Source: Process started | Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\moni $@.exe' , ParentImage: C:\Users\user\Desktop\moni $@.exe, ParentProcessId: 3516, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ProcessId: 5996 |
Source: Process started | Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\moni $@.exe' , ParentImage: C:\Users\user\Desktop\moni $@.exe, ParentProcessId: 3516, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ProcessId: 5996 |
Source: www.panyu-qqbaby.com/weni/ | Avira URL Cloud: Label: malware |
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.panyu-qqbaby.com/weni/"], "decoy": ["sdmdwang.com", "konversationswithkoshie.net", "carap.club", "eagldeream.com", "856380585.xyz", "elgallocoffee.com", "magetu.info", "lovertons.com", "theichallenge.com", "advancedautorepairsonline.com", "wingsstyling.info", "tapdaugusta.com", "wiloasbanhsgtarewdasc.solutions", "donjrisdumb.com", "experienceddoctor.com", "cloverhillconsultants.com", "underwear.show", "karensgonewild2020.com", "arodsr.com", "thefucktardmanual.com", "712kenwood.info", "telecompink.com", "ebizkendra.com", "kitkatmp3.com", "utformehagen.com", "profitsnavigator.com", "kathyharvey.com", "tongaoffshore.com", "vrpreservation.com", "hy7128.com", "nicolettejohnsonphotography.com", "rating.travel", "visualartcr.com", "nationalbarista.com", "lovecartoonforever.com", "koimkt.com", "directpractice.pro", "blockchaincloud360.com", "queverenbuenosaires.com", "coachmyragolden.com", "awree.com", "facebookipl.com", "rcheapwdbuy.com", "trinspinsgreen.com", "voxaide.com", "ecorner.online", "mattvickery.com", "regarta.com", "fknprfct.com", "theessentialstore.net", "sunilpsingh.com", "ovtnywveba.club", "optimalgafa.com", "awdjob.info", "humachem.com", "southeasternsteakcompany.com", "centerevents.net", "warrenswindowcleans.co.uk", "lebullterrier.com", "thecxchecker.com", "formerknown.com", "pupbutler.com", "tincanphones.com", "tgeuuy.cool"]} |
Source: www.panyu-qqbaby.com/weni/ | Virustotal: Detection: 6% |
Source: moni $@.exe | Virustotal: Detection: 39% |
Source: moni $@.exe | ReversingLabs: Detection: 34% |
Source: Yara match | File source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\moni $@.exe | Unpacked PE file: 0.2.moni $@.exe.ff0000.0.unpack |
Source: moni $@.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED |
Source: moni $@.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: Malware configuration extractor | URLs: www.panyu-qqbaby.com/weni/ |
Source: moni $@.exe, 00000000.00000002.247463240.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: C:\Users\user\Desktop\moni $@.exe | Code function: 0_2_00007FFF2AF5629E | 0_2_00007FFF2AF5629E |
Source: moni $@.exe, 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStoreElement.dllB vs moni $@.exe |
Source: moni $@.exe, 00000000.00000002.250882555.000000001BD70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs moni $@.exe |
Source: moni $@.exe, 00000000.00000002.246983941.000000000109A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAppDomainHand.exe6 vs moni $@.exe |
Source: moni $@.exe, 00000000.00000002.247121884.00000000014EC000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs moni $@.exe |
Source: moni $@.exe, 00000000.00000002.247434414.00000000030F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameConfigNodeType.dll> vs moni $@.exe |
Source: moni $@.exe | Binary or memory string: OriginalFilenameAppDomainHand.exe6 vs moni $@.exe |
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000000.00000002.249181885.0000000013221000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: moni $@.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/1@0/0 |
Source: C:\Users\user\Desktop\moni $@.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\moni $@.exe.log |
Source: C:\Users\user\Desktop\moni $@.exe | Mutant created: \Sessions\1\BaseNamedObjects\CmNWJcEtJlScVAi |
Source: C:\Users\user\Desktop\moni $@.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: C:\Users\user\Desktop\moni $@.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\moni $@.exe 'C:\Users\user\Desktop\moni $@.exe' | |
Source: C:\Users\user\Desktop\moni $@.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe |
Source: C:\Users\user\Desktop\moni $@.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Source: moni $@.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: C:\Users\user\Desktop\moni $@.exe | Code function: 0_2_00007FFF2AF57F13 push ebx; ret | 0_2_00007FFF2AF57F1A |
Source: C:\Users\user\Desktop\moni $@.exe | Code function: 0_2_00007FFF2AF5AC5D push edi; ret | 0_2_00007FFF2AF5AC66 |
Source: initial sample | Static PE information: section name: .text entropy: 7.91066136918 |
Source: C:\Users\user\Desktop\moni $@.exe | Process information set: NOOPENFILEERRORBOX |
Source: Yara match | File source: 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: moni $@.exe PID: 3516, type: MEMORYSTR |
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME |
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL |
Source: C:\Users\user\Desktop\moni $@.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\moni $@.exe TID: 4852 | Thread sleep time: -38692s >= -30000s |
Source: C:\Users\user\Desktop\moni $@.exe TID: 6136 | Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\Desktop\moni $@.exe | Thread delayed: delay time: 38692 |
Source: C:\Users\user\Desktop\moni $@.exe | Thread delayed: delay time: 922337203685477 |
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp | Binary or memory string: vmware |
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp | Binary or memory string: VMWARE |
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II |
Source: moni $@.exe, 00000000.00000002.247523574.000000000328E000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000 |
Source: C:\Users\user\Desktop\moni $@.exe | Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\moni $@.exe | Process token adjusted: Debug |
Source: C:\Users\user\Desktop\moni $@.exe | Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\moni $@.exe | Queries volume information: C:\Users\user\Desktop\moni $@.exe VolumeInformation |
Source: C:\Users\user\Desktop\moni $@.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |