
Windows Analysis Report 9thuIDnsFV

Overview

General Information

Sample Name: 9thuIDnsFV (renamed file extension from none to exe)
Analysis ID: 452499
MD5: 0e715db2198ff670f4bf0e88e0e9b547
SHA1: 2de5030a9261655e5879e4faba7b5e79d1dd483e
SHA256: 4dc8cb12314311a3bf1b1afa5cc5483284fda573f18c15ab0fef18b7b9ef9f98
Tags: 32 exe trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 9thuIDnsFV.exe (PID: 6324 cmdline: 'C:\Users\user\Desktop\9thuIDnsFV.exe' MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
    • 9thuIDnsFV.exe (PID: 5860 cmdline: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe vgyjnbhui MD5: 0E715DB2198FF670F4BF0E88E0E9B547)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 4868 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 3520 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.containerflippers.com/np0c/"], "decoy": ["spartansurebets.com", "threelakestradingco.com", "metaspace.global", "zjenbao.com", "directlyincluded.press", "peterchadri.com", "learnhousebreaking.com", "wonobattle.online", "leadate.com", "shebafarmscali.com", "top4thejob.online", "awakeyourfaith.com", "bedford-st.com", "lolwhats.com", "cucurumbel.com", "lokalbazaar.com", "matter.pro", "eastcountyanimalrescue.com", "musesgirl.com", "noordinarydairy.com", "saigonstar2.com", "farmacias-aranda.com", "fjzzck.com", "createandelevate.solutions", "australiavapeoil.com", "imperfectlymassabella.com", "criminalmindeddesign.com", "silverstoneca.com", "scotlandpropertygroup.com", "3dvbuild.com", "privatebeautysuites.com", "driplockerstore.com", "rcdesigncompany.com", "2141cascaderdsw.com", "mybbblog.com", "bodyambrosia.com", "solitudeblog.com", "coworkingofficespaces.com", "9999cpa.com", "flipwo.com", "dynamicfitnesslife.store", "anandsharmah.com", "afyz-jf7y.net", "erikagrandstaff.com", "pumpfoil.com", "bodurm.com", "goldlifetime.com", "a1organ.com", "akomandr.com", "hsavvysupply.com", "dyvyn.com", "bizlikeabosslady.network", "livein.space", "helpafounderout.com", "orbmena.com", "mrrodgersrealty.com", "roxhomeswellington.com", "klimareporter.com", "1040fourthst405.com", "blackbuiltbusinesses.com", "solidswim.com", "lordetkinlik3.com", "gardencontainerbar.com", "viperporn.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xa238:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xa4b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x32258:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x324d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15fd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x3dff5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15ac1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x3dae1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x160d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x3e0f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1624f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x3e26f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xaeca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x32eea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x14d3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x3cd5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xbbc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x33be3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1bc77:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x43c97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1cc7a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18d59:$sqlite3step: 68 34 1C 7B E1
  • 0x18e6c:$sqlite3step: 68 34 1C 7B E1
  • 0x40d79:$sqlite3step: 68 34 1C 7B E1
  • 0x40e8c:$sqlite3step: 68 34 1C 7B E1
  • 0x18d88:$sqlite3text: 68 38 2A 90 C5
  • 0x18ead:$sqlite3text: 68 38 2A 90 C5
  • 0x40da8:$sqlite3text: 68 38 2A 90 C5
  • 0x40ecd:$sqlite3text: 68 38 2A 90 C5
  • 0x18d9b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18ec3:$sqlite3blob: 68 53 D8 7F 8C
  • 0x40dbb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x40ee3:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
10.2.9thuIDnsFV.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
10.2.9thuIDnsFV.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.9thuIDnsFV.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9bf58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9c1d2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xa7cf5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xa77e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xa7df7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xa7f6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x9cbea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xa6a5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9d8e3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xad997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xae99a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.containerflippers.com/np0c/"], "decoy": ["spartansurebets.com", "threelakestradingco.com", "metaspace.global", "zjenbao.com", "directlyincluded.press", "peterchadri.com", "learnhousebreaking.com", "wonobattle.online", "leadate.com", "shebafarmscali.com", "top4thejob.online", "awakeyourfaith.com", "bedford-st.com", "lolwhats.com", "cucurumbel.com", "lokalbazaar.com", "matter.pro", "eastcountyanimalrescue.com", "musesgirl.com", "noordinarydairy.com", "saigonstar2.com", "farmacias-aranda.com", "fjzzck.com", "createandelevate.solutions", "australiavapeoil.com", "imperfectlymassabella.com", "criminalmindeddesign.com", "silverstoneca.com", "scotlandpropertygroup.com", "3dvbuild.com", "privatebeautysuites.com", "driplockerstore.com", "rcdesigncompany.com", "2141cascaderdsw.com", "mybbblog.com", "bodyambrosia.com", "solitudeblog.com", "coworkingofficespaces.com", "9999cpa.com", "flipwo.com", "dynamicfitnesslife.store", "anandsharmah.com", "afyz-jf7y.net", "erikagrandstaff.com", "pumpfoil.com", "bodurm.com", "goldlifetime.com", "a1organ.com", "akomandr.com", "hsavvysupply.com", "dyvyn.com", "bizlikeabosslady.network", "livein.space", "helpafounderout.com", "orbmena.com", "mrrodgersrealty.com", "roxhomeswellington.com", "klimareporter.com", "1040fourthst405.com", "blackbuiltbusinesses.com", "solidswim.com", "lordetkinlik3.com", "gardencontainerbar.com", "viperporn.net"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | ReversingLabs: Detection: 23%
Multi AV Scanner detection for submitted file
Source: 9thuIDnsFV.exe | Virustotal: Detection: 38%
Source: 9thuIDnsFV.exe | ReversingLabs: Detection: 23%
Yara detected FormBook
Source: Yara match | File source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY
Source: 10.2.9thuIDnsFV.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019CFDA0 BasepCopyEncryption, 10_2_019CFDA0
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019B7D72 BasepCopyEncryption, 10_2_019B7D72
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019D8E00 BasepCopyEncryption, 10_2_019D8E00
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019D2E3E BasepCopyEncryption, 10_2_019D2E3E
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019B2250 BasepCopyEncryption, 10_2_019B2250
Source: 9thuIDnsFV.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 9thuIDnsFV.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000E.00000000.455604694.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 9thuIDnsFV.exe, 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdb | source: 9thuIDnsFV.exe, 0000000A.00000002.498749026.0000000001DB0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 9thuIDnsFV.exe, 0000000A.00000002.498187012.0000000001980000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL | source: 9thuIDnsFV.exe, 0000000A.00000002.498749026.0000000001DB0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000E.00000000.455604694.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 4x nop then pop esi | 10_2_004172CB
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 4x nop then pop ebx | 10_2_00407AFA
Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 4x nop then pop edi | 10_2_00417D5B
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop ebx | 20_2_02F17AFB
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop esi | 20_2_02F272CB
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi | 20_2_02F27D5B

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 5.79.68.101:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 5.79.68.101:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49756 -> 5.79.68.101:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.containerflippers.com/np0c/
Source: global traffic | HTTP traffic detected: GET /np0c/?iN=5jalxB&a0DTBtU=a9fK2iRL7rM/iNgaQ8e4NUwl6BbikcR8OekOj0TYIdin2efeiFW0Z5kC5Xa/O1Kzq37GlajMhw== HTTP/1.1 | Host: www.driplockerstore.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: LEASEWEB-NL-AMS-01 Netherlands NL, LEASEWEB-NL-AMS-01 Netherlands NL
Source: global traffic | HTTP traffic detected: GET /np0c/?iN=5jalxB&a0DTBtU=a9fK2iRL7rM/iNgaQ8e4NUwl6BbikcR8OekOj0TYIdin2efeiFW0Z5kC5Xa/O1Kzq37GlajMhw== HTTP/1.1 | Host: www.driplockerstore.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.driplockerstore.com
Source: 9thuIDnsFV.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 9thuIDnsFV.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 9thuIDnsFV.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 9thuIDnsFV.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 9thuIDnsFV.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 9thuIDnsFV.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 9thuIDnsFV.exe | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 9thuIDnsFV.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 9thuIDnsFV.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 9thuIDnsFV.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 9thuIDnsFV.exe | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: 9thuIDnsFV.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 9thuIDnsFV.exe, 00000001.00000003.330013890.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: 9thuIDnsFV.exe, 00000001.00000003.329336409.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 9thuIDnsFV.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: 9thuIDnsFV.exe | String found in binary or memory: http://ocsp.digicert.com0H
Source: 9thuIDnsFV.exe | String found in binary or memory: http://ocsp.digicert.com0I
Source: 9thuIDnsFV.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: wlanext.exe, 00000014.00000002.599683459.0000000003D9F000.00000004.00000001.sdmp | String found in binary or memory: http://survey-smiles.com
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9thuIDnsFV.exe, 00000001.00000003.336235888.0000000006173000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.336179079.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: explorer.exe, 0000000E.00000000.465503164.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com.
Source: 9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: 9thuIDnsFV.exe, 00000001.00000003.333788508.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comaF
Source: 9thuIDnsFV.exe, 00000001.00000003.334955370.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comal
Source: 9thuIDnsFV.exe, 00000001.00000003.334171892.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comams
Source: 9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comc
Source: 9thuIDnsFV.exe, 00000001.00000003.334310160.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comces
Source: 9thuIDnsFV.exe, 00000001.00000003.334802978.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comcr
Source: 9thuIDnsFV.exe, 00000001.00000003.334264597.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.come
Source: 9thuIDnsFV.exe, 00000001.00000003.334171892.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comes
Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comexc
Source: 9thuIDnsFV.exe, 00000001.00000003.334215573.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comic
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comlt
Source: 9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: 9thuIDnsFV.exe, 00000001.00000003.334443520.000000000616D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comopsz
Source: 9thuIDnsFV.exe, 00000001.00000003.334955370.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comroa
Source: 9thuIDnsFV.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: 9thuIDnsFV.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 9thuIDnsFV.exe, 00000001.00000003.341157570.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers#
Source: 9thuIDnsFV.exe, 00000001.00000003.339414645.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers$
Source: 9thuIDnsFV.exe, 00000001.00000003.338972632.000000000616B000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.338849647.0000000006171000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 9thuIDnsFV.exe, 00000001.00000003.340799548.000000000618E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 9thuIDnsFV.exe, 00000001.00000003.339998468.000000000618E000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.339943360.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 9thuIDnsFV.exe, 00000001.00000003.339513065.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers5
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.338914369.0000000006171000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 9thuIDnsFV.exe, 00000001.00000003.339673222.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersa
Source: 9thuIDnsFV.exe, 00000001.00000003.339673222.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersers5
Source: 9thuIDnsFV.exe, 00000001.00000003.338914369.0000000006171000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersp
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn6
Source: 9thuIDnsFV.exe, 00000001.00000003.332290487.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnMic
Source: 9thuIDnsFV.exe, 00000001.00000003.332056051.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnht
Source: 9thuIDnsFV.exe, 00000001.00000003.333344719.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnld
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 9thuIDnsFV.exe, 00000001.00000003.342672431.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmm
Source: 9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.k)
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr-c(
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krtp
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9thuIDnsFV.exe | String found in binary or memory: http://www.opera.com0
Source: 9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comG
Source: 9thuIDnsFV.exe, 00000001.00000003.328448785.0000000006152000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comM
Source: 9thuIDnsFV.exe, 00000001.00000003.336235888.0000000006173000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 9thuIDnsFV.exe, 00000001.00000003.331470049.000000000616B000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krFc
Source: 9thuIDnsFV.exe, 00000001.00000003.331326853.000000000616B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krs-czom
Source: explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 9thuIDnsFV.exe, 00000001.00000003.333190214.0000000006173000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com-jpL
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 9thuIDnsFV.exe, 00000001.00000003.338500432.0000000006171000.00000004.00000001.sdmp, 9thuIDnsFV.exe, 00000001.00000003.341292306.0000000006177000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: 9thuIDnsFV.exe, 00000001.00000003.338500432.0000000006171000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de0
Source: 9thuIDnsFV.exe, 00000001.00000003.341330812.0000000006178000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de?
Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: 9thuIDnsFV.exe, 00000001.00000002.429598690.0000000007462000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.453984529.000000000B1A0000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: 9thuIDnsFV.exe, 00000001.00000003.333715053.000000000616D000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cncr
          Source: 9thuIDnsFV.exe, 00000001.00000003.333587115.000000000616D000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnr-fC
          Source: 9thuIDnsFV.exeString found in binary or memory: https://www.digicert.com/CPS0

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00419D60 NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00419E10 NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00419E90 NtClose
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00419F40 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00419D5A NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00419DB2 NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00419E8A NtClose
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E95D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E98F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E97A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E99D0 NtCreateProcessEx
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E95F0 NtQueryInformationFile
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019EAD30 NtSetContextThread
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9520 NtWaitForSingleObject
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9950 NtQueueApcThread
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9560 NtWriteFile
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E98A0 NtWriteVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9820 NtEnumerateKey
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019EB040 NtSuspendThread
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019EA3B0 NtGetContextThread
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9FE0 NtCreateMutant
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019EA710 NtOpenProcessToken
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9B00 NtSetValueKey
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9730 NtQueryVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9770 NtSetInformationFile
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019EA770 NtOpenThread
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9760 NtOpenProcess
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9A80 NtOpenDirectoryObject
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E96D0 NtCreateKey
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9610 NtEnumerateValueKey
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9A10 NtQuerySection
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9650 NtQueryValueKey
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019E9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F29E90 NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F29E10 NtReadFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F29F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F29D60 NtCreateFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F29E8A NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F29DB2 NtCreateFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F29D5A NtCreateFile
          Source: C:\Users\user\Desktop\9thuIDnsFV.exe | Code function: 1_2_0322C224
          Source: C:\Users\user\Desktop\9thuIDnsFV.exe | Code function: 1_2_0322E5E2
          Source: C:\Users\user\Desktop\9thuIDnsFV.exe | Code function: 1_2_0322E5F0
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_0041E004
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00401027
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_0041D0C1
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_0041D3B9
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00402D87
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00409E40
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019D2581
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019BD5E0
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019AF900
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019A0D20
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019C4120
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_01A71D55
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019BB090
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019D20A0
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019B841F
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_01A61002
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019DEBB0
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: 10_2_019C6E30
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F2E004
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F19E40
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F12FB0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F12D90
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 20_2_02F12D87
          Source: C:\Users\user\AppData\Local\Temp\9thuIDnsFV.exe | Code function: String function: 019AB150 appears 35 times
          Source: 9thuIDnsFV.exe | Static PE information: invalid certificate
          Source: 9thuIDnsFV.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 9thuIDnsFV.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 9thuIDnsFV.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 9thuIDnsFV.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: 9thuIDnsFV.exe | Binary or memory string: OriginalFilename vs 9thuIDnsFV.exe
          Source: 9thuIDnsFV.exe, 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAucrorbejpjpqs.dll> vs 9thuIDnsFV.exe
          Source: 9thuIDnsFV.exe, 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameElcbrjrgopuwq.dll" vs 9thuIDnsFV.exe
          Source: 9thuIDnsFV.exe, 00000001.00000002.421855584.0000000000E82000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAAXZConsoleApp9.exeB vs 9thuIDnsFV.exe
          Source: 9thuIDnsFV.exe, 00000001.00000002.428503196.0000000006320000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 9thuIDnsFV.exe
          Source: 9thuIDnsFV.exe | Binary or memory string: OriginalFilename vs 9thuIDnsFV.exe
          Source: 9thuIDnsFV.exe, 0000000A.00000000.421133231.0000000000F42000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAAXZConsoleApp9.exeB vs 9thuIDnsFV.exe
          Source: 9thuIDnsFV.exe, 0000000A.00000002.498789895.0000000001DC2000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewlanext.exej% vs 9thuIDnsFV.exe
          Source: 9thuIDnsFV.exe, 0000000A.00000002.498552872.0000000001C2F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 9thuIDnsFV.exe
          Source: 9thuIDnsFV.exe | Binary or memory string: OriginalFilenameAAXZConsoleApp9.exeB vs 9thuIDnsFV.exe
          Source: 9thuIDnsFV.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.9thuIDnsFV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.9thuIDnsFV.exe.45b0350.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.9thuIDnsFV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.9thuIDnsFV.exe.45140c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.425318748.0000000004349000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.498621815.0000000001CB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.425393172.00000000043C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.496854769.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.594295138.0000000000430000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.595689407.0000000002F10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.498662649.0000000001CE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9thuIDnsFV.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 9thuIDnsFV.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@1/1
          Source: C:\Users\user\Desktop\9thuIDnsFV.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9thuIDnsFV.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3860:120:WilError_01