

Windows Analysis Report 6KdTCZit4e.exe

Overview

General Information

Sample Name: 6KdTCZit4e.exe
Analysis ID: 452425
MD5: ed43ff447cd5486610731a627a930607
SHA1: 91449c85fb2fa5d27f8db3c8c08cdfb9d3287162
SHA256: 91cdb947644a5a802adac7583a79e7e560da38839489a02e7464730ff66fd004
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 6KdTCZit4e.exe (PID: 6568 cmdline: 'C:\Users\user\Desktop\6KdTCZit4e.exe' MD5: ED43FF447CD5486610731A627A930607)
    • 6KdTCZit4e.exe (PID: 6128 cmdline: C:\Users\user\Desktop\6KdTCZit4e.exe MD5: ED43FF447CD5486610731A627A930607)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 6708 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 4972 cmdline: /c del 'C:\Users\user\Desktop\6KdTCZit4e.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
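Added example, not tooling from the Joe Sandbox report: a Python detection pass over process-creation events shaped like the tree above. It flags the three edges that matter in that tree: the sample re-launching its own image (the suspended self-spawn that precedes hollowing), explorer.exe launching a console utility such as NETSTAT.EXE with no arguments, and a cmd.exe "/c del" aimed at a binary that was itself observed executing. In endpoint telemetry explorer.exe is not a child of the sample (the report draws it there because of injection), so none of the checks depend on that edge. The events are constructed for the example with pids and paths copied from the tree; the parent pids of the sample and explorer.exe, the two benign netstat rows at the end, and the watch-list entries beyond netstat.exe are assumptions.

```python
import ntpath
import re

# Constructed process-creation events. Pids, images and command lines of the
# first six rows are taken from the report's process tree; ppids 1000/900 and
# the last two (benign, user-launched netstat) rows are assumptions.
EVENTS = [
    {"pid": 6568, "ppid": 1000, "image": r"C:\Users\user\Desktop\6KdTCZit4e.exe",
     "cmdline": r"'C:\Users\user\Desktop\6KdTCZit4e.exe'"},
    {"pid": 6128, "ppid": 6568, "image": r"C:\Users\user\Desktop\6KdTCZit4e.exe",
     "cmdline": r"C:\Users\user\Desktop\6KdTCZit4e.exe"},
    {"pid": 3424, "ppid": 900, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 6708, "ppid": 3424, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "cmdline": r"C:\Windows\SysWOW64\NETSTAT.EXE"},
    {"pid": 4972, "ppid": 6708, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\6KdTCZit4e.exe'"},
    {"pid": 6820, "ppid": 4972, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\NETSTAT.EXE",
     "cmdline": "netstat -ano"},
]

# Console utilities that are suspicious as direct, argument-less children of
# explorer.exe. netstat.exe is what the report shows; the others are an
# assumed watch-list for this example.
EXPLORER_CHILD_WATCHLIST = {"netstat.exe", "nslookup.exe", "ipconfig.exe"}

# "del <path>" with optional single/double quotes around the path.
DEL_RE = re.compile(r"\bdel\b\s+['\"]?([^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def basename(image):
    return ntpath.basename(image).lower()


def ancestry(pid, by_pid):
    """Basenames from pid up to the root, for reporting context."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(events):
    """Return [(pid, tag), ...] for every event matching one of the checks."""
    by_pid = {e["pid"]: e for e in events}
    executed_images = {e["image"].lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = basename(e["image"])
        # 1. same image as the parent: the self-spawn seen before hollowing
        if parent and parent["image"].lower() == e["image"].lower():
            findings.append((e["pid"], "self-spawn"))
        # 2. explorer.exe launching a console utility with no arguments
        if (parent and basename(parent["image"]) == "explorer.exe"
                and name in EXPLORER_CHILD_WATCHLIST
                and e["cmdline"].strip().lower() == e["image"].lower()):
            findings.append((e["pid"], "explorer-spawns-utility"))
        # 3. cmd.exe deleting a binary that was itself seen running
        if name == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            if m and m.group(1).lower() in executed_images:
                findings.append((e["pid"], "cmd-deletes-executed-binary"))
    return findings


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS}
    for pid, tag in analyze(EVENTS):
        print(pid, tag, " <- ".join(ancestry(pid, by_pid)))
```

The third check is what turns "cmd.exe /c del" from noise into a signal: the deleted path is compared against every image seen executing in the same event stream, so a sample that deletes itself through a chain of other processes is still caught even though cmd.exe's own ancestry does not lead back to it.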

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hometowncashbuyersgroup.com/kkt/"], "decoy": ["inspirafutebol.com", "customgiftshouston.com", "mycreativelending.com", "psplaystore.com", "newlivingsolutionshop.com", "dechefamsterdam.com", "servicingl0ans.com", "atsdholdings.com", "manifestarz.com", "sequenceanalytica.com", "gethealthcaresmart.com", "theartofsurprises.com", "pirateequitypatrick.com", "alliance-ce.com", "wingrushusa.com", "funtimespheres.com", "solevux.com", "antimasathya.com", "profitexcavator.com", "lankeboxshop.com", "aarthiramamurthy.com", "oldmopaiv.xyz", "mavispaguzellik.com", "milkamax.com", "sputnikvasisi.com", "gametoyou.com", "sisconbol.com", "thedreamcertificate.com", "vichy-menuiserie.com", "pv-step.com", "growingmindstrilingual.com", "tlcrentny.com", "jedshomebuilders.com", "curtailit.com", "integruschamber.com", "lanzamientosbimbocolombia.com", "tightlinesfishingco.com", "doubleuphome.com", "arctic.solar", "unstopabbledomains.com", "aggiornamento-isp.info", "clarkandhurnlaw.com", "barefootbirthstl.com", "seanfeuct.com", "measureformeasurehome.com", "stephsavy.com", "loveflowersandevents.com", "czsis.com", "midnightblueinc.com", "today.dental", "customwithme.com", "edisetiyo.com", "jasoneganrealtor.com", "rihxertiza.com", "seahorseblast.net", "nedayerasa.com", "cliftonheightshoa.net", "theprofilemba.com", "cfwoods.com", "dogggo.com", "casatranquillainletbeach.com", "u1023.com", "aromakapseln.com", "zhwanjie.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
    00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      (10 further memory dump entries not shown)

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      7.2.6KdTCZit4e.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        7.2.6KdTCZit4e.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        7.2.6KdTCZit4e.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
        7.2.6KdTCZit4e.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          7.2.6KdTCZit4e.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          (1 further unpacked PE entry not shown)
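Added example, not part of the report: a small Python scanner that takes the yara-signator and JPCERT/CC byte sequences listed above, locates every occurrence in a memory image the way the match lists above do, and decodes what two kinds of them are. $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) is add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, i.e. the timing delta behind the "RDTSC time measurements" signature; the $sqlite3* strings are push imm32 instructions whose immediates the JPCERT/CC rule associates with sqlite3_step/_text/_blob, so the scanner prints the 32-bit constants. The buffer is constructed here with the sequences planted at offsets chosen for the example; the real offsets are the ones in the match lists.

```python
import struct

# Byte patterns copied from the yara-signator and JPCERT/CC matches above.
SEQUENCES = {
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}

RDTSC = bytes.fromhex("0f31")   # opcode of rdtsc


def parse_pattern(pattern):
    """'03 C8 0F 31' -> b'\\x03\\xc8\\x0f\\x31'."""
    return bytes.fromhex(pattern.replace(" ", ""))


def find_all(buf, needle):
    """Every offset of needle in buf (overlaps included), like a YARA
    string match list."""
    hits, start = [], 0
    while True:
        i = buf.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan(buf, sequences=SEQUENCES):
    """Map pattern name -> list of offsets at which it occurs in buf."""
    return {name: find_all(buf, parse_pattern(p)) for name, p in sequences.items()}


def push_imm32(pattern):
    """Decode a 5-byte 'push imm32' (opcode 0x68) to its little-endian
    immediate, e.g. the constants the $sqlite3* strings push."""
    b = parse_pattern(pattern)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a 5-byte push imm32")
    return struct.unpack("<I", b[1:])[0]


def uses_rdtsc(pattern):
    """True if the sequence contains the rdtsc opcode (0F 31)."""
    return RDTSC in parse_pattern(pattern)


def build_constructed_dump():
    """Constructed 'memory dump': NOP filler with some of the sequences
    planted at offsets chosen for the example (not the report's offsets)."""
    buf = bytearray(b"\x90" * 0x200)
    layout = [(0x40, "sequence_0"), (0x80, "sequence_0"),
              (0x100, "sqlite3step"), (0x120, "sqlite3text"), (0x140, "sqlite3blob")]
    for off, name in layout:
        seq = parse_pattern(SEQUENCES[name])
        buf[off:off + len(seq)] = seq
    return bytes(buf)


if __name__ == "__main__":
    dump = build_constructed_dump()
    for name, offsets in scan(dump).items():
        print(name, [hex(o) for o in offsets])
    for name in ("sqlite3step", "sqlite3text", "sqlite3blob"):
        print(name, "push 0x%08X" % push_imm32(SEQUENCES[name]))
    print("sequence_0 uses rdtsc:", uses_rdtsc(SEQUENCES["sequence_0"]))
```

Run it against a real dump by replacing build_constructed_dump() with the bytes of the .sdmp file; the offsets it reports are directly comparable with the ones in the match lists above, and the decoded push constants are what to search for when the surrounding code is re-obfuscated.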

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.hometowncashbuyersgroup.com/kkt/"], "decoy": ["inspirafutebol.com", "customgiftshouston.com", "mycreativelending.com", "psplaystore.com", "newlivingsolutionshop.com", "dechefamsterdam.com", "servicingl0ans.com", "atsdholdings.com", "manifestarz.com", "sequenceanalytica.com", "gethealthcaresmart.com", "theartofsurprises.com", "pirateequitypatrick.com", "alliance-ce.com", "wingrushusa.com", "funtimespheres.com", "solevux.com", "antimasathya.com", "profitexcavator.com", "lankeboxshop.com", "aarthiramamurthy.com", "oldmopaiv.xyz", "mavispaguzellik.com", "milkamax.com", "sputnikvasisi.com", "gametoyou.com", "sisconbol.com", "thedreamcertificate.com", "vichy-menuiserie.com", "pv-step.com", "growingmindstrilingual.com", "tlcrentny.com", "jedshomebuilders.com", "curtailit.com", "integruschamber.com", "lanzamientosbimbocolombia.com", "tightlinesfishingco.com", "doubleuphome.com", "arctic.solar", "unstopabbledomains.com", "aggiornamento-isp.info", "clarkandhurnlaw.com", "barefootbirthstl.com", "seanfeuct.com", "measureformeasurehome.com", "stephsavy.com", "loveflowersandevents.com", "czsis.com", "midnightblueinc.com", "today.dental", "customwithme.com", "edisetiyo.com", "jasoneganrealtor.com", "rihxertiza.com", "seahorseblast.net", "nedayerasa.com", "cliftonheightshoa.net", "theprofilemba.com", "cfwoods.com", "dogggo.com", "casatranquillainletbeach.com", "u1023.com", "aromakapseln.com", "zhwanjie.com"]}
Multi AV Scanner detection for submitted file
Source: 6KdTCZit4e.exe | Virustotal: Detection: 38%
Source: 6KdTCZit4e.exe | ReversingLabs: Detection: 19%
Yara detected FormBook
Source: Yara match | File source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: 7.2.6KdTCZit4e.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6KdTCZit4e.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6KdTCZit4e.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL | source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: netstat.pdb | source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.925610066.0000000002D00000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE
Source: Binary string: wscui.pdb | source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 4x nop then pop esi | 7_2_004172E0
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 4x nop then pop ebx | 7_2_00407B06
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 4x nop then pop edi | 7_2_00416C87
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop esi | 13_2_028A72E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop ebx | 13_2_02897B06
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi | 13_2_028A6C87

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.hometowncashbuyersgroup.com/kkt/
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /kkt/?ibQh=6llLiJzHhP5P5Lj&I48l2h=L0B8w9HUZaOZ7jw4+npXJ0F94zqPsX3Vt6n0qHR8lA3J0yAUFnvUFF5QUXy5W701wjCn HTTP/1.1 | Host: www.thedreamcertificate.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kkt/?I48l2h=JgCZg0ECNQCGdZh+l8D79i0V4/Xiha033Hwln1gAEXgZOLyx1jBrHFXC3spPC1oi0umv&ibQh=6llLiJzHhP5P5Lj HTTP/1.1 | Host: www.seahorseblast.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kkt/?ibQh=6llLiJzHhP5P5Lj&I48l2h=L0B8w9HUZaOZ7jw4+npXJ0F94zqPsX3Vt6n0qHR8lA3J0yAUFnvUFF5QUXy5W701wjCn HTTP/1.1 | Host: www.thedreamcertificate.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kkt/?I48l2h=JgCZg0ECNQCGdZh+l8D79i0V4/Xiha033Hwln1gAEXgZOLyx1jBrHFXC3spPC1oi0umv&ibQh=6llLiJzHhP5P5Lj HTTP/1.1 | Host: www.seahorseblast.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.thedreamcertificate.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 22 Jul 2021 08:35:02 GMT | Server: Apache | X-XSS-Protection: 1; mode=block | X-Frame-Options: SAMEORIGIN | X-Content-Type-Options: nosniff | Content-Length: 202 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6b 6b 74 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /kkt/ was not found on this server.</p></body></html>
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000008.00000000.767736283.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 6KdTCZit4e.exe | String found in binary or memory: http://www.xboxleaders.com/api/friends.json?gamertag=
Source: 6KdTCZit4e.exe | String found in binary or memory: http://www.xboxleaders.com/api/profile.json?gamertag=
Source: explorer.exe, 00000008.00000000.750185799.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
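Added example, not tooling from the report: a Python pass over a constructed proxy log that applies the extracted configuration from the Malware Configuration section. Both captured GETs above went to hosts from the decoy list (www.thedreamcertificate.com, www.seahorseblast.net) rather than to the configured C2 host, but with the configured path /kkt/ and no User-Agent, so the check keys on the path and the missing User-Agent and treats the C2 host and the decoy list as additional indicators. It also pivots on the query parameter ibQh=6llLiJzHhP5P5Lj, which is identical in both captured requests despite the different hosts. The log format, the trimmed decoy list, the third and the two benign rows are constructed for the example.

```python
from urllib.parse import urlsplit

# Configuration as extracted above; the decoy list is trimmed to the entries
# this example needs (the full list is in the Malware Configuration section).
CONFIG = {
    "C2 list": ["www.hometowncashbuyersgroup.com/kkt/"],
    "decoy": ["thedreamcertificate.com", "seahorseblast.net", "inspirafutebol.com"],
}

# Constructed proxy log: "<host> <method> <request-target> <user-agent>",
# with "-" for a missing User-Agent. The first two rows reproduce the
# captured requests above; the rest are made up for the example.
LOG = """\
www.thedreamcertificate.com GET /kkt/?ibQh=6llLiJzHhP5P5Lj&I48l2h=L0B8w9HUZaOZ7jw4+npXJ0F94zqPsX3Vt6n0qHR8lA3J0yAUFnvUFF5QUXy5W701wjCn -
www.seahorseblast.net GET /kkt/?I48l2h=JgCZg0ECNQCGdZh+l8D79i0V4/Xiha033Hwln1gAEXgZOLyx1jBrHFXC3spPC1oi0umv&ibQh=6llLiJzHhP5P5Lj -
www.hometowncashbuyersgroup.com GET /kkt/?ibQh=zzz&I48l2h=yyy -
www.example.com GET /index.html Mozilla/5.0
www.example.com GET /kkt/logo.png Mozilla/5.0
"""


def config_c2_paths(config):
    """'/kkt/' from 'www.hometowncashbuyersgroup.com/kkt/'."""
    return {"/" + entry.partition("/")[2] for entry in config["C2 list"]}


def config_c2_hosts(config):
    return {entry.partition("/")[0].lower() for entry in config["C2 list"]}


def host_in(host, domains):
    """Exact or subdomain match (www.seahorseblast.net matches seahorseblast.net)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def parse_line(line):
    host, method, target, ua = line.split(" ", 3)
    parts = urlsplit(target)
    # Keep raw parameter values (no '+' decoding) so they can be pivoted on.
    params = dict(p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    return {"host": host, "method": method, "path": parts.path,
            "params": params, "ua": ua}


def classify(req, config):
    """Reasons a request matches the configuration; empty list if clean."""
    reasons = []
    if req["path"] in config_c2_paths(config):
        reasons.append("c2-path")
    if host_in(req["host"], config_c2_hosts(config)):
        reasons.append("c2-host")
    if host_in(req["host"], config["decoy"]):
        reasons.append("decoy-host")
    if reasons and req["ua"] == "-":
        reasons.append("no-user-agent")
    return reasons


def scan_log(log, config):
    """[(host, [reasons]), ...] for every flagged request."""
    out = []
    for line in log.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        reasons = classify(req, config)
        if reasons:
            out.append((req["host"], reasons))
    return out


def shared_param_values(log, min_hosts=2):
    """(name, value) pairs seen across several hosts: the same value sent to
    decoy and real C2 hosts ties the beacons to one implant."""
    seen = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        for kv in req["params"].items():
            seen.setdefault(kv, set()).add(req["host"])
    return {kv: hosts for kv, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for host, reasons in scan_log(LOG, CONFIG):
        print(host, reasons)
    for (name, value), hosts in shared_param_values(LOG).items():
        print("shared", name, value, sorted(hosts))
```

Matching on the path rather than the host is what makes the check survive decoy traffic: the 404 from /kkt/ above shows that decoy hosts do not even need to serve the path for the beacon to go out, so a host-list alone would have missed both captured requests.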

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419D60 NtCreateFile,7_2_00419D60
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419E10 NtReadFile,7_2_00419E10
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419E90 NtClose,7_2_00419E90
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419F40 NtAllocateVirtualMemory,7_2_00419F40
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419D5A NtCreateFile,7_2_00419D5A
          Source: C:\Users\user\Desktop\6KdTCZit4e.exeCode function: 7_2_00419E0A NtReadFile,7_2_00419E0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D696D0 NtCreateKey,LdrInitializeThunk,13_2_02D696D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D696E0 NtFreeVirtualMemory,LdrInitializeThunk,13_2_02D696E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69650 NtQueryValueKey,LdrInitializeThunk,13_2_02D69650
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69A50 NtCreateFile,LdrInitializeThunk,13_2_02D69A50
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69660 NtAllocateVirtualMemory,LdrInitializeThunk,13_2_02D69660
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69FE0 NtCreateMutant,LdrInitializeThunk,13_2_02D69FE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69780 NtMapViewOfSection,LdrInitializeThunk,13_2_02D69780
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69710 NtQueryInformationToken,LdrInitializeThunk,13_2_02D69710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69840 NtDelayExecution,LdrInitializeThunk,13_2_02D69840
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69860 NtQuerySystemInformation,LdrInitializeThunk,13_2_02D69860
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D695D0 NtClose,LdrInitializeThunk,13_2_02D695D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D699A0 NtCreateSection,LdrInitializeThunk,13_2_02D699A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69540 NtReadFile,LdrInitializeThunk,13_2_02D69540
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69910 NtAdjustPrivilegesToken,LdrInitializeThunk,13_2_02D69910
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69A80 NtOpenDirectoryObject,13_2_02D69A80
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69670 NtQueryInformationProcess,13_2_02D69670
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69610 NtEnumerateValueKey,13_2_02D69610
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69A10 NtQuerySection,13_2_02D69A10
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69A00 NtProtectVirtualMemory,13_2_02D69A00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69A20 NtResumeThread,13_2_02D69A20
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D6A3B0 NtGetContextThread,13_2_02D6A3B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D697A0 NtUnmapViewOfSection,13_2_02D697A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69770 NtSetInformationFile,13_2_02D69770
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D6A770 NtOpenThread,13_2_02D6A770
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69760 NtOpenProcess,13_2_02D69760
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D6A710 NtOpenProcessToken,13_2_02D6A710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69B00 NtSetValueKey,13_2_02D69B00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69730 NtQueryVirtualMemory,13_2_02D69730
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D698F0 NtReadVirtualMemory,13_2_02D698F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D698A0 NtWriteVirtualMemory,13_2_02D698A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D6B040 NtSuspendThread,13_2_02D6B040
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69820 NtEnumerateKey,13_2_02D69820
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D699D0 NtCreateProcessEx,13_2_02D699D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D695F0 NtQueryInformationFile,13_2_02D695F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69950 NtQueueApcThread,13_2_02D69950
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 13_2_02D69560 NtWriteFile,13_2_02D69560
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D6AD30 NtSetContextThread | 13_2_02D6AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D69520 NtWaitForSingleObject | 13_2_02D69520
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A9E90 NtClose | 13_2_028A9E90
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A9E10 NtReadFile | 13_2_028A9E10
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A9F40 NtAllocateVirtualMemory | 13_2_028A9F40
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A9D60 NtCreateFile | 13_2_028A9D60
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A9E0A NtReadFile | 13_2_028A9E0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A9D5A NtCreateFile | 13_2_028A9D5A
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041E000 | 7_2_0041E000
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_00401030 | 7_2_00401030
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041D1AB | 7_2_0041D1AB
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041E258 | 7_2_0041E258
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_00401208 | 7_2_00401208
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041DD7D | 7_2_0041DD7D
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_00402D87 | 7_2_00402D87
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_00402D90 | 7_2_00402D90
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_00409E40 | 7_2_00409E40
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_00409E3B | 7_2_00409E3B
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041DF3E | 7_2_0041DF3E
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_00402FB0 | 7_2_00402FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D46E30 | 13_2_02D46E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D5EBB0 | 13_2_02D5EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D3B090 | 13_2_02D3B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D3841F | 13_2_02D3841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DE1002 | 13_2_02DE1002
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D3D5E0 | 13_2_02D3D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF1D55 | 13_2_02DF1D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D2F900 | 13_2_02D2F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D20D20 | 13_2_02D20D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D44120 | 13_2_02D44120
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028AE258 | 13_2_028AE258
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028AE000 | 13_2_028AE000
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028AD1AB | 13_2_028AD1AB
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02899E3B | 13_2_02899E3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02899E40 | 13_2_02899E40
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02892FB0 | 13_2_02892FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02892D87 | 13_2_02892D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02892D90 | 13_2_02892D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 02D2B150 appears 32 times
Source: 6KdTCZit4e.exe, 00000000.00000000.656062623.000000000080A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTimeSpanStyl.exe2 vs 6KdTCZit4e.exe
Source: 6KdTCZit4e.exe, 00000007.00000002.793159947.00000000008CA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTimeSpanStyl.exe2 vs 6KdTCZit4e.exe
Source: 6KdTCZit4e.exe, 00000007.00000002.796525668.00000000014FF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 6KdTCZit4e.exe
Source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs 6KdTCZit4e.exe
Source: 6KdTCZit4e.exe | Binary or memory string: OriginalFilenameTimeSpanStyl.exe2 vs 6KdTCZit4e.exe
Source: 6KdTCZit4e.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.6KdTCZit4e.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.6KdTCZit4e.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.924030938.00000000002A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.792849864.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.796818614.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.924732457.0000000002890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.796897067.00000000015B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@2/2
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6KdTCZit4e.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_01
Source: 6KdTCZit4e.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 6KdTCZit4e.exe | Virustotal: Detection: 38%
Source: 6KdTCZit4e.exe | ReversingLabs: Detection: 19%
Source: unknown | Process created: C:\Users\user\Desktop\6KdTCZit4e.exe 'C:\Users\user\Desktop\6KdTCZit4e.exe'
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Process created: C:\Users\user\Desktop\6KdTCZit4e.exe C:\Users\user\Desktop\6KdTCZit4e.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\6KdTCZit4e.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 6KdTCZit4e.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 6KdTCZit4e.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 6KdTCZit4e.exe | Static file information: File size 1148416 > 1048576
Source: 6KdTCZit4e.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x116a00
Source: 6KdTCZit4e.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: 6KdTCZit4e.exe, 00000007.00000002.797353151.0000000001720000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000D.00000002.925610066.0000000002D00000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 6KdTCZit4e.exe, 00000007.00000002.795763283.000000000136F000.00000040.00000001.sdmp, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.741672578.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041721D push es; ret | 7_2_00417232
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_004175DF push ds; iretd | 7_2_004175F2
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_004175A0 push ds; iretd | 7_2_004175F2
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041B68C pushad ; iretd | 7_2_0041B68D
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041CEB5 push eax; ret | 7_2_0041CF08
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041CF6C push eax; ret | 7_2_0041CF72
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041CF02 push eax; ret | 7_2_0041CF08
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0041CF0B push eax; ret | 7_2_0041CF72
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D7D0D1 push ecx; ret | 13_2_02D7D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A721D push es; ret | 13_2_028A7232
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028AB68C pushad ; iretd | 13_2_028AB68D
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028ACEB5 push eax; ret | 13_2_028ACF08
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028ACF0B push eax; ret | 13_2_028ACF72
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028ACF02 push eax; ret | 13_2_028ACF08
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028ACF6C push eax; ret | 13_2_028ACF72
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A75A0 push ds; iretd | 13_2_028A75F2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_028A75DF push ds; iretd | 13_2_028A75F2
Source: initial sample | Static PE information: section name: .text entropy: 7.05866733506

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE9
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 6KdTCZit4e.exe | Binary or memory string: WIRESHARK|WIRESHARK.EXE
Source: 6KdTCZit4e.exe | Binary or memory string: SKYPE|SKYPE.EXE'FIREFOX|FIREFOX.EXE+BOOTCAMP|BOOTCAMP.EXE/WIRESHARK|WIRESHARK.EXEAPROCESS HACKER|PROCESSHACKER.EXELOAD
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 00000000028998E4 second address: 00000000028998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 0000000002899B5E second address: 0000000002899B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_00409A90 rdtsc | 7_2_00409A90
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\6KdTCZit4e.exe TID: 6572 | Thread sleep time: -54990s >= -30000s
Source: C:\Users\user\Desktop\6KdTCZit4e.exe TID: 6620 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6176 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6680 | Thread sleep time: -35000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Thread delayed: delay time: 54990
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Thread delayed: delay time: 922337203685477
Source: 6KdTCZit4e.exe | Binary or memory string: vmCIYd
Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000008.00000000.748027302.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.778347337.0000000004710000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&f
Source: explorer.exe, 00000008.00000000.742728647.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 6KdTCZit4e.exe | Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
Source: explorer.exe, 00000008.00000000.748027302.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.748412391.000000000A716000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000008.00000000.778347337.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000008.00000000.748412391.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000008.00000000.748506664.000000000A77F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000008.00000000.741348182.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_00409A90 rdtsc | 7_2_00409A90
Source: C:\Users\user\Desktop\6KdTCZit4e.exe | Code function: 7_2_0040ACD0 LdrLoadDll | 7_2_0040ACD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF8ED6 mov eax, dword ptr fs:[00000030h] | 13_2_02DF8ED6
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D68EC7 mov eax, dword ptr fs:[00000030h] | 13_2_02D68EC7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D536CC mov eax, dword ptr fs:[00000030h] | 13_2_02D536CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DDFEC0 mov eax, dword ptr fs:[00000030h] | 13_2_02DDFEC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D376E2 mov eax, dword ptr fs:[00000030h] | 13_2_02D376E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D516E0 mov ecx, dword ptr fs:[00000030h] | 13_2_02D516E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D5D294 mov eax, dword ptr fs:[00000030h] | 13_2_02D5D294
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DBFE87 mov eax, dword ptr fs:[00000030h] | 13_2_02DBFE87
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D3AAB0 mov eax, dword ptr fs:[00000030h] | 13_2_02D3AAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D5FAB0 mov eax, dword ptr fs:[00000030h] | 13_2_02D5FAB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D252A5 mov eax, dword ptr fs:[00000030h] | 13_2_02D252A5
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DF0EA5 mov eax, dword ptr fs:[00000030h] | 13_2_02DF0EA5
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DA46A7 mov eax, dword ptr fs:[00000030h] | 13_2_02DA46A7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02DB4257 mov eax, dword ptr fs:[00000030h] | 13_2_02DB4257
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D29240 mov eax, dword ptr fs:[00000030h] | 13_2_02D29240
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 13_2_02D37E41 mov eax, dword ptr fs:[00000030h] | 13_2_02D37E41
          Source: C:\Windows\SysWOW64\NETSTAT.EXE