Windows Analysis Report 9thuIDnsFV

Overview

General Information

Sample Name:	9thuIDnsFV (renamed file extension from none to exe)
Analysis ID:	452499
MD5:	0e715db2198ff670f4bf0e88e0e9b547
SHA1:	2de5030a9261655e5879e4faba7b5e79d1dd483e
SHA256:	4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.containerflippers.com/np0c/"], "decoy": ["spartansurebets.com", "threelakestradingco.com", "metaspace.global", "zjenbao.com", "directlyincluded.press", "peterchadri.com", "learnhousebreaking.com", "wonobattle.online", "leadate.com", "shebafarmscali.com", "top4thejob.online", "awakeyourfaith.com", "bedford-st.com", "lolwhats.com", "cucurumbel.com", "lokalbazaar.com", "matter.pro", "eastcountyanimalrescue.com", "musesgirl.com", "noordinarydairy.com", "saigonstar2.com", "farmacias-aranda.com", "fjzzck.com", "createandelevate.solutions", "australiavapeoil.com", "imperfectlymassabella.com", "criminalmindeddesign.com", "silverstoneca.com", "scotlandpropertygroup.com", "3dvbuild.com", "privatebeautysuites.com", "driplockerstore.com", "rcdesigncompany.com", "2141cascaderdsw.com", "mybbblog.com", "bodyambrosia.com", "solitudeblog.com", "coworkingofficespaces.com", "9999cpa.com", "flipwo.com", "dynamicfitnesslife.store", "anandsharmah.com", "afyz-jf7y.net", "erikagrandstaff.com", "pumpfoil.com", "bodurm.com", "goldlifetime.com", "a1organ.com", "akomandr.com", "hsavvysupply.com", "dyvyn.com", "bizlikeabosslady.network", "livein.space", "helpafounderout.com", "orbmena.com", "mrrodgersrealty.com", "roxhomeswellington.com", "klimareporter.com", "1040fourthst405.com", "blackbuiltbusinesses.com", "solidswim.com", "lordetkinlik3.com", "gardencontainerbar.com", "viperporn.net"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe

ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Source: 9thuIDnsFV.exe	Virustotal: Detection: 38%			Perma Link
Source: 9thuIDnsFV.exe	ReversingLabs: Detection: 23%

Yara detected FormBook

Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file

Source: 10.2.9thuIDnsFV.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019CFDA0 BasepCopyEncryption,	10_2_019CFDA0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B7D72 BasepCopyEncryption,	10_2_019B7D72
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D8E00 BasepCopyEncryption,	10_2_019D8E00
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2E3E BasepCopyEncryption,	10_2_019D2E3E
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B2250 BasepCopyEncryption,	10_2_019B2250

Compliance:

Uses 32bit PE files

Source: 9thuIDnsFV.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 9thuIDnsFV.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.455604694.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: 9thuIDnsFV.exe, 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdb source: 9thuIDnsFV.exe, 0000000A.00000002.498749026.0000000001DB0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 9thuIDnsFV.exe, 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: 9thuIDnsFV.exe, 0000000A.00000002.498749026.0000000001DB0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.455604694.000000000DC20000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 4x nop then pop esi	10_2_004172CB
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 4x nop then pop ebx	10_2_00407AFA
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 4x nop then pop edi	10_2_00417D5B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop ebx	20_2_02F17AFB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop esi	20_2_02F272CB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi	20_2_02F27D5B

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 5.79.68.101:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 5.79.68.101:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 5.79.68.101:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.containerflippers.com/np0c/

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /np0c/?iN=5jalxB&a0DTBtU=a9fK2iRL7rM/iNgaQ8e4NUwl6BbikcR8OekOj0TYIdin2efeiFW0Z5kC5Xa/O1Kzq37GlajMhw== HTTP/1.1Host: www.driplockerstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LEASEWEB-NL-AMS-01NetherlandsNL LEASEWEB-NL-AMS-01NetherlandsNL

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.driplockerstore.com

Source: 9thuIDnsFV.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: 9thuIDnsFV.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 9thuIDnsFV.exe, 00000001.00000003.330013890.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: 9thuIDnsFV.exe, 00000001.00000003.329336409.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: 9thuIDnsFV.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 9thuIDnsFV.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: 9thuIDnsFV.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: 9thuIDnsFV.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: wlanext.exe, 00000014.00000002.599683459.0000000003D9F000.00000004.00000001.sdmp	String found in binary or memory: http://survey-smiles.com
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9thuIDnsFV.exe, 00000001.00000003.336235888.0000000006173000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.336179079.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: explorer.exe, 0000000E.00000000.465503164.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: 9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: 9thuIDnsFV.exe, 00000001.00000003.333788508.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comaF
Source: 9thuIDnsFV.exe, 00000001.00000003.334955370.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comal
Source: 9thuIDnsFV.exe, 00000001.00000003.334171892.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comams
Source: 9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comc
Source: 9thuIDnsFV.exe, 00000001.00000003.334310160.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comces
Source: 9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comcr
Source: 9thuIDnsFV.exe, 00000001.00000003.334264597.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.come
Source: 9thuIDnsFV.exe, 00000001.00000003.334171892.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comes
Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comexc
Source: 9thuIDnsFV.exe, 00000001.00000003.334215573.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comic
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comlt
Source: 9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.como.
Source: 9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comopsz
Source: 9thuIDnsFV.exe, 00000001.00000003.334955370.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comroa
Source: 9thuIDnsFV.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: 9thuIDnsFV.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 9thuIDnsFV.exe, 00000001.00000003.341157570.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers#
Source: 9thuIDnsFV.exe, 00000001.00000003.339414645.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers$
Source: 9thuIDnsFV.exe, 00000001.00000003.338972632.000000000616B000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.338849647.0000000006171000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 9thuIDnsFV.exe, 00000001.00000003.340799548.000000000618E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 9thuIDnsFV.exe, 00000001.00000003.339998468.000000000618E000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.339943360.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 9thuIDnsFV.exe, 00000001.00000003.339513065.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers5
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.338914369.0000000006171000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 9thuIDnsFV.exe, 00000001.00000003.339673222.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersa
Source: 9thuIDnsFV.exe, 00000001.00000003.339673222.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers5
Source: 9thuIDnsFV.exe, 00000001.00000003.338914369.0000000006171000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersp
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: 9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn6
Source: 9thuIDnsFV.exe, 00000001.00000003.332290487.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnMic
Source: 9thuIDnsFV.exe, 00000001.00000003.332056051.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnht
Source: 9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnld
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 9thuIDnsFV.exe, 00000001.00000003.342672431.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmm
Source: 9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.k)
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr-c(
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krtp
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9thuIDnsFV.exe	String found in binary or memory: http://www.opera.com0
Source: 9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comG
Source: 9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comM
Source: 9thuIDnsFV.exe, 00000001.00000003.336235888.0000000006173000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krFc
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krs-czom
Source: explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: 9thuIDnsFV.exe, 00000001.00000003.333190214.0000000006173000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com-jpL
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: 9thuIDnsFV.exe, 00000001.00000003.338500432.0000000006171000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.341292306.0000000006177000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: 9thuIDnsFV.exe, 00000001.00000003.338500432.0000000006171000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de0
Source: 9thuIDnsFV.exe, 00000001.00000003.341330812.0000000006178000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de?
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cncr
Source: 9thuIDnsFV.exe, 00000001.00000003.333587115.000000000616D000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnr-fC
Source: 9thuIDnsFV.exe	String found in binary or memory: https://www.digicert.com/CPS0

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419D60 NtCreateFile,	10_2_00419D60
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419E10 NtReadFile,	10_2_00419E10
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419E90 NtClose,	10_2_00419E90
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419F40 NtAllocateVirtualMemory,	10_2_00419F40
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419D5A NtCreateFile,	10_2_00419D5A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419DB2 NtCreateFile,	10_2_00419DB2
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00419E8A NtClose,	10_2_00419E8A
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E99A0 NtCreateSection,LdrInitializeThunk,	10_2_019E99A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E95D0 NtClose,LdrInitializeThunk,	10_2_019E95D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_019E9910
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9540 NtReadFile,LdrInitializeThunk,	10_2_019E9540
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E98F0 NtReadVirtualMemory,LdrInitializeThunk,	10_2_019E98F0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9840 NtDelayExecution,LdrInitializeThunk,	10_2_019E9840
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9860 NtQuerySystemInformation,LdrInitializeThunk,	10_2_019E9860
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9780 NtMapViewOfSection,LdrInitializeThunk,	10_2_019E9780
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E97A0 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_019E97A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9710 NtQueryInformationToken,LdrInitializeThunk,	10_2_019E9710
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E96E0 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_019E96E0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9A00 NtProtectVirtualMemory,LdrInitializeThunk,	10_2_019E9A00
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9A20 NtResumeThread,LdrInitializeThunk,	10_2_019E9A20
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9A50 NtCreateFile,LdrInitializeThunk,	10_2_019E9A50
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9660 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_019E9660
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E99D0 NtCreateProcessEx,	10_2_019E99D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E95F0 NtQueryInformationFile,	10_2_019E95F0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019EAD30 NtSetContextThread,	10_2_019EAD30
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9520 NtWaitForSingleObject,	10_2_019E9520
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9950 NtQueueApcThread,	10_2_019E9950
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9560 NtWriteFile,	10_2_019E9560
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E98A0 NtWriteVirtualMemory,	10_2_019E98A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9820 NtEnumerateKey,	10_2_019E9820
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019EB040 NtSuspendThread,	10_2_019EB040
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019EA3B0 NtGetContextThread,	10_2_019EA3B0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9FE0 NtCreateMutant,	10_2_019E9FE0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019EA710 NtOpenProcessToken,	10_2_019EA710
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9B00 NtSetValueKey,	10_2_019E9B00
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9730 NtQueryVirtualMemory,	10_2_019E9730
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9770 NtSetInformationFile,	10_2_019E9770
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019EA770 NtOpenThread,	10_2_019EA770
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9760 NtOpenProcess,	10_2_019E9760
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9A80 NtOpenDirectoryObject,	10_2_019E9A80
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E96D0 NtCreateKey,	10_2_019E96D0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9610 NtEnumerateValueKey,	10_2_019E9610
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9A10 NtQuerySection,	10_2_019E9A10
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9650 NtQueryValueKey,	10_2_019E9650
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019E9670 NtQueryInformationProcess,	10_2_019E9670
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29E90 NtClose,	20_2_02F29E90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29E10 NtReadFile,	20_2_02F29E10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29F40 NtAllocateVirtualMemory,	20_2_02F29F40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29D60 NtCreateFile,	20_2_02F29D60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29E8A NtClose,	20_2_02F29E8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29DB2 NtCreateFile,	20_2_02F29DB2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F29D5A NtCreateFile,	20_2_02F29D5A

Detected potential crypto function

Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Code function: 1_2_0322C224	1_2_0322C224
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Code function: 1_2_0322E5E2	1_2_0322E5E2
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Code function: 1_2_0322E5F0	1_2_0322E5F0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041E004	10_2_0041E004
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00401027	10_2_00401027
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00401030	10_2_00401030
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041D0C1	10_2_0041D0C1
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041D3B9	10_2_0041D3B9
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00402D87	10_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00402D90	10_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00409E40	10_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00402FB0	10_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D2581	10_2_019D2581
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BD5E0	10_2_019BD5E0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019AF900	10_2_019AF900
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019A0D20	10_2_019A0D20
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C4120	10_2_019C4120
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A71D55	10_2_01A71D55
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019BB090	10_2_019BB090
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019D20A0	10_2_019D20A0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019B841F	10_2_019B841F
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_01A61002	10_2_01A61002
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019DEBB0	10_2_019DEBB0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019C6E30	10_2_019C6E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F2E004	20_2_02F2E004
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F19E40	20_2_02F19E40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F12FB0	20_2_02F12FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F12D90	20_2_02F12D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F12D87	20_2_02F12D87

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe

Code function: String function: 019AB150 appears 35 times

PE / OLE file has an invalid certificate

Source: 9thuIDnsFV.exe

Static PE information: invalid certificate

PE file contains strange resources

Source: 9thuIDnsFV.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9thuIDnsFV.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9thuIDnsFV.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9thuIDnsFV.exe.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: 9thuIDnsFV.exe	Binary or memory string: OriginalFilename vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAucrorbejpjpqs.dll> vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameElcbrjrgopuwq.dll" vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 00000001.00000002.421855584.0000000000E82000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAAXZConsoleApp9.exeB vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 00000001.00000002.428503196.0000000006320000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe	Binary or memory string: OriginalFilename vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 0000000A.00000000.421133231.0000000000F42000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAAXZConsoleApp9.exeB vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 0000000A.00000002.498789895.0000000001DC2000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamewlanext.exej% vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe, 0000000A.00000002.498552872.0000000001C2F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 9thuIDnsFV.exe
Source: 9thuIDnsFV.exe	Binary or memory string: OriginalFilenameAAXZConsoleApp9.exeB vs 9thuIDnsFV.exe

Uses 32bit PE files

Source: 9thuIDnsFV.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Yara signature match

Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: 9thuIDnsFV.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 9thuIDnsFV.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/3@1/1

Source: C:\Users\user\Desktop\9thuIDnsFV.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9thuIDnsFV.exe.log

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\9thuIDnsFV.exe 'C:\Users\user\Desktop\9thuIDnsFV.exe'
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process created: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe vgyjnbhui
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process created: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe vgyjnbhui	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe'	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_004168E0 push eax; iretd	10_2_004168E1
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00416907 push ds; retf	10_2_00416908
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_004093D6 push es; retf	10_2_004093DD
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_00416CB4 pushfd ; retf	10_2_00416CBC
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_004176ED push ebx; iretd	10_2_004176EF
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041CEB5 push eax; ret	10_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041CF6C push eax; ret	10_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041CF02 push eax; ret	10_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_0041CF0B push eax; ret	10_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Code function: 10_2_019FD0D1 push ecx; ret	10_2_019FD0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F193D6 push es; retf	20_2_02F193DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F268E0 push eax; iretd	20_2_02F268E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F26907 push ds; retf	20_2_02F26908
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F276ED push ebx; iretd	20_2_02F276EF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F2CEB5 push eax; ret	20_2_02F2CF08
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F2CF6C push eax; ret	20_2_02F2CF72
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F2CF02 push eax; ret	20_2_02F2CF08
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F2CF0B push eax; ret	20_2_02F2CF72
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 20_2_02F26CB4 pushfd ; retf	20_2_02F26CBC

Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000002F198E4 second address: 0000000002F198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000002F19B5E second address: 0000000002F19B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: explorer.exe, 0000000E.00000000.452463166.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000E.00000000.452393982.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: 9thuIDnsFV.exe	Binary or memory string: 3V97MjDwzNY10/CE3FdlPTc3QDRJmTHAfugGZ6zy6kRSVp+JZqpfk8Ffo9rd0+zrd2KPwKN3IwbD9bQLswwzDhyn4PdAUcVsBK5n\77208IwpEVv/3DMWkIIYr+GO0CgNtkcu/AzuJ1M8gweiCBUod5UYqcxkP0QAKl0hwizDJ5b4pZws5eikxSjRN4UuQgGFVmciINBjSJ\7NLLQdzKojxbpxogKKZWM8B1Zm8STIrPk9ANQxogWqeZZSr2a6ZmW+yC
Source: 9thuIDnsFV.exe, 00000001.00000002.424675274.00000000033B6000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: explorer.exe, 0000000E.00000000.445336091.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000E.00000000.447425630.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9thuIDnsFV.exe, 00000001.00000002.424675274.00000000033B6000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000E.00000000.452393982.00000000083E9000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000E.00000000.447425630.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9thuIDnsFV.exe	Binary or memory string: drNC7TIZTDW2xdJg6023IiTjmTuQlBYEtkPt+T/Us4SLdWi2qlCcddJ8V\7R0tAT+wpPaK51PoqE0nSbQ8X0gIV1QeMUdu7fBCInEO6ADyk+Y6Pj50bA89PiZBRwnUO9K3Ns0/btgvn5n7ypGhhTP0mZCoNxZCnK\7nl3WEoY5NqGqiGi1R8cYbO9DuvgNpNPQlR0tOwm091GcDraPdworFfl+/7zsOq5SWDlDvKmIEUiEy8m9CKUXDLxi9/PJynX1DX
Source: explorer.exe, 0000000E.00000000.452004662.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: 9thuIDnsFV.exe, 00000001.00000002.424675274.00000000033B6000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: explorer.exe, 0000000E.00000000.445336091.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000E.00000000.445336091.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000E.00000000.479950310.00000000045BE000.00000004.00000001.sdmp	Binary or memory string: 8f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: explorer.exe, 0000000E.00000000.452004662.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000E.00000000.452463166.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: 9thuIDnsFV.exe	Binary or memory string: w9pCcvmCiBslevp3ENTZ7Gyl/KlvjcVV5O5tkWLNvHWw9ziuxOZ14kJmcS95b5CG53h40gwz2mI1prpmN63K34RqlKTfBw\782M5soaHLKwjrxjbF44wWMH/mXEYo9EtG3RCo8RZu8v2iOPMGsDtVxMtQ/RInns4u4kM+YSRbJmUomHt2yet9GjBmvzKjwGocN5e2\7S6Ai96HFLuDqu3p28Ouz3oupVo6bq9Tq4z84+QXrbm011Rn3/M4xD+nOhVufu
Source: explorer.exe, 0000000E.00000000.465503164.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 0000000E.00000000.445336091.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 5.79.68.101 80			Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.driplockerstore.com

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3440			Jump to behavior

Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Memory written: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Memory written: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\9thuIDnsFV.exe	Memory written: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe base: 1189008	Jump to behavior

Source: explorer.exe, 0000000E.00000000.467119162.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000014.00000002.599758383.0000000004210000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.467119162.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000014.00000002.599758383.0000000004210000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.467119162.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000014.00000002.599758383.0000000004210000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 0000000E.00000000.467119162.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000014.00000002.599758383.0000000004210000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Name	Malicious	Antivirus Detection	Reputation
www.containerflippers.com/np0c/	true	Avira URL Cloud: safe	low
http://www.driplockerstore.com/np0c/?iN=5jalxB&a0DTBtU=a9fK2iRL7rM/iNgaQ8e4NUwl6BbikcR8OekOj0TYIdin2efeiFW0Z5kC5Xa/O1Kzq37GlajMhw==	true	Avira URL Cloud: safe	unknown

ID:	452499
Product:	CloudBasic
Start time:	14:03:16
Start date:	22.07.2021
Sample:	9thuIDnsFV
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	0e715db2198ff670f4bf0e88e0e9b547
SHA1:	2de5030a9261655e5879e4faba7b5e79d1dd483e
SHA256:	4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9thuIDnsFV.exe.log	ASCII text, with CRLF line terminators	3197B1D4714B56F2A6AC9E83761739AE	3B38010F0DF51C1D4D2C020138202DABB686741D	40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	0E715DB2198FF670F4BF0E88E0E9B547	2DE5030A9261655E5879E4FABA7B5E79D1DD483E	4DC8CB12314311A3BF1B1AFA5CC5483284FDA573F18C15AB0FEF18B7B9EF9F98
C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report 9thuIDnsFV

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Cryptography:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs