
Windows Analysis Report QUOTATION LIST FOR NEW ORDER.exe

Overview

General Information

Sample Name: QUOTATION LIST FOR NEW ORDER.exe
Analysis ID: 458798
MD5: 2a28a3e032a65c25b90f193621b623af
SHA1: 019659bb43b5535a9684d9938aa73e98682b0a61
SHA256: 317613289fb0cce8c301f63922883b30d54bbcdf1cb01bfa772244e03a07dfda
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • QUOTATION LIST FOR NEW ORDER.exe (PID: 5532 cmdline: 'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe' MD5: 2A28A3E032A65C25B90F193621B623AF)
    • QUOTATION LIST FOR NEW ORDER.exe (PID: 4760 cmdline: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe MD5: 2A28A3E032A65C25B90F193621B623AF)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 6056 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 6068 cmdline: /c del 'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.appackersandmoversbengaluru.com/p4se/"], "decoy": ["weightlossforprofessionals.com", "talkotstopandshop.com", "everesttechsolutions.com", "garboarts.com", "esubastas-online.com", "electriclastmile.com", "tomio.tech", "jacoty.com", "knot-tied-up.com", "energychoicesim.com", "rocketcompaniessham.com", "madarasapattinam.com", "promosplace.com", "newstarchurch.com", "thesaleskitchen.com", "slingmodeinc.com", "jobresulthub.com", "pillclk.com", "shipu119.com", "sibalcar.com", "quotovate.com", "bluecoyotecontracting.com", "hc68kr.com", "laundry39.com", "vietthaivt.com", "ikonflorida.com", "xn--sm2b97e.com", "innovisional.co.uk", "spacecityscouples.com", "slmccallum.com", "hro41.com", "theyardcardzstore.com", "primewildlife.com", "xn--seranderturzm-ebc.com", "stilesandhansen.com", "bvlesty.com", "hejiayin.com", "philosophersdojo.com", "aworldofsofas.com", "itile.net", "unitronicdealers.com", "savasoguz.com", "magetu.info", "devgmor.com", "villasabai.com", "pipipenguin.com", "furnishessentials.com", "patchmonitoring.com", "michaelhumphriesrealestate.com", "pratikahealth.com", "caswellcu.com", "lakeportal.com", "weedyourmind.com", "cardamommm.com", "freshstartrestorationllcmd.com", "mastercardbhdleon.com", "ceramiccottageco.com", "magiczneszkielka.com", "casebookconnet.com", "recharge.directory", "phoneprivacyscreen.com", "mumbaindicator.com", "jumboprovacy.com", "streamerdojo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author
10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: QUOTATION LIST FOR NEW ORDER.exe | Virustotal: Detection: 61%
Source: QUOTATION LIST FOR NEW ORDER.exe | Metadefender: Detection: 37%
Source: QUOTATION LIST FOR NEW ORDER.exe | ReversingLabs: Detection: 63%
Yara detected FormBook
Source: Yara match | File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: QUOTATION LIST FOR NEW ORDER.exe | Joe Sandbox ML: detected
Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: QUOTATION LIST FOR NEW ORDER.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QUOTATION LIST FOR NEW ORDER.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000B.00000000.343228042.000000000E7F0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000002.374856007.000000000120F000.00000040.00000001.sdmp, cmmon32.exe, 0000000C.00000002.516057002.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000002.374856007.000000000120F000.00000040.00000001.sdmp, cmmon32.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000B.00000000.343228042.000000000E7F0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 4x nop then pop ebx | 10_2_00406A9F
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop ebx | 12_2_03046A9F

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.appackersandmoversbengaluru.com/p4se/
Source: global traffic | HTTP traffic detected: GET /p4se/?RFQLn6=2dFdaDmhFhA0QZgP&-Zmt_=aCSsC2Wtvj0xQ8J4lkVrtXAo/y9YES1uuye3QtaBHWEeyHJ7dSrXHfQKVk1syv4zArANdeJ+Lg== HTTP/1.1 | Host: www.everesttechsolutions.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View | ASN Name: SUDDENLINK-COMMUNICATIONSUS SUDDENLINK-COMMUNICATIONSUS
Source: unknown | DNS traffic detected: queries for: www.everesttechsolutions.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
Malicious sample detected (through community Yara rule)
Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: QUOTATION LIST FOR NEW ORDER.exe
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_00418260 NtReadFile
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_004182E0 NtClose
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_00418390 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041825D NtReadFile
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041838C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048199A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048195D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048196D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048196E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048198A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048198F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0481B040 NtSuspendThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048199D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048195F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0481AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819560 NtWriteFile
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819A10 NtQuerySection
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819A20 NtResumeThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048197A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0481A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0481A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819760 NtOpenProcess
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04819770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0481A770 NtOpenThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_03058390 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_03058260 NtReadFile
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_030582E0 NtClose
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_030581B0 NtCreateFile
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305838C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305825D NtReadFile
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_00401026
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_00401030
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041C089
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041C8A4
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041BAC8
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041BB26
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_00408C4B
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_00408C50
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041B493
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041B496
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048020A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048A20A8
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_047E841F
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04891002
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_047EB090
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_04802581
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_047D0D20
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_047F4120
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_047DF900
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048A2D07
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_047ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048A1D55
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_047F6E30
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048A2EF7
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0480EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_048A1FF1
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305C8A4
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_03042FB0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305C578
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_03042D90
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_03048C4B
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_03048C50
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305B496
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 047DB150 appears 35 times
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000000.242234639.00000000006CC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTup.exe: vs QUOTATION LIST FOR NEW ORDER.exe
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000009.00000002.302259006.00000000001DC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTup.exe: vs QUOTATION LIST FOR NEW ORDER.exe
Source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000002.375144383.000000000139F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION LIST FOR NEW ORDER.exe
Source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000000.304360441.00000000006DC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTup.exe: vs QUOTATION LIST FOR NEW ORDER.exe
Source: QUOTATION LIST FOR NEW ORDER.exe | Binary or memory string: OriginalFilenameTup.exe: vs QUOTATION LIST FOR NEW ORDER.exe
Source: QUOTATION LIST FOR NEW ORDER.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: QUOTATION LIST FOR NEW ORDER.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QUOTATION LIST FOR NEW ORDER.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/1@5/2
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION LIST FOR NEW ORDER.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_01
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: QUOTATION LIST FOR NEW ORDER.exe | Virustotal: Detection: 61%
Source: QUOTATION LIST FOR NEW ORDER.exe | Metadefender: Detection: 37%
Source: QUOTATION LIST FOR NEW ORDER.exe | ReversingLabs: Detection: 63%
Source: unknown | Process created: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe 'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe'
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Process created: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: QUOTATION LIST FOR NEW ORDER.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTATION LIST FOR NEW ORDER.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: QUOTATION LIST FOR NEW ORDER.exe | Static file information: File size 1347072 > 1048576
Source: QUOTATION LIST FOR NEW ORDER.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x148400
Source: QUOTATION LIST FOR NEW ORDER.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary string: wscui.pdbUGP | source: explorer.exe, 0000000B.00000000.343228042.000000000E7F0000.00000002.00000001.sdmp
Binary string: wntdll.pdbUGP | source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000002.374856007.000000000120F000.00000040.00000001.sdmp, cmmon32.exe, 0000000C.00000002.516057002.00000000048CF000.00000040.00000001.sdmp
Binary string: wntdll.pdb | source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000002.374856007.000000000120F000.00000040.00000001.sdmp, cmmon32.exe
Binary string: wscui.pdb | source: explorer.exe, 0000000B.00000000.343228042.000000000E7F0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0040607C push esi; ret 10_2_0040607D
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041BAC8 push dword ptr [B7831292h]; ret 10_2_0041BB25
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041A2E5 push es; ret 10_2_0041A327
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041C2AF pushad ; iretd 10_2_0041C2B0
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0040C376 push es; ret 10_2_0040C377
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041B3F2 push eax; ret 10_2_0041B3F8
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041B3FB push eax; ret 10_2_0041B462
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041B3A5 push eax; ret 10_2_0041B3F8
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_0041B45C push eax; ret 10_2_0041B462
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Code function: 10_2_00415C8D push esi; retf 10_2_00415C9B
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0482D0D1 push ecx; ret 12_2_0482D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0304C376 push es; ret 12_2_0304C377
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305B3A5 push eax; ret 12_2_0305B3F8
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305B3F2 push eax; ret 12_2_0305B3F8
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305B3FB push eax; ret 12_2_0305B462
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305C2AF pushad ; iretd 12_2_0305C2B0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305A2E5 push es; ret 12_2_0305A327
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305BAF4 push dword ptr [B7831292h]; ret 12_2_0305BB25
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0304607C push esi; ret 12_2_0304607D
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_03054E36 push edx; iretd 12_2_03054E45
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_03055599 push ds; ret 12_2_0305559A
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_0305B45C push eax; ret 12_2_0305B462
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 12_2_03055C8D push esi; retf 12_2_03055C9B
Source: initial sample | Static PE information: section name: .text entropy: 7.77803780051
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe | Process information set: NOOPENFILEERRORBOX