data Obfuscation:

          .NET source code contains method to dynamically call methods (often used by packers)
          Source: http___192.3.141.164_mal_win32.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_00A9EBE8 pushad ; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_045703E8 push edx; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A72404 push E802005Eh; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 0_2_04A72991 pushad ; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00417849 push cs; retf
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0040795D push ebx; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041E24D push dword ptr [2E33947Ah]; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00416500 push 00000038h; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041DFD6 push dword ptr [2E33947Ah]; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0041DFE0 push dword ptr [2E33947Ah]; ret
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_016AD0D1 push ecx; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.84856370561
          Source: http___192.3.141.164_mal_win32.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs | High entropy of concatenated method names: '.cctor', 'gZbDAg', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: http___192.3.141.164_mal_win32.exe PID: 5924, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe TID: 6440 | Thread sleep time: -102947s >= -30000s
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe TID: 5852 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Thread delayed: delay time: 102947
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Thread delayed: delay time: 922337203685477
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: http___192.3.141.164_mal_win32.exe, 00000000.00000002.651977772.000000000256F000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01699860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0165C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0171E962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0165B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_0165B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01728966 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\http___192.3.141.164_mal_win32.exe | Code function: 2_2_01711