
Analysis Report XhU4EXUp0x.exe

Overview

General Information

Sample Name: XhU4EXUp0x.exe
Analysis ID: 433531
MD5: 49c83eceb8a816b959a778e5f2e78801
SHA1: ead9055c813de47edfec5bc46a0d896df4b4af2e
SHA256: 2f4d0e2ce90ab2c35dcba4c85e38346eae6ac2cef0f939ccdd21cade4d6343ca
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • XhU4EXUp0x.exe (PID: 6968 cmdline: 'C:\Users\user\Desktop\XhU4EXUp0x.exe' MD5: 49C83ECEB8A816B959A778E5F2E78801)
    • XhU4EXUp0x.exe (PID: 6076 cmdline: C:\Users\user\Desktop\XhU4EXUp0x.exe MD5: 49C83ECEB8A816B959A778E5F2E78801)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 6340 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 3416 cmdline: /c del 'C:\Users\user\Desktop\XhU4EXUp0x.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.XhU4EXUp0x.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.XhU4EXUp0x.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.XhU4EXUp0x.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
3.0.XhU4EXUp0x.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.XhU4EXUp0x.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}
Multi AV Scanner detection for submitted file
Source: XhU4EXUp0x.exe, Virustotal: Detection: 21%
Source: XhU4EXUp0x.exe, ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match, File source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: XhU4EXUp0x.exe, Joe Sandbox ML: detected
Source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: XhU4EXUp0x.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: XhU4EXUp0x.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.669343721.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\YfQkSBryuS\src\obj\Debug\ProfileOptimization.pdb source: XhU4EXUp0x.exe
Source: Binary string: wntdll.pdbUGP source: XhU4EXUp0x.exe, 00000003.00000002.707641443.0000000001930000.00000040.00000001.sdmp, raserver.exe, 0000000C.00000002.912987032.0000000004BFF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: XhU4EXUp0x.exe, raserver.exe
Source: Binary string: RAServer.pdb source: XhU4EXUp0x.exe, 00000003.00000002.707590458.000000000169A000.00000004.00000020.sdmp
Source: Binary string: RAServer.pdbGCTL source: XhU4EXUp0x.exe, 00000003.00000002.707590458.000000000169A000.00000004.00000020.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.669343721.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_0B4EB2F0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_0B4EBD68
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_0B4EB2E1
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 4x nop then pop edi, 3_2_0040E442
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi, 12_2_00A9E442

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.yellow-wink.com/nff/
Source: global traffic, HTTP traffic detected: GET /nff/?2dWD=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8IkF2PxixF5c&7nSX=f2MHEhOHwH HTTP/1.1 | Host: www.gentrypartyof8.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /nff/?2dWD=rcekcafpraO0sj/oaoDcLlLwOdzHntpmaKyMQqwrcrTR8fOv+tmqTlrKj/r2WTcjy7/L&7nSX=f2MHEhOHwH HTTP/1.1 | Host: www.rsyueda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 66.235.200.146
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-SEA-10US
Source: unknown, DNS traffic detected: queries for: www.gentrypartyof8.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: XhU4EXUp0x.exe, 00000000.00000002.653505336.00000000026B1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.660621066.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.681251721.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: XhU4EXUp0x.exe, 00000000.00000002.653535453.00000000026EF000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: XhU4EXUp0x.exe, 00000000.00000002.653237651.00000000009F0000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook (same Yara match sources as listed under AV Detection)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.654291332.00000000036B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.707426607.0000000001600000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.XhU4EXUp0x.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.XhU4EXUp0x.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.XhU4EXUp0x.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.XhU4EXUp0x.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419D50 NtCreateFile, 3_2_00419D50
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419E00 NtReadFile, 3_2_00419E00
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419E80 NtClose, 3_2_00419E80
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419F30 NtAllocateVirtualMemory, 3_2_00419F30
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419DA9 NtReadFile, 3_2_00419DA9
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419E7A NtClose, 3_2_00419E7A
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_00419F2D NtAllocateVirtualMemory, 3_2_00419F2D
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019999A0 NtCreateSection, LdrInitializeThunk, 3_2_019999A0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999910 NtAdjustPrivilegesToken, LdrInitializeThunk, 3_2_01999910
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019998F0 NtReadVirtualMemory, LdrInitializeThunk, 3_2_019998F0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999840 NtDelayExecution, LdrInitializeThunk, 3_2_01999840
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999860 NtQuerySystemInformation, LdrInitializeThunk, 3_2_01999860
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999A00 NtProtectVirtualMemory, LdrInitializeThunk, 3_2_01999A00
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999A20 NtResumeThread, LdrInitializeThunk, 3_2_01999A20
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999A50 NtCreateFile, LdrInitializeThunk, 3_2_01999A50
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019995D0 NtClose, LdrInitializeThunk, 3_2_019995D0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999540 NtReadFile, LdrInitializeThunk, 3_2_01999540
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999780 NtMapViewOfSection, LdrInitializeThunk, 3_2_01999780
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019997A0 NtUnmapViewOfSection, LdrInitializeThunk, 3_2_019997A0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999710 NtQueryInformationToken, LdrInitializeThunk, 3_2_01999710
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019996E0 NtFreeVirtualMemory, LdrInitializeThunk, 3_2_019996E0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999660 NtAllocateVirtualMemory, LdrInitializeThunk, 3_2_01999660
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019999D0 NtCreateProcessEx, 3_2_019999D0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999950 NtQueueApcThread, 3_2_01999950
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019998A0 NtWriteVirtualMemory, 3_2_019998A0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999820 NtEnumerateKey, 3_2_01999820
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_0199B040 NtSuspendThread, 3_2_0199B040
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_0199A3B0 NtGetContextThread, 3_2_0199A3B0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999B00 NtSetValueKey, 3_2_01999B00
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999A80 NtOpenDirectoryObject, 3_2_01999A80
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999A10 NtQuerySection, 3_2_01999A10
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019995F0 NtQueryInformationFile, 3_2_019995F0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_0199AD30 NtSetContextThread, 3_2_0199AD30
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999520 NtWaitForSingleObject, 3_2_01999520
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999560 NtWriteFile, 3_2_01999560
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999FE0 NtCreateMutant, 3_2_01999FE0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_0199A710 NtOpenProcessToken, 3_2_0199A710
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999730 NtQueryVirtualMemory, 3_2_01999730
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_0199A770 NtOpenThread, 3_2_0199A770
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999770 NtSetInformationFile, 3_2_01999770
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999760 NtOpenProcess, 3_2_01999760
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_019996D0 NtCreateKey, 3_2_019996D0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999610 NtEnumerateValueKey, 3_2_01999610
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999650 NtQueryValueKey, 3_2_01999650
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe, Code function: 3_2_01999670 NtQueryInformationProcess, 3_2_01999670
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 12_2_04B495D0 NtClose, LdrInitializeThunk, 12_2_04B495D0
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 12_2_04B49540 NtReadFile, LdrInitializeThunk, 12_2_04B49540
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 12_2_04B496E0 NtFreeVirtualMemory, LdrInitializeThunk, 12_2_04B496E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B496D0 NtCreateKey,LdrInitializeThunk,12_2_04B496D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49660 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_04B49660
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49650 NtQueryValueKey,LdrInitializeThunk,12_2_04B49650
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49780 NtMapViewOfSection,LdrInitializeThunk,12_2_04B49780
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49FE0 NtCreateMutant,LdrInitializeThunk,12_2_04B49FE0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49710 NtQueryInformationToken,LdrInitializeThunk,12_2_04B49710
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49860 NtQuerySystemInformation,LdrInitializeThunk,12_2_04B49860
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49840 NtDelayExecution,LdrInitializeThunk,12_2_04B49840
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B499A0 NtCreateSection,LdrInitializeThunk,12_2_04B499A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49910 NtAdjustPrivilegesToken,LdrInitializeThunk,12_2_04B49910
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A50 NtCreateFile,LdrInitializeThunk,12_2_04B49A50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B495F0 NtQueryInformationFile,12_2_04B495F0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4AD30 NtSetContextThread,12_2_04B4AD30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49520 NtWaitForSingleObject,12_2_04B49520
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49560 NtWriteFile,12_2_04B49560
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49610 NtEnumerateValueKey,12_2_04B49610
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49670 NtQueryInformationProcess,12_2_04B49670
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B497A0 NtUnmapViewOfSection,12_2_04B497A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49730 NtQueryVirtualMemory,12_2_04B49730
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4A710 NtOpenProcessToken,12_2_04B4A710
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4A770 NtOpenThread,12_2_04B4A770
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49770 NtSetInformationFile,12_2_04B49770
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49760 NtOpenProcess,12_2_04B49760
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B498A0 NtWriteVirtualMemory,12_2_04B498A0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B498F0 NtReadVirtualMemory,12_2_04B498F0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49820 NtEnumerateKey,12_2_04B49820
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4B040 NtSuspendThread,12_2_04B4B040
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B499D0 NtCreateProcessEx,12_2_04B499D0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49950 NtQueueApcThread,12_2_04B49950
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A80 NtOpenDirectoryObject,12_2_04B49A80
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A20 NtResumeThread,12_2_04B49A20
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A10 NtQuerySection,12_2_04B49A10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49A00 NtProtectVirtualMemory,12_2_04B49A00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B4A3B0 NtGetContextThread,12_2_04B4A3B0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_04B49B00 NtSetValueKey,12_2_04B49B00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9D50 NtCreateFile,12_2_00AA9D50
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9E80 NtClose,12_2_00AA9E80
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9E00 NtReadFile,12_2_00AA9E00
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9F30 NtAllocateVirtualMemory,12_2_00AA9F30
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9DA9 NtReadFile,12_2_00AA9DA9
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9E7A NtClose,12_2_00AA9E7A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 12_2_00AA9F2D NtAllocateVirtualMemory,12_2_00AA9F2D
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B5FB20
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B5C2B0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B594B0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_00B5F73D
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E4E58
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E8E6A
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4EBD68
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E6578
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4EA52C
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E4588
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E4240
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E8890
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E88A0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E8E5E
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E8EEC
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E8C8C
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 0_2_0B4E8C98
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041D069
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_00401030
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041DA97
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041D5C9
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_00402D8D
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_00409E2B
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_00409E30
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0041DF79
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019799BF
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0195F900
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01974120
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0196B090
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A220A8
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_019820A0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A228EC
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A2E824
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A11002
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0197A830
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0198EBB0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0198ABD8
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A1DBD2
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A103DA
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A22B28
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0197A309
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0197AB40
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A222AE
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A0FA2B
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01982581
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0196D5E0
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A225DD
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A22D07
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01950D20
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A21D55
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_0196841F
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A1D466
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A21FF1
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A2DFCE
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A22EF7
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01976E30
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: 3_2_01A1D616
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BC4496
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B1841F
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BCD466
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B32581
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BC2D82
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B1D5E0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BD25DD
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B00D20
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BD2D07
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BD1D55
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BD2EF7
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B26E30
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BCD616
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BD1FF1
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BDDFCE
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B320A0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BD20A8
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B1B090
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BD28EC
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B2A830
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BDE824
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BC1002
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B299BF
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B24120
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B0F900
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BD22AE
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BC4AEF
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BBFA2B
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B3EBB0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BB23E3
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BC03DA
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B3ABD8
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BCDBD2
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04BD2B28
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B2A309
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_04B2AB40
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00AAD069
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00AADA97
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00A92D8D
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00A92D90
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00A99E2B
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00A99E30
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00A92FB0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 12_2_00AADF79
Source: C:\Users\user\Desktop\XhU4EXUp0x.exe | Code function: String function: 0195B150 appears 87 times
Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 04B0B150 appears 133 times
Source: XhU4EXUp0x.exe, 00000000.00000002.657834635.0000000005920000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe, 00000000.00000000.643332701.0000000000420000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameProfileOptimization.exe8 vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe, 00000000.00000002.653237651.00000000009F0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe, 00000003.00000002.707120497.0000000000F40000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameProfileOptimization.exe8 vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe, 00000003.00000002.707570278.0000000001689000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameraserver.exej% vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe, 00000003.00000002.708280098.0000000001BDF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe | Binary or memory string: OriginalFilenameProfileOptimization.exe8 vs XhU4EXUp0x.exe
Source: XhU4EXUp0x.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.707404802.00000000015D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.652221131.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.911907238.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.912137473.0000000000E80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.912162573.0000000000EB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.655856649.00000000037F7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.706990052.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacod