

Windows Analysis Report 85vLO1Rpcy.exe

Overview

General Information

Sample Name: 85vLO1Rpcy.exe
Analysis ID: 452681
MD5: 91663bee11ec2466c36ff85805041fff
SHA1: 944de18e73bbcf9807c960ba925641211d46cd6e
SHA256: b764504a2998416edbba85e1495c8311f8cc94f5775ce3413b8d3cbd5acf03d7
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 85vLO1Rpcy.exe (PID: 6800 cmdline: 'C:\Users\user\Desktop\85vLO1Rpcy.exe' MD5: 91663BEE11EC2466C36FF85805041FFF)
    • 85vLO1Rpcy.exe (PID: 6872 cmdline: 'C:\Users\user\Desktop\85vLO1Rpcy.exe' MD5: 91663BEE11EC2466C36FF85805041FFF)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 6116 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 6408 cmdline: /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.85vLO1Rpcy.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.85vLO1Rpcy.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.85vLO1Rpcy.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
2.1.85vLO1Rpcy.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.85vLO1Rpcy.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://www.invisiongc.net/dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}
Multi AV Scanner detection for submitted file
Source: 85vLO1Rpcy.exe | ReversingLabs: Detection: 47%
Yara detected FormBook
Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: 85vLO1Rpcy.exe | Joe Sandbox ML: detected
Source: 1.2.85vLO1Rpcy.exe.2040000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.cscript.exe.4c87960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.cscript.exe.2848758.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 85vLO1Rpcy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: cscript.pdbUGP source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 85vLO1Rpcy.exe, 00000001.00000003.654242589.00000000020F0000.00000004.00000001.sdmp, 85vLO1Rpcy.exe, 00000002.00000002.718159413.0000000000960000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 85vLO1Rpcy.exe, cscript.exe
Source: Binary string: cscript.pdb source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 4x nop then pop esi | 2_2_00415852
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 4x nop then pop ebx | 2_2_00406A98
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 4x nop then pop edi | 2_2_00415699
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop ebx | 9_2_02776A99
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop esi | 9_2_02785852
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi | 9_2_02785699

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49769 -> 172.67.129.33:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.extinctionbrews.com/dy8g/
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.fitnesstwentytwenty.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.melodezu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.sprinkleresources.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.professioneconsulenza.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.iwccgroup.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.manageoceanaccount.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.jorgeporcayo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.builtbydawn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.invisiongc.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 162.241.62.54 162.241.62.54
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=IhkJQD+B0bk6+V2yAPUkLiiPXbQYCeTmh4O7f9n2kBTH706egIRBsrjYfWBeBd2LV0Ma&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.fitnesstwentytwenty.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=qBaU/+yfeYHlIZouGPofXU4iidVfFInHYvrLlGgOmZTTl18u/I/MgAYEWpAR2vhEkSQT&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.melodezu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=QPKcqu0vMetGK+JfgUD/8nBfSHpRH5kA0PGey6xyb3gkjUZIEhl5tlPdZ8p3XQTNaLSI&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.sprinkleresources.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=B6XRNEXBM36CngModurpGrvJhOmsW28/SGtim1Ppn9j53l0DJdxuAnVFBlFsUFB06+ev&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.professioneconsulenza.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=7CAQNvso9+3ggABZu/Jc7fNLxaXC+FNFfFld5zwEvttFhfWBu0C0F7PZZ+Whh9hkxniW&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.iwccgroup.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=zCCrdzdvThYaTASpe/hPmHk7ap5P+ANftyOGnlC77DjfTWm2yZ7w2vU9UFaZ0iHT58J1&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.manageoceanaccount.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImX53aDppb+SR&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.jorgeporcayo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElPwYvBfmvX&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.builtbydawn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?4hoDb=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZrZIWjv5Kd9wj&m4L0u=bZcPvDKxdtw HTTP/1.1 | Host: www.invisiongc.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.fitnesstwentytwenty.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 22 Jul 2021 15:58:59 GMT | Server: Apache/2.4.18 (Ubuntu) | Content-Length: 278 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 38 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 6c 6f 64 65 7a 75 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.melodezu.com Port 80</address></body></html>
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.666867795.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.686825310.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: cscript.exe, 00000009.00000002.918279591.0000000004E02000.00000004.00000001.sdmp | String found in binary or memory: https://www.builtbydawn.com/dy8g/?4hoDb=w4dga09rndu/01Lv7rTrHKYivge6TkGpvuCog6Ry2v7pCfEqSSJxxgGpUElP

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_004181D0 NtCreateFile, | 2_2_004181D0
Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00418280 NtReadFile, | 2_2_00418280
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_00418300 NtClose,2_2_00418300
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_004183B0 NtAllocateVirtualMemory,2_2_004183B0
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_00418222 NtCreateFile,2_2_00418222
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_004183AA NtAllocateVirtualMemory,2_2_004183AA
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9860 NtQuerySystemInformation,LdrInitializeThunk,9_2_047B9860
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9840 NtDelayExecution,LdrInitializeThunk,9_2_047B9840
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9540 NtReadFile,LdrInitializeThunk,9_2_047B9540
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_047B9910
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B95D0 NtClose,LdrInitializeThunk,9_2_047B95D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B99A0 NtCreateSection,LdrInitializeThunk,9_2_047B99A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9660 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_047B9660
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9A50 NtCreateFile,LdrInitializeThunk,9_2_047B9A50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9650 NtQueryValueKey,LdrInitializeThunk,9_2_047B9650
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B96E0 NtFreeVirtualMemory,LdrInitializeThunk,9_2_047B96E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B96D0 NtCreateKey,LdrInitializeThunk,9_2_047B96D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9710 NtQueryInformationToken,LdrInitializeThunk,9_2_047B9710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9FE0 NtCreateMutant,LdrInitializeThunk,9_2_047B9FE0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9780 NtMapViewOfSection,LdrInitializeThunk,9_2_047B9780
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047BB040 NtSuspendThread,9_2_047BB040
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9820 NtEnumerateKey,9_2_047B9820
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B98F0 NtReadVirtualMemory,9_2_047B98F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B98A0 NtWriteVirtualMemory,9_2_047B98A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9560 NtWriteFile,9_2_047B9560
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9950 NtQueueApcThread,9_2_047B9950
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047BAD30 NtSetContextThread,9_2_047BAD30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9520 NtWaitForSingleObject,9_2_047B9520
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B95F0 NtQueryInformationFile,9_2_047B95F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B99D0 NtCreateProcessEx,9_2_047B99D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9670 NtQueryInformationProcess,9_2_047B9670
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9A20 NtResumeThread,9_2_047B9A20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9610 NtEnumerateValueKey,9_2_047B9610
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9A10 NtQuerySection,9_2_047B9A10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9A00 NtProtectVirtualMemory,9_2_047B9A00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9A80 NtOpenDirectoryObject,9_2_047B9A80
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047BA770 NtOpenThread,9_2_047BA770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9770 NtSetInformationFile,9_2_047B9770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9760 NtOpenProcess,9_2_047B9760
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9730 NtQueryVirtualMemory,9_2_047B9730
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047BA710 NtOpenProcessToken,9_2_047BA710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B9B00 NtSetValueKey,9_2_047B9B00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047BA3B0 NtGetContextThread,9_2_047BA3B0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047B97A0 NtUnmapViewOfSection,9_2_047B97A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02788280 NtReadFile,9_2_02788280
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02788300 NtClose,9_2_02788300
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_027883B0 NtAllocateVirtualMemory,9_2_027883B0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_027881D0 NtCreateFile,9_2_027881D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02788222 NtCreateFile,9_2_02788222
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_027883AA NtAllocateVirtualMemory,9_2_027883AA
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_0040102E2_2_0040102E
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_0041B8FB2_2_0041B8FB
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_00408C6C2_2_00408C6C
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_00408C702_2_00408C70
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_0041B57A2_2_0041B57A
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_00402D882_2_00402D88
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_0041C58A2_2_0041C58A
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0478841F9_2_0478841F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_048310029_2_04831002
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0478B0909_2_0478B090
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04770D209_2_04770D20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047941209_2_04794120
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0477F9009_2_0477F900
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0478D5E09_2_0478D5E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04841D559_2_04841D55
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_04796E309_2_04796E30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_047AEBB09_2_047AEBB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0278B8FB9_2_0278B8FB
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02772FB09_2_02772FB0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02778C709_2_02778C70
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02778C6C9_2_02778C6C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0278B57A9_2_0278B57A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02772D909_2_02772D90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_0278C58A9_2_0278C58A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_02772D889_2_02772D88
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0477B150 appears 32 times
          Source: 85vLO1Rpcy.exe, 00000001.00000003.655654489.000000000239F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 85vLO1Rpcy.exe
          Source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs 85vLO1Rpcy.exe
          Source: 85vLO1Rpcy.exe, 00000002.00000002.718870614.0000000000C0F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 85vLO1Rpcy.exe
          Source: 85vLO1Rpcy.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
          Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.85vLO1Rpcy.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.85vLO1Rpcy.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.85vLO1Rpcy.exe.2080000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.917381925.0000000002930000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.917639520.0000000004510000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.716808060.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.660809606.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.717508813.00000000008A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.917267310.0000000002770000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.717586838.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.662578275.0000000002080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/0@12/8
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6404:120:WilError_01
          Source: 85vLO1Rpcy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: 85vLO1Rpcy.exeReversingLabs: Detection: 47%
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeFile read: C:\Users\user\Desktop\85vLO1Rpcy.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeProcess created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exeProcess created: C:\Users\user\Desktop\85vLO1Rpcy.exe 'C:\Users\user\Desktop\85vLO1Rpcy.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\85vLO1Rpcy.exe'Jump to behavior
          Source: Binary string: cscript.pdbUGP source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 85vLO1Rpcy.exe, 00000001.00000003.654242589.00000000020F0000.00000004.00000001.sdmp, 85vLO1Rpcy.exe, 00000002.00000002.718159413.0000000000960000.00000040.00000001.sdmp, cscript.exe, 00000009.00000002.917910463.000000000486F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 85vLO1Rpcy.exe, cscript.exe
          Source: Binary string: cscript.pdb source: 85vLO1Rpcy.exe, 00000002.00000002.719059320.0000000000E60000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.706368480.0000000005A00000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Unpacked PE file: 2.2.85vLO1Rpcy.exe.400000.0.unpack .text:ER;.rdata:R; vs .text:ER;
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_004062F6 pushfd ; ret 2_2_004062F7
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041B3C5 push eax; ret 2_2_0041B418
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_004153FC push eax; retf 2_2_0041540B
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041B47C push eax; ret 2_2_0041B482
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041B412 push eax; ret 2_2_0041B418
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041B41B push eax; ret 2_2_0041B482
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00415CE7 pushad ; ret 2_2_00415D4B
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_0041C4EE push 133511A3h; retf 2_2_0041C4F3
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00414D71 push ss; iretd 2_2_00414D72
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | Code function: 2_2_00415D38 pushad ; ret 2_2_00415D4B
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_047CD0D1 push ecx; ret 9_2_047CD0E4
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_027762F6 pushfd ; ret 9_2_027762F7
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_027853FC push eax; retf 9_2_0278540B
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278B3C5 push eax; ret 9_2_0278B418
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278B47C push eax; ret 9_2_0278B482
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278B41B push eax; ret 9_2_0278B482
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278B412 push eax; ret 9_2_0278B418
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0278C4EE push 133511A3h; retf 9_2_0278C4F3
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02785CE7 pushad ; ret 9_2_02785D4B
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02784D71 push ss; iretd 9_2_02784D72
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02785D38 pushad ; ret 9_2_02785D4B
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\85vLO1Rpcy.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000