
Windows Analysis Report pMbPS8nCm1.exe

Overview

General Information

Sample Name: pMbPS8nCm1.exe
Analysis ID: 452687
MD5: de87f1794377537dda721afd9137e491
SHA1: 3b0480a4afe176722d9b8cf6f9f9c9257b1d132f
SHA256: b0a684c7dfc5a94e3dd2edcb1c706eae088ff9d701ec55f0adb1ae977e5e9081
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • pMbPS8nCm1.exe (PID: 3492 cmdline: 'C:\Users\user\Desktop\pMbPS8nCm1.exe' MD5: DE87F1794377537DDA721AFD9137E491)
    • pMbPS8nCm1.exe (PID: 5800 cmdline: 'C:\Users\user\Desktop\pMbPS8nCm1.exe' MD5: DE87F1794377537DDA721AFD9137E491)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 4564 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 4396 cmdline: /c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
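The tree above is the FormBook execution pattern: the dropper relaunches itself, injects into the already running explorer.exe (the report flags process hollowing, thread-context and APC injection), explorer then starts a 32-bit system binary from SysWOW64 (raserver.exe), and that process removes the original file with cmd.exe /c del. The Python below is an added detection example, not part of the report or of Joe Sandbox; it replays the tree as constructed process-creation events and flags any cmd.exe "del" whose target is the image path of another process seen in the same telemetry. Note that the sandbox draws explorer.exe beneath the dropper only because of the injection; real EDR telemetry would show explorer's true parent, so the check deliberately does not require the dropper to be an ancestor of cmd.exe. Field names and PIDs are taken from the report; the parent PID of the first dropper instance (1000) is an assumption.

```python
"""Hunt for the FormBook-style self-deletion chain shown in the process tree.

Added example. The events below are constructed from the report's process
tree (dropper -> dropper -> explorer.exe -> SysWOW64\\raserver.exe -> cmd.exe),
not raw telemetry; PID 1000 for the first dropper's parent is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events mirroring the report's tree.
EVENTS: List[Proc] = [
    Proc(3492, 1000, r"C:\Users\user\Desktop\pMbPS8nCm1.exe", r"'C:\Users\user\Desktop\pMbPS8nCm1.exe'"),
    Proc(5800, 3492, r"C:\Users\user\Desktop\pMbPS8nCm1.exe", r"'C:\Users\user\Desktop\pMbPS8nCm1.exe'"),
    Proc(3472, 5800, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(4564, 3472, r"C:\Windows\SysWOW64\raserver.exe", r"C:\Windows\SysWOW64\raserver.exe"),
    Proc(4396, 4564, r"C:\Windows\System32\cmd.exe", r"/c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'"),
    Proc(2196, 4396, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# `del` followed by an optionally quoted path at the end of the command line.
DEL_RE = re.compile(r"""\bdel\b\s+['"]?(?P<target>[^'"]+?)['"]?\s*$""", re.IGNORECASE)


def ancestors(pid: int, by_pid: Dict[int, Proc]) -> List[Proc]:
    """Walk parent links upward; stop at unknown PIDs or cycles."""
    chain: List[Proc] = []
    seen = {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_self_deletion(events: List[Proc]) -> List[dict]:
    """Flag cmd.exe deleting the image of a process observed in the same telemetry."""
    by_pid = {p.pid: p for p in events}
    images: Dict[str, List[int]] = {}
    for p in events:
        images.setdefault(p.image.lower(), []).append(p.pid)

    findings = []
    for p in events:
        if not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(p.cmdline)
        if m is None:
            continue
        target = m.group("target").strip().lower()
        if target not in images:          # deleting a non-process file is not our pattern
            continue
        chain = ancestors(p.pid, by_pid)
        parent = chain[0] if chain else None
        findings.append({
            "cmd_pid": p.pid,
            "deleted": target,
            "deleted_pids": sorted(images[target]),
            "parent_image": parent.image.lower() if parent is not None else None,
            # FormBook hosts the deleter in a 32-bit system binary under SysWOW64 ...
            "parent_in_syswow64": parent is not None
                and parent.image.lower().startswith("c:\\windows\\syswow64\\"),
            # ... which was itself started from the injected explorer.exe.
            "via_explorer": any(a.image.lower().endswith("\\explorer.exe") for a in chain),
        })
    return findings


if __name__ == "__main__":
    for finding in find_self_deletion(EVENTS):
        print(finding)
```

Run stand-alone it prints one finding for PID 4396: the deleted path is the image of PIDs 3492 and 5800, the deleter's parent is C:\Windows\SysWOW64\raserver.exe, and explorer.exe is in the parent chain. On real telemetry the `via_explorer` flag would come from raserver.exe's recorded parent, which is exactly what the injection produces.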

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 memory-dump matches in total; the remaining entries are not shown)

Unpacked PEs

Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 unpacked-PE matches in total; the remaining entries are not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.aizaibali.com/, Avira URL Cloud: Label: malware
Source: http://www.wideawakemomma.com/dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh, Avira URL Cloud: Label: malware
Source: http://www.aizaibali.com/dy8g/?i8PHMrf=iLV9pktedYDy4Ry4OVO/uadmgyKbVGN, Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (the extracted configuration is reproduced in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: pMbPS8nCm1.exe, Virustotal: Detection: 26%
Source: pMbPS8nCm1.exe, ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match, File source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: pMbPS8nCm1.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.2.raserver.exe.302d450.3.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.pMbPS8nCm1.exe.5a0000.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.raserver.exe.5167960.6.unpack, Avira: Label: TR/Patched.Ren.Gen
Uses 32bit PE files
Source: pMbPS8nCm1.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: Binary string: wntdll.pdbUGP source: pMbPS8nCm1.exe, 00000001.00000003.245067685.0000000002480000.00000004.00000001.sdmp, pMbPS8nCm1.exe, 00000002.00000002.306527493.0000000000A10000.00000040.00000001.sdmp, raserver.exe, 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: pMbPS8nCm1.exe, raserver.exe
Source: Binary string: RAServer.pdb source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe, Code function: 4x nop then pop esi, 2_2_00415852
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe, Code function: 4x nop then pop ebx, 2_2_00406A98
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe, Code function: 4x nop then pop edi, 2_2_00415699
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop esi, 13_2_009B5852
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop ebx, 13_2_009A6A99
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi, 13_2_009B5699

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49739 -> 172.104.157.41:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49739 -> 172.104.157.41:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49739 -> 172.104.157.41:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49743 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49743 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49743 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49745 -> 209.99.40.222:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49745 -> 209.99.40.222:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49745 -> 209.99.40.222:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.extinctionbrews.com/dy8g/
Source: global traffic, HTTP traffic detected: GET /dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh HTTP/1.1 Host: www.cochez.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh HTTP/1.1 Host: www.cindywillardrealtor.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh HTTP/1.1 Host: www.wideawakemomma.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh HTTP/1.1 Host: www.vermogenswerte.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh HTTP/1.1 Host: www.thenorthgoldline.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh HTTP/1.1 Host: www.extinctionbrews.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 95.215.210.10
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: NEWIT-ASRU
Source: Joe Sandbox View, ASN Name: LINODE-APLinodeLLCUS
HTTP GET or POST without a user agent
Source: global traffic, HTTP traffic detected: the six GET requests listed above (none of them carries a User-Agent header)

Source: unknown, DNS traffic detected: queries for: www.cochez.club
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 16:05:24 GMT Server: Apache/2.4.6 (CentOS) PHP/7.3.19 Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 79 38 67 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dy8g/ was not found on this server.</p></body></html>
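Every host contacted above is asked for the same path /dy8g/ with the same two query parameter names, and the Snort rules fire on all of it, yet the extracted configuration names only www.extinctionbrews.com/dy8g/ as C2. The other hosts come straight from the decoy list: FormBook buries its real server among dozens of unrelated domains, so the Snort alerts and the Avira URL verdicts cannot by themselves tell C2 from decoy. The Python below is an added example, not part of the report or of any Joe Sandbox tooling. It parses the six captured requests with their CRLF line breaks restored, records the missing User-Agent header the report flags, matches each Host against the configuration, and derives the shared path and parameter names as a campaign-level indicator. Assumptions: the decoy list is cut down to the domains that occur in the traffic (the full list in the configuration has 64 entries), and the www.example.com request is constructed for contrast and does not appear in the report.

```python
"""Triage FormBook check-ins: real C2 versus decoy hosts, plus the URI signature.

Added example. Requests are reconstructed from the report with CRLFs restored;
the www.example.com request is constructed and is not in the report.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Configuration as extracted in the report; the decoy list is trimmed to the
# domains that actually appear in the captured traffic (assumption: the full
# 64-entry list behaves the same way).
CONFIG = {
    "C2 list": ["www.extinctionbrews.com/dy8g/"],
    "decoy": ["cochez.club", "cindywillardrealtor.com", "wideawakemomma.com",
              "vermogenswerte.com", "thenorthgoldline.com", "aizaibali.com"],
}

REQUESTS = [
    "GET /dy8g/?i8PHMrf=M2y08b4guDc7ky1UfP9B2E9DVQMkOM+mjhyUMO8ZT8ajlM0broLEOhQJKgG+gbTLwEQu&5jLtOl=htxh HTTP/1.1\r\nHost: www.cochez.club\r\nConnection: close\r\n\r\n",
    "GET /dy8g/?i8PHMrf=d70oYrFBgMb8Os9vLLnU0lHHdKTBSZLAimar8DFO2VzVjiqJdJvZleKp8o5Ll6MGkmh7&5jLtOl=htxh HTTP/1.1\r\nHost: www.cindywillardrealtor.com\r\nConnection: close\r\n\r\n",
    "GET /dy8g/?i8PHMrf=n9TsU/XZirCaXaeSUYbcU/ldcwtyxBDUqcAV1OuBRveQ+2sj4hTKAs/tsBNJEPRO40QM&5jLtOl=htxh HTTP/1.1\r\nHost: www.wideawakemomma.com\r\nConnection: close\r\n\r\n",
    "GET /dy8g/?i8PHMrf=vEc9l3KIwUbL2yE9akOYH6tpFpdH8sidHZA37HjQYo0aYTivi/dQORBe2IJ6crCUqb4r&5jLtOl=htxh HTTP/1.1\r\nHost: www.vermogenswerte.com\r\nConnection: close\r\n\r\n",
    "GET /dy8g/?i8PHMrf=ECrCAtcV2n6MmfvkEdEbFHcY5Y6SYRzoX56/iPQe4p5qRx/lRHZ+fK1TxUEBZfQE2R2Q&5jLtOl=htxh HTTP/1.1\r\nHost: www.thenorthgoldline.com\r\nConnection: close\r\n\r\n",
    "GET /dy8g/?i8PHMrf=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGD3PCL74z9p&5jLtOl=htxh HTTP/1.1\r\nHost: www.extinctionbrews.com\r\nConnection: close\r\n\r\n",
    # Constructed benign request for contrast (not from the report).
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
]


def parse_request(raw: str) -> Dict:
    """Split a raw HTTP/1.1 request into method, path, query parameters and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # Keep parameter values verbatim (no '+' to space decoding) so they remain usable as IOCs.
    query = dict(kv.split("=", 1) if "=" in kv else (kv, "") for kv in parts.query.split("&") if kv)
    return {"method": method, "path": parts.path, "query": query,
            "host": headers.get("host", "").lower(), "headers": headers}


def registered(host: str) -> str:
    """Drop a leading 'www.' so hosts compare against the config's bare domains."""
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, config: Dict) -> str:
    """'c2' if the host is in the C2 list, 'decoy' if it is a decoy domain, else 'unknown'."""
    c2_hosts = {entry.split("/", 1)[0].lower() for entry in config["C2 list"]}
    if host in c2_hosts or registered(host) in {registered(h) for h in c2_hosts}:
        return "c2"
    if registered(host) in {d.lower() for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def triage(requests: List[str], config: Dict) -> List[Dict]:
    rows = []
    for raw in requests:
        req = parse_request(raw)
        rows.append({
            "host": req["host"],
            "path": req["path"],
            "params": tuple(sorted(req["query"])),
            "verdict": classify_host(req["host"], config),
            # The report flags these check-ins for having no User-Agent header.
            "missing_ua": "user-agent" not in req["headers"],
        })
    return rows


def checkin_signature(rows: List[Dict]) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Path and parameter names shared by every UA-less request, or None if they differ."""
    suspects = [r for r in rows if r["missing_ua"]]
    if not suspects:
        return None
    paths = {r["path"] for r in suspects}
    if len(paths) != 1:
        return None
    common = set(suspects[0]["params"])
    for r in suspects[1:]:
        common &= set(r["params"])
    return paths.pop(), tuple(sorted(common))


if __name__ == "__main__":
    results = triage(REQUESTS, CONFIG)
    for r in results:
        print(f'{r["verdict"]:8} {r["host"]:32} {"no User-Agent" if r["missing_ua"] else ""}')
    print("check-in signature:", checkin_signature(results))
```

On the six report requests this yields one `c2` verdict (www.extinctionbrews.com), five `decoy` verdicts, and the signature `("/dy8g/", ("5jLtOl", "i8PHMrf"))`. The path and parameter names, not the hostnames, are what is stable across C2 and decoys, which is why they make a better campaign indicator than any single decoy domain; the 404 from the server above is consistent with a decoy or a C2 that has already been taken down, and does not change the classification.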
Source: raserver.exe, 0000000D.00000002.513072851.00000000052E2000.00000004.00000001.sdmp, String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: raserver.exe, 0000000D.00000002.509297575.0000000003078000.00000004.00000020.sdmp, String found in binary or memory: http://www.aizaibali.com/
Source: raserver.exe, 0000000D.00000002.509297575.0000000003078000.00000004.00000020.sdmp, String found in binary or memory: http://www.aizaibali.com/dy8g/?i8PHMrf=iLV9pktedYDy4Ry4OVO/uadmgyKbVGN
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.272445649.000000000BC36000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
(The explorer.exe strings above are font-vendor and licence URLs from explorer's own memory, not indicators of this sample; only the raserver.exe strings relate to the check-in traffic.)
Creates a DirectInput object (often for capturing keystrokes)
Source: pMbPS8nCm1.exe, 00000001.00000002.248667021.000000000078A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, the same fourteen file and memory sources listed under AV Detection above

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004181D0 NtCreateFile
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00418280 NtReadFile
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00418300 NtClose
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004183B0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00418222 NtCreateFile
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004183AA NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C995D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C999A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C996D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C996E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C998F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C998A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9B040 NtSuspendThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99820 NtEnumerateKey
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C999D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C995F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99950 NtQueueApcThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99560 NtWriteFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99A10 NtQuerySection
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99A20 NtResumeThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C997A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99760 NtOpenProcess
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99770 NtSetInformationFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9A770 NtOpenThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99B00 NtSetValueKey
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B81D0 NtCreateFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B8280 NtReadFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B83B0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B8300 NtClose
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B8222 NtCreateFile
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009B83AA NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0040102E
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00401030
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0041B8FB
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00408C6C
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00408C70
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0041B57A
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00402D88
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_0041C58A
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_00402FB0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6B090
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D11002
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6841F
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C6D5E0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04D21D55
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C5F900
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C50D20
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C74120
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C76E30
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C8EBB0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009BB8FB
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009A8C70
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009A8C6C
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009A2D90
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009BC58A
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009A2D88
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009BB57A
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_009A2FB0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 04C5B150 appears 32 times
Source: pMbPS8nCm1.exe, 00000001.00000003.243940877.0000000002406000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs pMbPS8nCm1.exe
Source: pMbPS8nCm1.exe, 00000002.00000002.307872984.0000000000CBF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs pMbPS8nCm1.exe
Source: pMbPS8nCm1.exe, 00000002.00000002.308207312.0000000000D89000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameraserver.exej% vs pMbPS8nCm1.exe
Source: pMbPS8nCm1.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.pMbPS8nCm1.exe.6f0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.pMbPS8nCm1.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.pMbPS8nCm1.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.pMbPS8nCm1.exe.6f0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.508769679.0000000002FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.248608890.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.306388335.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.305709350.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.509446252.00000000032A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.246218201.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.506978172.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.305134983.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@13/5
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2196:120:WilError_01
Source: pMbPS8nCm1.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\raserver.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: pMbPS8nCm1.exe | Virustotal: Detection: 26%
Source: pMbPS8nCm1.exe | ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | File read: C:\Users\user\Desktop\pMbPS8nCm1.exe
Source: unknown | Process created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Process created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
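The native-API list for raserver.exe above (NtCreateProcessEx, NtUnmapViewOfSection, NtCreateSection/NtMapViewOfSection, NtWriteVirtualMemory, NtQueueApcThread/NtSetContextThread, NtResumeThread) and the process tree (explorer.exe spawning raserver.exe, which in turn runs cmd.exe /c del on the original sample) are the two pieces of evidence a triage analyst would want to pull out of a report like this automatically. The script below is an added example and is not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses "Code function" and "Process created" evidence lines, groups the native calls into hollowing stages, and flags the process that asked cmd.exe to delete the sample. The stage grouping in HOLLOWING_STAGES and the threshold of four stages are my own heuristic, and the sample lines are constructed from the evidence above (same image paths, PIDs and addresses, in the cleaned "Source | event" layout; the regexes also accept the fused layout in which the event name runs straight into the path).

```python
"""Added example: score sandbox evidence lines for process hollowing and
self-deletion. Not part of the Joe Sandbox report; heuristic grouping is mine."""
import re
from collections import defaultdict

# Constructed sample lines, modelled on the report's evidence for this sample.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004181D0 NtCreateFile
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Code function: 2_2_004183B0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C999A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C998A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99950 NtQueueApcThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C9AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C99A20 NtResumeThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C997A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 13_2_04C999D0 NtCreateProcessEx
Source: unknown | Process created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
Source: C:\Users\user\Desktop\pMbPS8nCm1.exe | Process created: C:\Users\user\Desktop\pMbPS8nCm1.exe 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pMbPS8nCm1.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""

# Heuristic (mine, not the report's): stages of a hollowing / thread-hijack
# chain, each satisfied by any one of the listed native calls.
HOLLOWING_STAGES = {
    "target": {"NtCreateProcessEx", "NtOpenProcess"},
    "unmap": {"NtUnmapViewOfSection"},
    "map": {"NtCreateSection", "NtMapViewOfSection", "NtAllocateVirtualMemory"},
    "write": {"NtWriteVirtualMemory"},
    "hijack": {"NtSetContextThread", "NtQueueApcThread"},
    "run": {"NtResumeThread"},
}

# "Source: <image> | Code function: PID_RUN_ADDR Api1,Api2[,PID_RUN_ADDR]"
# The separator is optional so the fused report layout parses as well.
CODE_FN_RE = re.compile(
    r"Source:\s*(?P<image>.+?\.exe)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]+)\s+(?P<apis>[A-Za-z0-9_,]+)"
)
PROC_RE = re.compile(
    r"Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*(?P<child>\S+)\s*(?P<cmdline>.*)"
)
LINK_RESIDUE_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]+")
DEL_RE = re.compile(r"/c\s+del\s+'?(?P<target>[^']+?)'?\s*$", re.IGNORECASE)


def parse_report(text):
    """Return ({image: set(api names)}, [(parent, child, cmdline), ...])."""
    apis_by_image = defaultdict(set)
    procs = []
    for line in text.splitlines():
        m = CODE_FN_RE.search(line)
        if m:
            for api in m.group("apis").split(","):
                # A trailing PID_RUN_ADDR token is the report's own link residue.
                if api and not LINK_RESIDUE_RE.fullmatch(api):
                    apis_by_image[m.group("image")].add(api)
            continue
        m = PROC_RE.search(line)
        if m:
            procs.append((m.group("parent"), m.group("child"), m.group("cmdline").strip()))
    return apis_by_image, procs


def hollowing_stages(apis):
    """Stage names covered by a set of native API names, in chain order."""
    return [stage for stage, calls in HOLLOWING_STAGES.items() if apis & calls]


def injection_suspects(apis_by_image, min_stages=4):
    """Images whose resolved native calls cover at least min_stages stages."""
    suspects = {}
    for image, apis in apis_by_image.items():
        stages = hollowing_stages(apis)
        if len(stages) >= min_stages:
            suspects[image] = stages
    return suspects


def self_deletion_by_other(procs, sample_path):
    """Parent that ran cmd.exe /c del on the sample, if it is not the sample
    itself: the hand-off a FormBook-style injector makes after migrating."""
    for parent, child, cmdline in procs:
        if not child.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(cmdline)
        if m and m.group("target").lower() == sample_path.lower() \
                and parent.lower() != sample_path.lower():
            return parent
    return None


def triage(text, sample_path):
    """Summarise injection and self-deletion evidence from report lines."""
    apis_by_image, procs = parse_report(text)
    return {
        "injectors": injection_suspects(apis_by_image),
        "deleter": self_deletion_by_other(procs, sample_path),
        "children_of_explorer": [c for p, c, _ in procs
                                 if p.lower().endswith("\\explorer.exe")],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES, r"C:\Users\user\Desktop\pMbPS8nCm1.exe").items():
        print(f"{key}: {value}")
```

On the constructed lines, raserver.exe covers all six stages while the dropper itself only reaches the "map" stage through NtAllocateVirtualMemory, and the deletion of the sample is attributed to raserver.exe rather than to the sample, which is the hand-off that matters for scoping an incident: the artefact to hunt for on other hosts is the injected system binary and its network activity, not the dropper that removed itself.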
          Source: Binary string: wntdll.pdbUGP source: pMbPS8nCm1.exe, 00000001.00000003.245067685.0000000002480000.00000004.00000001.sdmp, pMbPS8nCm1.exe, 00000002.00000002.306527493.0000000000A10000.00000040.00000001.sdmp, raserver.exe, 0000000D.00000002.511116133.0000000004D4F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: pMbPS8nCm1.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp
          Source: Binary string: RAServer.pdbGCTL source: pMbPS8nCm1.exe, 00000002.00000002.308172933.0000000000D70000.00000040.00000001.sdmp

          Data Obfuscation: